Edit tour

Windows Analysis Report
NEW ORDER.exe

Overview

General Information

Sample name:	NEW ORDER.exe
Analysis ID:	1501082
MD5:	3611914350f1ddaa7cf7573267f7fc91
SHA1:	2be994ddb06abdd9f6f74955af41001d8412f9e8
SHA256:	d25f1495eee9c05e29e18fbd62f932f0f670cb441b30ac99ced1a80e14275b80
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

NEW ORDER.exe (PID: 7516 cmdline: "C:\Users\user\Desktop\NEW ORDER.exe" MD5: 3611914350F1DDAA7CF7573267F7FC91)

RegSvcs.exe (PID: 7688 cmdline: "C:\Users\user\Desktop\NEW ORDER.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "sarthiever@fosna.net", "Password": "(=8fPSH$KO_!"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2541134746.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2541134746.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x343c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34437:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x344c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34553:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x345bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3462f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x346c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34755:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3158d:$s2: GetPrivateProfileString 0x30c5d:$s3: get_OSFullName 0x322a3:$s5: remove_Key 0x32493:$s5: remove_Key 0x333ac:$s6: FtpWebRequest 0x343a7:$s7: logins 0x34919:$s7: logins 0x375fc:$s7: logins 0x376dc:$s7: logins 0x39031:$s7: logins 0x38276:$s9: 1.85 (Hash, version 2, native byte-order)
00000002.00000002.2542708995.0000000002E05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NEW ORDER.exe PID: 7516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NEW ORDER.exe PID: 7516	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NEW ORDER.exe PID: 7516	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7688	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7688	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.NEW ORDER.exe.3670000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NEW ORDER.exe.3670000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.NEW ORDER.exe.3670000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x325c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32637:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x326c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32753:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x327bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3282f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x328c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32955:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.NEW ORDER.exe.3670000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f78d:$s2: GetPrivateProfileString 0x2ee5d:$s3: get_OSFullName 0x304a3:$s5: remove_Key 0x30693:$s5: remove_Key 0x315ac:$s6: FtpWebRequest 0x325a7:$s7: logins 0x32b19:$s7: logins 0x357fc:$s7: logins 0x358dc:$s7: logins 0x37231:$s7: logins 0x36476:$s9: 1.85 (Hash, version 2, native byte-order)
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x343c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34437:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x344c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34553:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x345bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3462f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x346c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34755:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3158d:$s2: GetPrivateProfileString 0x30c5d:$s3: get_OSFullName 0x322a3:$s5: remove_Key 0x32493:$s5: remove_Key 0x333ac:$s6: FtpWebRequest 0x343a7:$s7: logins 0x34919:$s7: logins 0x375fc:$s7: logins 0x376dc:$s7: logins 0x39031:$s7: logins 0x38276:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.NEW ORDER.exe.3670000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NEW ORDER.exe.3670000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.NEW ORDER.exe.3670000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.NEW ORDER.exe.3670000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x343c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34437:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x344c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34553:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x345bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3462f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x346c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34755:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.NEW ORDER.exe.3670000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3158d:$s2: GetPrivateProfileString 0x30c5d:$s3: get_OSFullName 0x322a3:$s5: remove_Key 0x32493:$s5: remove_Key 0x333ac:$s6: FtpWebRequest 0x343a7:$s7: logins 0x34919:$s7: logins 0x375fc:$s7: logins 0x376dc:$s7: logins 0x39031:$s7: logins 0x38276:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "sarthiever@fosna.net", "Password": "(=8fPSH$KO_!"}

Multi AV Scanner detection for submitted file

Source: NEW ORDER.exe	ReversingLabs: Detection: 73%
Source: NEW ORDER.exe	Virustotal: Detection: 66%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: NEW ORDER.exe

Joe Sandbox ML: detected

Source: NEW ORDER.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: NEW ORDER.exe, 00000000.00000003.1302326962.0000000003850000.00000004.00001000.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.1303400500.0000000003700000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: NEW ORDER.exe, 00000000.00000003.1302326962.0000000003850000.00000004.00001000.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.1303400500.0000000003700000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_0042DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0042DBBE
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003FC2A2 FindFirstFileExW,	0_2_003FC2A2
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_004368EE FindFirstFileW,FindClose,	0_2_004368EE
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_0043698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0043698F
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_0042D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0042D076
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_0042D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0042D3A9
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_00439642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00439642
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_0043979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0043979D
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_00439B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00439B2B
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_00435C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00435C97

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_0043CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0043CE44

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: RegSvcs.exe, 00000002.00000002.2542708995.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2542708995.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2542708995.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: NEW ORDER.exe, 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2541304554.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2541134746.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2542708995.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2542708995.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.2544083166.0000000006081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingS
Source: RegSvcs.exe, 00000002.00000002.2542708995.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2542708995.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NEW ORDER.exe, 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2541134746.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, oAKy.cs

.Net Code: ExGJKp0bbyd

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_0043EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0043EAFF

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_0043ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0043ED6A

Source: C:\Users\user\Desktop\NEW ORDER.exe

0_2_0043EAFF

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_0042AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0042AA57

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_00459576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00459576

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.NEW ORDER.exe.3670000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.NEW ORDER.exe.3670000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: NEW ORDER.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: NEW ORDER.exe, 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_24c0cd45-6
Source: NEW ORDER.exe, 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2ecdcb17-5
Source: NEW ORDER.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dcf01536-e
Source: NEW ORDER.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4b79cd51-c

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: NEW ORDER.exe

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_0042D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0042D5EB

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_00421201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00421201

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_0042E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0042E8F6

Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003CBF40	0_2_003CBF40
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_00432046	0_2_00432046
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003C8060	0_2_003C8060
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_00428298	0_2_00428298
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003FE4FF	0_2_003FE4FF
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003F676B	0_2_003F676B
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_00454873	0_2_00454873
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003ECAA0	0_2_003ECAA0
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003CCAF0	0_2_003CCAF0
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003DCC39	0_2_003DCC39
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003F6DD9	0_2_003F6DD9
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003DB119	0_2_003DB119
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003C91C0	0_2_003C91C0
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003E1394	0_2_003E1394
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003E1706	0_2_003E1706
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003E781B	0_2_003E781B
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003C7920	0_2_003C7920
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003D997D	0_2_003D997D
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003E19B0	0_2_003E19B0
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003E7A4A	0_2_003E7A4A
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003E1C77	0_2_003E1C77
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003E7CA7	0_2_003E7CA7
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_0044BE44	0_2_0044BE44
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003F9EEE	0_2_003F9EEE
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003E1F32	0_2_003E1F32
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_033035F0	0_2_033035F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_011DA6E0	2_2_011DA6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_011DD958	2_2_011DD958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_011D4A88	2_2_011D4A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_011D3E70	2_2_011D3E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_011D41B8	2_2_011D41B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06632300	2_2_06632300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06631150	2_2_06631150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06633AB0	2_2_06633AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_066333C8	2_2_066333C8

Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: String function: 003C9CB3 appears 31 times
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: String function: 003DF9F2 appears 40 times
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: String function: 003E0A30 appears 46 times

Source: NEW ORDER.exe, 00000000.00000003.1307059596.00000000039CD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs NEW ORDER.exe
Source: NEW ORDER.exe, 00000000.00000003.1305291352.0000000003823000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs NEW ORDER.exe
Source: NEW ORDER.exe, 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename88e10d5e-7fd5-494e-a8ee-82170ba0d629.exe4 vs NEW ORDER.exe

Source: NEW ORDER.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.NEW ORDER.exe.3670000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.NEW ORDER.exe.3670000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, ekKu0.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, vKf1z6NvS.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, ZNAvlD7qmXc.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, U2doU2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, BgffYko.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, HrTdA63.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_004337B5 GetLastError,FormatMessageW,

0_2_004337B5

Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_004210BF AdjustTokenPrivileges,CloseHandle,		0_2_004210BF
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_004216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004216C3

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_004351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004351CD

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_0044A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0044A67C

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_0043648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0043648E

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_003C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_003C42A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\NEW ORDER.exe

File created: C:\Users\user\AppData\Local\Temp\autDE75.tmp

Jump to behavior

Source: NEW ORDER.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2542708995.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2542708995.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: NEW ORDER.exe	ReversingLabs: Detection: 73%
Source: NEW ORDER.exe	Virustotal: Detection: 66%

Source: unknown	Process created: C:\Users\user\Desktop\NEW ORDER.exe "C:\Users\user\Desktop\NEW ORDER.exe"
Source: C:\Users\user\Desktop\NEW ORDER.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\NEW ORDER.exe"
Source: C:\Users\user\Desktop\NEW ORDER.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\NEW ORDER.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: NEW ORDER.exe

Static file information: File size 1219072 > 1048576

Source: NEW ORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NEW ORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NEW ORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NEW ORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NEW ORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NEW ORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: NEW ORDER.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: NEW ORDER.exe, 00000000.00000003.1302326962.0000000003850000.00000004.00001000.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.1303400500.0000000003700000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: NEW ORDER.exe, 00000000.00000003.1302326962.0000000003850000.00000004.00001000.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.1303400500.0000000003700000.00000004.00001000.00020000.00000000.sdmp

Source: NEW ORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NEW ORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NEW ORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NEW ORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NEW ORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_003C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003C42DE

Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003E0A76 push ecx; ret		0_2_003E0A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0663CA30 push es; ret		2_2_0663CA40

Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_003DF98E
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_00451C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00451C41

Source: C:\Users\user\Desktop\NEW ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: NEW ORDER.exe PID: 7516, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\NEW ORDER.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95672

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\NEW ORDER.exe

API/Special instruction interceptor: Address: 3303214

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: NEW ORDER.exe, 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2541134746.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2542708995.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2542708995.0000000002E05000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\NEW ORDER.exe

API coverage: 3.8 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_0042DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0042DBBE
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003FC2A2 FindFirstFileExW,	0_2_003FC2A2
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_004368EE FindFirstFileW,FindClose,	0_2_004368EE
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_0043698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0043698F
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_0042D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0042D076
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_0042D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0042D3A9
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_00439642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00439642
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_0043979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0043979D
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_00439B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00439B2B
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_00435C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00435C97

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_003C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003C42DE

Source: RegSvcs.exe, 00000002.00000002.2542708995.0000000002E05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000002.00000002.2542708995.0000000002E05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.2541134746.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000002.00000002.2544083166.0000000006081000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_011D7070 CheckRemoteDebuggerPresent,

2_2_011D7070

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_0043EAA2 BlockInput,

0_2_0043EAA2

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_003F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_003F2622

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_003C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003C42DE

Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003E4CE8 mov eax, dword ptr fs:[00000030h]	0_2_003E4CE8
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_03303480 mov eax, dword ptr fs:[00000030h]	0_2_03303480
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_033034E0 mov eax, dword ptr fs:[00000030h]	0_2_033034E0
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_03301E70 mov eax, dword ptr fs:[00000030h]	0_2_03301E70

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_00420B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00420B62

Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003F2622
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003E083F
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003E09D5 SetUnhandledExceptionFilter,	0_2_003E09D5
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_003E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003E0C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\NEW ORDER.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\NEW ORDER.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DB3008

Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER.exe

0_2_00421201

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_00402BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00402BA5

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_0042B226 SendInput,keybd_event,

0_2_0042B226

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_004422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004422DA

Source: C:\Users\user\Desktop\NEW ORDER.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\NEW ORDER.exe"

Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER.exe

0_2_00420B62

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_00421663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00421663

Source: NEW ORDER.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: NEW ORDER.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_003E0698 cpuid

0_2_003E0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_00438195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00438195

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_0041D27A GetUserNameW,

0_2_0041D27A

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_003FB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_003FB952

Source: C:\Users\user\Desktop\NEW ORDER.exe

Code function: 0_2_003C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003C42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.NEW ORDER.exe.3670000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2541134746.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW ORDER.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7688, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: NEW ORDER.exe	Binary or memory string: WIN_81
Source: NEW ORDER.exe	Binary or memory string: WIN_XP
Source: NEW ORDER.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: NEW ORDER.exe	Binary or memory string: WIN_XPe
Source: NEW ORDER.exe	Binary or memory string: WIN_VISTA
Source: NEW ORDER.exe	Binary or memory string: WIN_7
Source: NEW ORDER.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.NEW ORDER.exe.3670000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2541134746.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2542708995.0000000002E05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW ORDER.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7688, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.NEW ORDER.exe.3670000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW ORDER.exe.3670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2541134746.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW ORDER.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7688, type: MEMORYSTR

Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_00441204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00441204
Source: C:\Users\user\Desktop\NEW ORDER.exe	Code function: 0_2_00441806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00441806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	741 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	32 Virtualization/Sandbox Evasion	Cached Domain Credentials	32 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NEW ORDER.exe	74%	ReversingLabs	Win32.Trojan.AutoitInject
NEW ORDER.exe	67%	Virustotal		Browse
NEW ORDER.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
ip-api.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://account.dyn.com/	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hostingS	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hostingS	RegSvcs.exe, 00000002.00000002.2544083166.0000000006081000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	NEW ORDER.exe, 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2541134746.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2542708995.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2542708995.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	RegSvcs.exe, 00000002.00000002.2542708995.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2542708995.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2542708995.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501082
Start date and time:	2024-08-29 12:10:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NEW ORDER.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 49 Number of non-executed functions: 288
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Orden de compra.000854657689654253545676785436.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	XClient.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.W64.ABRisk.KSAB-7665.26815.23633.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	IrisLily673Xander.msc.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=11827
	spglr64.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	obvious.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	#U00d6deme Talebi_27.08.2024.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	memreduct.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	Orden de compra.000854657689654253545676785436.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	XClient.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	SecuriteInfo.com.W64.ABRisk.KSAB-7665.26815.23633.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	IrisLily673Xander.msc.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	spglr64.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	208.95.112.1
	obvious.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	#U00d6deme Talebi_27.08.2024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Doc-Secure6025.pdf	Get hash	malicious	Unknown	Browse	51.77.64.70

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	Orden de compra.000854657689654253545676785436.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	XClient.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	SecuriteInfo.com.W64.ABRisk.KSAB-7665.26815.23633.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	IrisLily673Xander.msc.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	spglr64.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	208.95.112.1
	obvious.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	#U00d6deme Talebi_27.08.2024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	memreduct.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\NEW ORDER.exe
File Type:	data
Category:	dropped
Size (bytes):	244224
Entropy (8bit):	6.676886174848622
Encrypted:	false
SSDEEP:	6144:GBEA4XFRPVkjn4DPdN8MhpE9iM3roDy5T2Ol3g+s10R8KVV+ufz8:WEA4XXVkjn4D1NBhpE9dUDyTzlls10Rs
MD5:	08A8113CD43B29C47ED063D88587925A
SHA1:	652EA39E1FEFEB2FE68C60759712C1FE87A7FCF3
SHA-256:	FD076EBF4547C3D3A15E99E1553578891C040DE90E8CEF90E4374006AF64CC38
SHA-512:	C4FC582D9E36433655E48BA4ED6A678FB2C558B90D13ADA2A8758C13C3425BCB34D46AA9EC10EE940A40F32714C168FA594A4EE79C4E1B21A5C73454AC526860
Malicious:	false
Reputation:	low
Preview:	...5Z6AI61UX..HJ.C5Y6AI2qUXR5HJEC5Y6AI21UXR5HJEC5Y6AI21UXR5H.EC5W).G2.\.s.I..ba1_2iBC:? T%j&"[7Y5iPTu'[h#+cq.ea$]U0v_8BnEC5Y6AIbtUX.4KJ..??6AI21UXR.HHDH4R6A.11UPR5HJEC.5AI.1UX.6HJE.5Y.AI23UXV5HJEC5Y2AI21UXR5hNEC7Y6AI21WX..HJUC5I6AI2!UXB5HJEC5I6AI21UXR5HJ.6YyAI21.[RsMJEC5Y6AI21UXR5HJEC5Y2AE21UXR5HJEC5Y6AI21UXR5HJEC5Y6AI21UXR5HJEC5Y6AI21UXR5HjEC=Y6AI21UXR5HBeC5.6AI21UXR5HJk7P!BAI2..[R5hJEC.Z6AK21UXR5HJEC5Y6Ai215v F:)EC5.3AI2.VXR3HJE.6Y6AI21UXR5HJE.5Yvo;W]:;R5DJEC5Y2AI01UX.6HJEC5Y6AI21UX.5H.EC5Y6AI21UXR5HJE..Z6AI21.XR5JJ@Ca.4A..0U[R5HKEC3Y6AI21UXR5HJEC5Y6AI21UXR5HJEC5Y6AI21UXR5HJEC5Y6AT.....}v.8}?;1.o.V.[..[..:..9.\.JA.~.G....f<4..X.:x..<...G.]]+4...aVJ8<Y./}:).X...\|hFq..T[.0..'..'4..q...lf..zN=li..&..)..8F1%W..94T:#.A.X6AI2.......M.llJ=/aJc....KN...&R5H.EC5+6AIS1UX.5HJC5YXAI2OUXRKHJE.5Y6.I21bXR5mJECXY6Am21U&R5H.8L:.. A..XR5HJp..i.,....e...s2.'m#q..<.~..@..V^.>q}...;....NdO..._S3LOGD1Z:\|Gy..s7LN@A2]5Mt<z.....l.....8....(.4JEC5Y6.I2.UXR..J.C5Y.A.2..XR5.E.5.6..1

C:\Users\user\AppData\Local\Temp\Prober

Download File

Process:	C:\Users\user\Desktop\NEW ORDER.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	86022
Entropy (8bit):	4.178711971546278
Encrypted:	false
SSDEEP:	1536:0oMu0ovxhAYVuYzUhxCOkrrIaW/jYOHb7rRciir08YqFx:ZzpUharU1jb77K/
MD5:	F4F6FDAA97D888DF072775952A1C6EB1
SHA1:	E26146FDD17BDD70A49C6CBBF9E36698E6FC9CEE
SHA-256:	006E517150A55AC5339995DC6634E8A57DD328617FEEBBAFF0A663879A596ED9
SHA-512:	D6FF8BD5FB81543F15BBF04424B71D1618318D4AD5F51C74AB3E1640425A901CFD73CDE4A8946D56E70879A0647ADC5C17B917910D628C16895BF4EDE92A6D2D
Malicious:	false
Reputation:	low
Preview:	30A78A35Z35P38M62J65O63Z38J31F65D63X63M63E30M32J30N30B30Z30J35U36J35J37J62S38E36T62R30R30M30N30X30V30H36O36A38A39B34G35R38B34E62G39L36W35Z30G30N30Z30O30I30V36Y36H38Z39Q34K64F38J36L62E61V37T32R30B30X30K30M30D30P36B36C38U39R35Z35Q38H38R62L38A36I65Y30P30L30K30Y30T30X36P36T38N39D34W35O38V61I62G39L36S35X30L30Y30T30X30R30N36C36D38Y39M34A64E38C63R62Z61S36V63T30X30K30M30S30R30A36Q36J38J39R35T35X38K65R62U38H33V33A30J30X30T30H30E30R36Z36D38G39Z34I35F39F30D62E39V33L32A30O30B30L30L30H30C36V36S38H39U34Z64D39X32M62U61P32I65U30I30R30L30N30B30Y36Y36D38S39X35Z35O39U34G62F38I36A34H30B30L30E30A30I30X36Y36D38S39E34I35D39N36H62N39B36F63A30U30M30Q30M30Q30R36A36N38P39O34S64H39A38Y62W61U36B63E30W30N30F30R30W30D36B36T38J39E35J35W39E61H33F33W63T30N36U36N38T39I34M35R39N63O62R39G36Q65O30X30P30E30D30M30G36C36X38M39O38D64P34S34X66I66R66C66G66D66H62W61Y37D34L30E30B30B30C30M30R36F36W38L39L39J35G34Z36T66I66J66E66V66A66X62M38X36T34D30E30O30X30U30T30B36F36Z38G39P38F35X34E38M66Q66E66A66K66E66X62C39P36J63I30E30L30V30Z30T3

C:\Users\user\AppData\Local\Temp\autDE75.tmp

Download File

Process:	C:\Users\user\Desktop\NEW ORDER.exe
File Type:	data
Category:	dropped
Size (bytes):	146884
Entropy (8bit):	7.928533416238099
Encrypted:	false
SSDEEP:	3072:Spi4jeo8i26Qlou0n5S+NDk3nPxNWM1WZlaHXoc8iiWq:SpmoA6XNNA+3wH45t
MD5:	98ADF7FA8129C322DB1D863FBB38FF23
SHA1:	8F07FDCB8E7BA4F13B8759D9B44F2C73B69AF118
SHA-256:	018A848829BED563A4419021B73B8E2524928829E0F6383109FAD22BC6C35B95
SHA-512:	432054DB6A0AC3BF5F6B267855AFF1043AD314DC061C5E2FC2B96C241A00D8BE8E1C0071C428132B601A58D40AA644570B54D6BE10F6F106E3BCD8EF99EB733E
Malicious:	false
Reputation:	low
Preview:	EA06.......sZ..I.Lj..o.J.....eq..SZE..............e..enx.L..b..k.+M..:...[T.E[..f...R.....9].....d...._.P...y.]....J.......ui..%"iR.P.3..V....^kA.......<..k1`..gU.U.%.2....E...)qW.D...UV.5......b..[.H..{8.f....ku+.4...Ph...H...j......YhsX..omsz.....q.u..@..........2..n..4.R..G.`..F.X.L..............^.:...@..L...T..[..Mi...O.'...fS...yJ.P(v.........".E...<?....3.n/.}.@.....c....J...[..g]....\..=M...G.syx...y4.G+.......O;.\|O....esMWw;...j......gR..c..../..5.=.V.s..#9'.s..H.2...}..m.oQz.Om..w&M...eR...1....i..:..(<...+.......7.....T._a.J.~>......-.{1&..%..d.....i.P."T..V...x..K.. ..$.....x.......[@?...8.N..]L......W.....v2:xV....ns/\..#...X......P"..{.>..bZ....C...$.....k.9.2.G.LkS......c.sze:.A.Wf........g.....zs..#g..h&....Rf[..Sk.n.....2..@!.F.....N.c..L..I}.oZ..$...vG=._c...+..@p.4.Rh4Y.D........".o...j.7.$..Sy.r.C.....$f.X.G........s..J_W.R.4..mA..&z...kH.M.sZ..y(.Lj7*d.g=.-b.:U>..bG.V)..kS..&s.U;Y4.m(....A.." y.^...H..{\.5A..

C:\Users\user\AppData\Local\Temp\autDEB4.tmp

Download File

Process:	C:\Users\user\Desktop\NEW ORDER.exe
File Type:	data
Category:	dropped
Size (bytes):	43524
Entropy (8bit):	7.821877359260817
Encrypted:	false
SSDEEP:	768:ifaWM7ComPe8u++tY0u3BEgx0K/1PwudwcgDV7oFRk0CCNl1pYvenCfG8YcWoTda:5WM7FmPeGIY0uR7x0Kdoumxonk0C+8vS
MD5:	C8117B52EBE23E095032681D0EA5F5F0
SHA1:	DFCEA99893B7FAC40B1DB332FB052AC5238C779C
SHA-256:	8E6AC88FFFEDDA992380CB340151A9BDA0F7FE70DCAAB67EF451FBEF62445B91
SHA-512:	BCD625A744078FB4D7D14D2EA5119C1F114DC8094A930018428E97BA286DF010B72B7441171A3B8FD5D43C9BB893D3017E865661F0BBE42A515B51B45807CD2E
Malicious:	false
Reputation:	low
Preview:	EA06..P...(3y..g5.L....6.R..Z\|.gZ..)S9..m5.M.u...6..fs.l.eJ..).9..g0.L.....3.......6.T.s.,.mT.L.S9...M...9.Zg0.L.....3.i'4)..3..s....6.Q.s.d.mW..f.p.8.$.......mY...9.jg9......,..i..m1.L..I..cB.f.`.U.g0.L..)..3.Ufs....Q....J..eL..f....N.)....aT.Bf..%Rg8.L.4I...@....i...E...kX.3..4....Y..g8...4..6.Qfs...f..V.....mV.L......@..D.....(....8.....T....s:....r.........L.....@.L...3..<...g9.3).9.....TT....\|.G.f.D.sU..+Si..g9.L.@=%Vm1.L.@!.T......;....@..L...Di....m2..) 9l.......V...E......2.6....2..l...@B..6.6....3.T&s.\|.iS..-.."..6.U...&....U.'0.D..Q.y...%E..f.p..m1.>(.9.\...{..URg9....'fsN.L..Tl....u.,.@....I.p.H.H..H3.$.iP..&sJ....T..j..mG.M..`........F .F(@.u.."..(.[,....@(.8...B.$4...6..&....6.Sfs...3......lU@........@.0.r...f......R..`....H...:H.EL.~.@..P.U..i`F...X.).i...J..!U......M. m .b.......R.....I..i./L.6...j..^. .u......U9....U.HX.......P.....g.i.0b......p.....l@tT..S....F.....P.....z@.r....C.0...p...@.."l.J..50.Z..w..$...L.5.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.058168823881381
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NEW ORDER.exe
File size:	1'219'072 bytes
MD5:	3611914350f1ddaa7cf7573267f7fc91
SHA1:	2be994ddb06abdd9f6f74955af41001d8412f9e8
SHA256:	d25f1495eee9c05e29e18fbd62f932f0f670cb441b30ac99ced1a80e14275b80
SHA512:	5b8409876366fa11857a37114fcb39bf49eaf8f688cd3ab05f733e421a6788399d6e96c18510b9c3ca3a0bb20b55473b3179b0d92827de4cc081d38a2372c1b7
SSDEEP:	24576:aqDEvCTbMWu7rQYlBQcBiT6rprG8aYXuNKbdz0p:aTvC/MTQYxsWR7aYeNKZ0
TLSH:	2345AE12F3818062FFAB91724B77EE31467EA9360123A51F139C2979BF701B1563E663
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	0f39356666163145

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66C673AA [Wed Aug 21 23:09:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FB09CB934C3h
jmp 00007FB09CB92DCFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB09CB92FADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB09CB92F7Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FB09CB95B6Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FB09CB95BB8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FB09CB95BA1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x52ffc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x127000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x52ffc	0x53000	ba5996c590f9717cda6e30f086a27e7a	False	0.8793298192771084	data	7.749864781410279	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x127000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4668	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4790	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd48b8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd49e0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	Great Britain	0.35080645161290325
RT_ICON	0xd4cc8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.4594594594594595
RT_ICON	0xd4df0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	Great Britain	0.5557036247334755
RT_ICON	0xd5c98	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	Great Britain	0.7017148014440433
RT_ICON	0xd6540	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	Great Britain	0.7044797687861272
RT_ICON	0xd6aa8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	Great Britain	0.29918516769012754
RT_ICON	0xdacd0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.3355809128630705
RT_ICON	0xdd278	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	English	Great Britain	0.3477810650887574
RT_ICON	0xdece0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.3834427767354597
RT_ICON	0xdfd88	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	Great Britain	0.42131147540983604
RT_ICON	0xe0710	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	English	Great Britain	0.4680232558139535
RT_ICON	0xe0dc8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.5212765957446809
RT_MENU	0xe1230	0x50	data	English	Great Britain	0.9
RT_STRING	0xe1280	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xe1814	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xe1ea0	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xe2330	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xe292c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xe2f88	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xe33f0	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xe3548	0x434fc	data			1.0003300593381403
RT_GROUP_ICON	0x126a44	0xae	data	English	Great Britain	0.6436781609195402
RT_GROUP_ICON	0x126af4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x126b08	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x126b1c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x126b30	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x126c0c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:11:10.362818956 CEST	49704	80	192.168.2.10	208.95.112.1
Aug 29, 2024 12:11:10.368102074 CEST	80	49704	208.95.112.1	192.168.2.10
Aug 29, 2024 12:11:10.368169069 CEST	49704	80	192.168.2.10	208.95.112.1
Aug 29, 2024 12:11:10.369214058 CEST	49704	80	192.168.2.10	208.95.112.1
Aug 29, 2024 12:11:10.375152111 CEST	80	49704	208.95.112.1	192.168.2.10
Aug 29, 2024 12:11:10.841454029 CEST	80	49704	208.95.112.1	192.168.2.10
Aug 29, 2024 12:11:10.886851072 CEST	49704	80	192.168.2.10	208.95.112.1
Aug 29, 2024 12:12:09.009145975 CEST	80	49704	208.95.112.1	192.168.2.10
Aug 29, 2024 12:12:09.009392023 CEST	49704	80	192.168.2.10	208.95.112.1
Aug 29, 2024 12:12:50.857101917 CEST	49704	80	192.168.2.10	208.95.112.1
Aug 29, 2024 12:12:50.864398956 CEST	80	49704	208.95.112.1	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:11:10.347023964 CEST	60909	53	192.168.2.10	1.1.1.1
Aug 29, 2024 12:11:10.353764057 CEST	53	60909	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 12:11:10.347023964 CEST	192.168.2.10	1.1.1.1	0x91e3	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 12:11:10.353764057 CEST	1.1.1.1	192.168.2.10	0x91e3	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49704	208.95.112.1	80	7688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:11:10.369214058 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Aug 29, 2024 12:11:10.841454029 CEST	175	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:11:10 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	06:11:07
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\NEW ORDER.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NEW ORDER.exe"
Imagebase:	0x3c0000
File size:	1'219'072 bytes
MD5 hash:	3611914350F1DDAA7CF7573267F7FC91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.1313798591.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:11:08
Start date:	29/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NEW ORDER.exe"
Imagebase:	0xa50000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2541134746.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2541134746.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2542708995.0000000002E05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	1.7%
Signature Coverage:	4.9%
Total number of Nodes:	1947
Total number of Limit Nodes:	52

Executed Functions

Function 003C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 003C430D

Part of subcall function 003C6B57: _wcslen.LIBCMT ref: 003C6B6A

GetCurrentProcess.KERNEL32(?,0045CB64,00000000,?,?), ref: 003C4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 003C4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 003C4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003C4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 003C4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 003C447B
GetSystemInfo.KERNEL32(?,?,?), ref: 003C44A0

Strings

GetNativeSystemInfo, xrefs: 003C4460
|O, xrefs: 004036F8
kernel32.dll, xrefs: 003C444F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: f8badfa60bd1d78dc1298e970b0113fbdbcacba06ab75befdb9a9ecc42ab585b
Instruction ID: 7de1b85565d7b87def0ee6322afa03b0ff7aa5d6b932492fcb2adc9e654e971c
Opcode Fuzzy Hash: f8badfa60bd1d78dc1298e970b0113fbdbcacba06ab75befdb9a9ecc42ab585b
Instruction Fuzzy Hash: 93A1836590A3C2DFE736CB6A78816A57FB86B36301B1448BFDC41D3A72D2354918CB2D

Function 003C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003C50AA,?,?,00000000,00000000), ref: 003C42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003C50AA,?,?,00000000,00000000), ref: 003C42C9
LoadResource.KERNEL32(?,00000000,?,?,003C50AA,?,?,00000000,00000000,?,?,?,?,?,?,003C4F20), ref: 004035BE
SizeofResource.KERNEL32(?,00000000,?,?,003C50AA,?,?,00000000,00000000,?,?,?,?,?,?,003C4F20), ref: 004035D3
LockResource.KERNEL32(003C50AA,?,?,003C50AA,?,?,00000000,00000000,?,?,?,?,?,?,003C4F20,?), ref: 004035E6

Strings

SCRIPT, xrefs: 003C42BF

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ddd15c9ac086109be906172e27637c05a312facf6ab0ecd0a3414cf3024fd1de
Instruction ID: f2b1e26083a41d6950ae832bb5e763be9948570d46c628352ef9902e8622bc72
Opcode Fuzzy Hash: ddd15c9ac086109be906172e27637c05a312facf6ab0ecd0a3414cf3024fd1de
Instruction Fuzzy Hash: 06115A70600700BFD7228B65DC89F277BB9EBC5B52F2045ADB806D66A0DB71DC00D761

Function 00402BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 003C2B6B

Part of subcall function 003C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00491418,?,003C2E7F,?,?,?,00000000), ref: 003C3A78

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00482224), ref: 00402C10
ShellExecuteW.SHELL32(00000000,?,?,00482224), ref: 00402C17

Strings

runas, xrefs: 00402C0B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: ba14d5eb08bbc7c62babd628f8d4f778f5ca5889b303e02dff2aff82dba1cb96
Instruction ID: fc8e3f36ccd11c2bbd8d745b2f14bd8e0044f13c6d1e26b36d04de973ff3969a
Opcode Fuzzy Hash: ba14d5eb08bbc7c62babd628f8d4f778f5ca5889b303e02dff2aff82dba1cb96
Instruction Fuzzy Hash: 3111A2312083416AC716FF60D895F6EBBA4AB95300F44843EF0429B0A3CF658D4A8756

Function 0042DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00405222), ref: 0042DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0042DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0042DBEE
FindClose.KERNEL32(00000000), ref: 0042DBFA

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 4c7259df6fe0ceb769f2ecd26c5381091cfa3736fb8d04cbbfe19e8e6093c5db
Instruction ID: 5b89c3d915638b7db968cd378e31e56890b63d818e652a576e6cc65fd29ef79b
Opcode Fuzzy Hash: 4c7259df6fe0ceb769f2ecd26c5381091cfa3736fb8d04cbbfe19e8e6093c5db
Instruction Fuzzy Hash: 43F0A030C10B205B82206B78AC4D8AB376C9E01336B944753F836D21E1EBB49955C69E

Function 003CBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

b, xrefs: 004107CE

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: BuffCharUpper
String ID: b
API String ID: 3964851224-2387849686
Opcode ID: b020aadbacef952c437ae396d45fb1eea6fd393b83d9c60612f15ac3fe9c95ef
Instruction ID: a50f3f090b1e8f787b4fa1dbce0d3755dde8c65d1f408f42aaa203f4e8201289
Opcode Fuzzy Hash: b020aadbacef952c437ae396d45fb1eea6fd393b83d9c60612f15ac3fe9c95ef
Instruction Fuzzy Hash: 55A28B706183019FC721DF24C480B6ABBE5BF89304F14996EE89ACB352D775EC85CB92

Function 003CD730 Relevance: 21.6, APIs: 14, Instructions: 629windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003CD807
timeGetTime.WINMM ref: 003CDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003CDB28
TranslateMessage.USER32(?), ref: 003CDB7B
DispatchMessageW.USER32(?), ref: 003CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003CDB9F
Sleep.KERNEL32(0000000A), ref: 003CDBB1

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 3cf717e67f1f7cacead56c8c39d2e2c5c60dccd9aa593585f7325af04784d52b
Instruction ID: 7a37fd70f4a986826e073fa2d08afc27afff3eb977947f7fe3184e9a41ad85f1
Opcode Fuzzy Hash: 3cf717e67f1f7cacead56c8c39d2e2c5c60dccd9aa593585f7325af04784d52b
Instruction Fuzzy Hash: 5142D030608341AFD72ADF24C884FAAB7A5BF45304F15452EF456CB2A1D7B4EC94CB96

Function 003C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003C2D07
RegisterClassExW.USER32(00000030), ref: 003C2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003C2D42
InitCommonControlsEx.COMCTL32(?), ref: 003C2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003C2D6F
LoadIconW.USER32(000000A9), ref: 003C2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003C2D94

Strings

TaskbarCreated, xrefs: 003C2D37
AutoIt v3 GUI, xrefs: 003C2D23
0, xrefs: 003C2CE9
+, xrefs: 003C2CF0

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 830e4e63daef9b6141da411bab47228fce21318104f0ee55dd17dcb882609a97
Instruction ID: aedc8e18252e27833a03e20e8b78a4d9e49e792aa69250459e2b5de1a109a838
Opcode Fuzzy Hash: 830e4e63daef9b6141da411bab47228fce21318104f0ee55dd17dcb882609a97
Instruction Fuzzy Hash: DD21C3B590131AAFDB00DFA4EC89BDDBBB4FB08B01F10813AF911A62A1D7B54544CF99

Function 003CDFD0 Relevance: 18.9, APIs: 2, Strings: 8, Instructions: 1414COMMON

Download Yara Rule

Strings

_, xrefs: 003CE0DC, 003CE289, 003CE418, 003CE4C0
D%I, xrefs: 003CE1E0
D%I, xrefs: 0041302D
b, xrefs: 003CE3ED, 003CE4AC, 003CE4BA, 003CE4C8, 003CE4DC, 003CE881, 003CE889, 003CE8A2, 003CE8AD, 003CE927, 003CE92F, 003CE952, 003CE95D, 00413051
D%I, xrefs: 003CE4B1
Variable must be of type 'Object'., xrefs: 004132B7
D%ID%I, xrefs: 003CE27E
D%I, xrefs: 00412FDA

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID: D%I$D%I$D%I$D%I$D%ID%I$Variable must be of type 'Object'.$_$b
API String ID: 0-1413351388
Opcode ID: 31e9c4ffbf22bf04566d052dca89b996d2839a5ff3ea895599341f56c1679905
Instruction ID: d94d141e0e9ddbb4f4c22bc825e0f4bb17f085507ef5f6c13e43d89506bd794a
Opcode Fuzzy Hash: 31e9c4ffbf22bf04566d052dca89b996d2839a5ff3ea895599341f56c1679905
Instruction Fuzzy Hash: 64C29875A00214DFCB26CF98C880FADB7B5BF08314F25856AE906AB391D375ED81CB95

Function 003F8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.>, xrefs: 003F903A, 003F8FD0, 003F8FF2

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID: .>
API String ID: 0-1757889381
Opcode ID: 2299ca25862e6659f997a3aa42db3991edd898949eb2dc84e0505c8bf76db566
Instruction ID: 78f490e2a1d5db78b8646cfc8f464b8c28356a4855d40d5d852fb90cb9de5566
Opcode Fuzzy Hash: 2299ca25862e6659f997a3aa42db3991edd898949eb2dc84e0505c8bf76db566
Instruction Fuzzy Hash: 56C1057590434EAFCB17DFA8D845BBDBBB4AF19310F05416AFA14AB392CB718941CB60

Function 0040065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040039A: CreateFileW.KERNELBASE(00000000,00000000,?,00400704,?,?,00000000,?,00400704,00000000,0000000C), ref: 004003B7

GetLastError.KERNEL32 ref: 0040076F
__dosmaperr.LIBCMT ref: 00400776
GetFileType.KERNELBASE(00000000), ref: 00400782
GetLastError.KERNEL32 ref: 0040078C
__dosmaperr.LIBCMT ref: 00400795
CloseHandle.KERNEL32(00000000), ref: 004007B5
CloseHandle.KERNEL32(?), ref: 004008FF
GetLastError.KERNEL32 ref: 00400931
__dosmaperr.LIBCMT ref: 00400938

Strings

H, xrefs: 004008BD

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 7e8da3948ff94ba819d3d62cba25730b4b307a196a6e934120b61ffea2ebc46f
Instruction ID: e587475019e1f49bdae13cd49facc92fd5c477a0d7b62504bd06c80444e38327
Opcode Fuzzy Hash: 7e8da3948ff94ba819d3d62cba25730b4b307a196a6e934120b61ffea2ebc46f
Instruction Fuzzy Hash: F6A13732A001488FDF19AF68D851BAE7BA0EB06320F14417EF815AF3D1D7799D12CB99

Function 003C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00491418,?,003C2E7F,?,?,?,00000000), ref: 003C3A78

Part of subcall function 003C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003C3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003C356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0040318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004031CE
RegCloseKey.ADVAPI32(?), ref: 00403210
_wcslen.LIBCMT ref: 00403277
_wcslen.LIBCMT ref: 00403286

Strings

\, xrefs: 0040328C
Software\AutoIt v3\AutoIt, xrefs: 003C3560
Include, xrefs: 00403184, 004031C5
\Include\, xrefs: 003C3527

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: e62250574f68eac11662940ca17e9d7488618f27f699d98970f1f5b5871d3151
Instruction ID: 32a99ed4ceaad37e43e87a1696a953504629e507e11c2c6fd050447b64f4ce17
Opcode Fuzzy Hash: e62250574f68eac11662940ca17e9d7488618f27f699d98970f1f5b5871d3151
Instruction Fuzzy Hash: AD718E71404300AEC325EF65ED82A5BBBE8BF95740B40453FF845D72A1DB749A48CB59

Function 003C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003C2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 003C2B9D
LoadIconW.USER32(00000063), ref: 003C2BB3
LoadIconW.USER32(000000A4), ref: 003C2BC5
LoadIconW.USER32(000000A2), ref: 003C2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003C2BEF
RegisterClassExW.USER32(?), ref: 003C2C40

Part of subcall function 003C2CD4: GetSysColorBrush.USER32(0000000F), ref: 003C2D07
Part of subcall function 003C2CD4: RegisterClassExW.USER32(00000030), ref: 003C2D31
Part of subcall function 003C2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003C2D42
Part of subcall function 003C2CD4: InitCommonControlsEx.COMCTL32(?), ref: 003C2D5F
Part of subcall function 003C2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003C2D6F
Part of subcall function 003C2CD4: LoadIconW.USER32(000000A9), ref: 003C2D85
Part of subcall function 003C2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003C2D94

Strings

AutoIt v3, xrefs: 003C2C2F
#, xrefs: 003C2C16
0, xrefs: 003C2C0F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c6c1624d0be35a89d3384a09545bd5d4e21ee841eb92884745827da474654089
Instruction ID: 3229c5dea832e5a31b7837e9c9e4b169ddc58f7ceecf7f3a706a06aca66f110d
Opcode Fuzzy Hash: c6c1624d0be35a89d3384a09545bd5d4e21ee841eb92884745827da474654089
Instruction Fuzzy Hash: 47213A70E00319AFEB219FA5EC89B997FB4FB18B50F00413BE905A66B0D3B14540CF98

Function 003C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,003C316A,?,?), ref: 003C31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,003C316A,?,?), ref: 003C3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003C3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,003C316A,?,?), ref: 003C3232
CreatePopupMenu.USER32 ref: 003C3246
PostQuitMessage.USER32(00000000), ref: 003C3267

Strings

TaskbarCreated, xrefs: 003C322D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d3c7511123ed0f6869ca130071db5a9fb8d9864cda2ff9c291719ae426ce3ed1
Instruction ID: 9ac607e96ceb02a064fbf928e95cb45a8b2e8895164e9db4e613e2cff7f97fbc
Opcode Fuzzy Hash: d3c7511123ed0f6869ca130071db5a9fb8d9864cda2ff9c291719ae426ce3ed1
Instruction Fuzzy Hash: CA41C531244205AEDF262B68DD4DF793A69EB15340F08853FF902D56E2C7B5CE409BA9

Function 003CB710 Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003CBB4E

Strings

x#I, xrefs: 00410168
b, xrefs: 003CBA72, 003CBB6B, 0041024F, 00410263
x#I, xrefs: 00410207
p%I, xrefs: 003CB8DC
p%I, xrefs: 003CBB32

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Init_thread_footer
String ID: p%I$p%I$x#I$x#I$b
API String ID: 1385522511-922323979
Opcode ID: 85bf08fe35580fb9a6ef2d0cd1aa8f8243f70664d0208222d3e6dadf3fbf8f31
Instruction ID: 3a36f48560e8ba3e69d97309e9802a24dafadb6b3c900e46f2864536e6f9a487
Opcode Fuzzy Hash: 85bf08fe35580fb9a6ef2d0cd1aa8f8243f70664d0208222d3e6dadf3fbf8f31
Instruction Fuzzy Hash: 1132CD35A00209EFCB21CF64C985FBAB7B9EF44310F15806AED15AB351C7B9AD81CB95

Function 033025D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 033026A1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 033028C7

Memory Dump Source

Source File: 00000000.00000002.1313706611.0000000003300000.00000040.00001000.00020000.00000000.sdmp, Offset: 03300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3300000_NEW ORDER.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: a5c148984b5d0def02d440ef4c0559f1bb1fb4f0ca120125a9a537634c709719
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: 48A12774E00209EBDB14CFA4C8A8BEEB7B5BF48705F248599E511BB2C1D7759A80CF54

Function 003C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003C2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 003C2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,003C1CAD,?), ref: 003C2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,003C1CAD,?), ref: 003C2CCF

Strings

AutoIt v3, xrefs: 003C2C89, 003C2C8E, 003C2C8F
edit, xrefs: 003C2CAC

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c26c493d5903e7ad1b92cb92e8ab209e2b88da09eaa26cf37caf19ac4a2d465e
Instruction ID: fa2b600b89bc286f7cd07a37b2953ae672304d8f3045606a299cdff4d83d3b09
Opcode Fuzzy Hash: c26c493d5903e7ad1b92cb92e8ab209e2b88da09eaa26cf37caf19ac4a2d465e
Instruction Fuzzy Hash: 3DF017755403917EEB300723AC48E772EBDD7DAF51B00007BFD04A25B0C2750840DAB8

Function 033023B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 139
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 033022A0: Sleep.KERNELBASE(000001F4), ref: 033022B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 033024BB

Strings

JEC5Y6AI21UXR5H, xrefs: 0330251E, 03302521

Memory Dump Source

Source File: 00000000.00000002.1313706611.0000000003300000.00000040.00001000.00020000.00000000.sdmp, Offset: 03300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3300000_NEW ORDER.jbxd

Similarity

API ID: CreateFileSleep
String ID: JEC5Y6AI21UXR5H
API String ID: 2694422964-290130290
Opcode ID: aa338fdad3424db1d8fe9d0b06964ef4faa1e49f4dbe59e510b92ff7d8631c8d
Instruction ID: 6d72927f24d60a488d48065ab4ae0685c819d4479d31613bb2bbf63feda17657
Opcode Fuzzy Hash: aa338fdad3424db1d8fe9d0b06964ef4faa1e49f4dbe59e510b92ff7d8631c8d
Instruction Fuzzy Hash: A6515F71D44249DAEF11DBE4C858BEFBB78AF09300F004599E608BB2C0D7B91B45CB65

Function 00432947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00432C05
DeleteFileW.KERNEL32(?), ref: 00432C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00432C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00432CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00432CC0

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 625f0857e7deb1778318810399bcc97478c80d029ee2b4cc26deb6c2877b8eab
Instruction ID: af3ed01686c259aff9563482f7397246320f2e9ee8fd39586d2a04a3f61c09fd
Opcode Fuzzy Hash: 625f0857e7deb1778318810399bcc97478c80d029ee2b4cc26deb6c2877b8eab
Instruction Fuzzy Hash: FEB16D72D00129ABDF11EFA5CD85EDEB77DEF08304F1041AAF609E6181EA74AE448F65

Function 003F5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JO<, xrefs: 003F5BA8, 003F5C6C

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID: JO<
API String ID: 0-3670212169
Opcode ID: 0f0899c83357f842eb46362e1aee3f7b44584c426ad7e66730441db2a9a7a0dd
Instruction ID: f6e447d04f91c5a2d3de4d78b1dd3a54cc475b92c569f16064dad559c60cf057
Opcode Fuzzy Hash: 0f0899c83357f842eb46362e1aee3f7b44584c426ad7e66730441db2a9a7a0dd
Instruction Fuzzy Hash: F551BF75D00A0D9FCB229FA5C845FBEBFB8AF05310F15016AF706AB292D7719A018B61

Function 003C3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,003C3B0F,SwapMouseButtons,00000004,?), ref: 003C3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,003C3B0F,SwapMouseButtons,00000004,?), ref: 003C3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,003C3B0F,SwapMouseButtons,00000004,?), ref: 003C3B83

Strings

Control Panel\Mouse, xrefs: 003C3B3E

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 1baf8e8784de0e74ca03b9d2c7c7b5ef4ae70585acbc3099f5892fba9d2c2f05
Instruction ID: f53a8634eaaec1ba9d292a5f18b5f0eee282a7789b836054ab777b906e8a67a0
Opcode Fuzzy Hash: 1baf8e8784de0e74ca03b9d2c7c7b5ef4ae70585acbc3099f5892fba9d2c2f05
Instruction Fuzzy Hash: 2C112AB5510208FFDB218FA5DC84EEFB7BCEF04755B118469B805D7110D231DE409B64

Function 033012A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03301ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03301AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03301B13

Memory Dump Source

Source File: 00000000.00000002.1313706611.0000000003300000.00000040.00001000.00020000.00000000.sdmp, Offset: 03300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3300000_NEW ORDER.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction ID: 333d931df40d1409346a04565eb6f711aaef777a9287e468648226cdf96a2127
Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction Fuzzy Hash: 3B62E934E142589BEB24CBA4CC90BDEB376EF58700F1091A9D10DEB2E4E7759E81CB59

Function 003C3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004033A2

Part of subcall function 003C6B57: _wcslen.LIBCMT ref: 003C6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 003C3A04

Strings

Line: , xrefs: 004033EB

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 4e0a6c7300787cbbc37346e479774007ce65ba179e1a57f0c5af0be1c5c77189
Instruction ID: 26880e3c595e649e5ee0871835d0ae2ef8db6605baf7f352444f721dfaae44f8
Opcode Fuzzy Hash: 4e0a6c7300787cbbc37346e479774007ce65ba179e1a57f0c5af0be1c5c77189
Instruction Fuzzy Hash: CB31B271508301AAD722EB20DC46FEBB7E8AB44714F10493EF599D71A1DB749E48C7C6

Function 003C2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00402C8C

Part of subcall function 003C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003C3A97,?,?,003C2E7F,?,?,?,00000000), ref: 003C3AC2

Part of subcall function 003C2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003C2DC4

Strings

X, xrefs: 00402C5A
`eH, xrefs: 00402C85

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eH
API String ID: 779396738-3377190430
Opcode ID: 49ab3fce24bf18cbb23d5c8a6e664fda0eb794a968080c862ff34b89db5ed33e
Instruction ID: b32dcb1aba4f24863c2dc3e40c7321d4fff64599e78911372e1aa82764b378c8
Opcode Fuzzy Hash: 49ab3fce24bf18cbb23d5c8a6e664fda0eb794a968080c862ff34b89db5ed33e
Instruction Fuzzy Hash: 1D219671A002589FDB42EF94C849BDE7BFC9F49714F00806EE405FB281DBB859498F65

Function 003DFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 003E0668

Part of subcall function 003E32A4: RaiseException.KERNEL32(?,?,?,003E068A,?,00491444,?,?,?,?,?,?,003E068A,003C1129,00488738,003C1129), ref: 003E3304

__CxxThrowException@8.LIBVCRUNTIME ref: 003E0685

Strings

Unknown exception, xrefs: 003E0692

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: feb824bd0891c65ad7342d5e0cc7b8b62757b466984b402178015e98aee34848
Instruction ID: 3b821ac686ae66f7a2adeb43d0f1e3b136c783b4dfae9798a17be1d6bc39f85e
Opcode Fuzzy Hash: feb824bd0891c65ad7342d5e0cc7b8b62757b466984b402178015e98aee34848
Instruction Fuzzy Hash: 19F04C3080028C77CF06B766EC86E5E777D9E00300BA04736B914DA6D5EFB0DA59C6C0

Function 00433017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0043302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00433044

Strings

aut, xrefs: 00433038

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a53dce1fbc71f9db7a56b7ac78c6dc5e4909e5d80cc7e7058f571e41c5c342fa
Instruction ID: 503f574263efe49e8127b409eccbc27ad864b511d45b728c755a77b52f155efb
Opcode Fuzzy Hash: a53dce1fbc71f9db7a56b7ac78c6dc5e4909e5d80cc7e7058f571e41c5c342fa
Instruction Fuzzy Hash: 8BD05B719003146BDA60A7949C8DFCB3A6CD705751F0005A17655D2091DAB4D544CBD4

Function 00447F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 004482F5
TerminateProcess.KERNEL32(00000000), ref: 004482FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 004484DD

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: e0dc66e53372b32777808d437064f31b7afb8fbd060889eb66aca4f3e4b23c97
Instruction ID: 7d537eac75724e7f2435a9e214ceeb97f44a53eef3153d099be2fa70ed0bae90
Opcode Fuzzy Hash: e0dc66e53372b32777808d437064f31b7afb8fbd060889eb66aca4f3e4b23c97
Instruction Fuzzy Hash: 3C126B719083419FD714DF28C484B2ABBE1BF89318F04895EE8898B352DB35ED46CF96

Function 00449096 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0044912A
_strcat.LIBCMT ref: 00449169
_wcslen.LIBCMT ref: 004491B7

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: db29d8e222f3c4a38901bf430eec4125cbf7ae24f96fcfd2188fd719e224513b
Instruction ID: b5032a11dab55b6326921c9e33f24a6d5cf89c97af42bae6863abb3f12171f3b
Opcode Fuzzy Hash: db29d8e222f3c4a38901bf430eec4125cbf7ae24f96fcfd2188fd719e224513b
Instruction Fuzzy Hash: C1A16031204505EFDB18DF58C5D196ABBA1FF49314B1484AEE80A8F392DB36ED42DF85

Function 003C10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 003C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003C1BF4
Part of subcall function 003C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 003C1BFC
Part of subcall function 003C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003C1C07
Part of subcall function 003C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003C1C12
Part of subcall function 003C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 003C1C1A
Part of subcall function 003C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 003C1C22

Part of subcall function 003C1B4A: RegisterWindowMessageW.USER32(00000004,?,003C12C4), ref: 003C1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003C136A
OleInitialize.OLE32 ref: 003C1388
CloseHandle.KERNEL32(00000000,00000000), ref: 004024AB

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 31ab790a3e830afa519c4974a3df0ab9482c9abc786e9153b7c4ebc2f8747af1
Instruction ID: 56bb76280c7009badd3982160c399ff89a2c78f6b20400c27e877b7b425f00ef
Opcode Fuzzy Hash: 31ab790a3e830afa519c4974a3df0ab9482c9abc786e9153b7c4ebc2f8747af1
Instruction Fuzzy Hash: 6E71CFB4901302AFC785EF7AA985A553AE0FBA8364756813FD41ACB372E7344805DF4C

Function 003F86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,003F85CC,?,00488CC8,0000000C), ref: 003F8704
GetLastError.KERNEL32(?,003F85CC,?,00488CC8,0000000C), ref: 003F870E
__dosmaperr.LIBCMT ref: 003F8739

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 2d5b8686a95fb8035ddf9f875ca4983b2ed81988fb577d5531b27cea516f44ef
Instruction ID: c7d83c777ab9ebeb309e2dba6f1acfc2c85187708c19de86e3394af7a48810de
Opcode Fuzzy Hash: 2d5b8686a95fb8035ddf9f875ca4983b2ed81988fb577d5531b27cea516f44ef
Instruction Fuzzy Hash: 97012F377056681AD62B63346849B7E67894B92779F3B012AFB14DF1D2DEA0CC818154

Function 00432FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00432CD4,?,?,?,00000004,00000001), ref: 00432FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00432CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00433006
CloseHandle.KERNEL32(00000000,?,00432CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0043300D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: a0295b8b6ca1fee6abe17a4c3390fb906a608cfe4c88a0331ee08af9ecad3c8c
Instruction ID: 40b75c8cc7e05d5e9b7086edf6454313f5603c05f582b4a653e064e0752c44d4
Opcode Fuzzy Hash: a0295b8b6ca1fee6abe17a4c3390fb906a608cfe4c88a0331ee08af9ecad3c8c
Instruction Fuzzy Hash: 5EE086366807147BD2301765BC4DF8B3A1CD78AB72F104220FB29791D146A0590186AC

Function 003D1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003D17F6

Strings

CALL, xrefs: 003D17C6

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: f12d258adccea23dfa2c1134098cda0d9b61ffc5785e2489fed8d7245df7e43b
Instruction ID: f4902581c31964e542a35de8b02dc6aa5bfa3ce51d8b7e736fa6acad4d4ca84e
Opcode Fuzzy Hash: f12d258adccea23dfa2c1134098cda0d9b61ffc5785e2489fed8d7245df7e43b
Instruction Fuzzy Hash: EB22BD71608301AFC715CF14E480B2ABBF6BF89314F15892EF8968B361D775E985CB86

Function 00436EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00436F6B

Part of subcall function 003C4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00491418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003C4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00436F5A, 00436F63

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: e7ff176340b6488126f1d6025c84ad6ff73fb85d6a084ac1f32c0026774da201
Instruction ID: 18ad689305b31eeaffcb818985b9a4889a6ec16cce26ccd24563c7c6b3d05fe7
Opcode Fuzzy Hash: e7ff176340b6488126f1d6025c84ad6ff73fb85d6a084ac1f32c0026774da201
Instruction Fuzzy Hash: 21B1B1711086019FCB15EF20C491E6FB7E4AF98314F04895EF896CB262DB34ED49CB96

Function 00432557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00432587

Strings

EA06, xrefs: 004325B9

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 634a4bf373421fd51f846a75420df226133311c950faa56d13793f2e272cb8f6
Instruction ID: 9a74f1cbea95e54eba0ada76e25c1809aa775546814574adbd11e6651fb588b8
Opcode Fuzzy Hash: 634a4bf373421fd51f846a75420df226133311c950faa56d13793f2e272cb8f6
Instruction Fuzzy Hash: C001B5729042687EDF19C7A9C856EEEBBF89B05701F00465AF152D61C1E5B8E7088B64

Function 003C3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 003C3908

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: de0fcd9e0d5fb0bfb348ce053056f5550ec27ac311642fc7d50878f1e7a0a9f9
Instruction ID: 033b6581aaa3c0f94ebe7fc03094150a5cba99bd305e72acfb48f1e879f1e612
Opcode Fuzzy Hash: de0fcd9e0d5fb0bfb348ce053056f5550ec27ac311642fc7d50878f1e7a0a9f9
Instruction Fuzzy Hash: CB315A706043019FE721DF24D885B97BBE8FB49709F00092EF99997290E771AA48CB56

Function 0330129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03301ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03301AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03301B13

Memory Dump Source

Source File: 00000000.00000002.1313706611.0000000003300000.00000040.00001000.00020000.00000000.sdmp, Offset: 03300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3300000_NEW ORDER.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: 701da76ce15f0a93caadfa860948f6933ba31e526911069090e43f39ad0349e8
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: 7B12BD24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 003C4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 003C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003C4EDD,?,00491418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003C4E9C
Part of subcall function 003C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003C4EAE
Part of subcall function 003C4E90: FreeLibrary.KERNEL32(00000000,?,?,003C4EDD,?,00491418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003C4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00491418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003C4EFD

Part of subcall function 003C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00403CDE,?,00491418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003C4E62
Part of subcall function 003C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003C4E74
Part of subcall function 003C4E59: FreeLibrary.KERNEL32(00000000,?,?,00403CDE,?,00491418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003C4E87

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: f047c4409dc483ebd18deda30aea7a8d7499aa739f235b18a47471d05656521a
Instruction ID: c4c6e1a1d80c1d976b08bd4eda84e915d19a23df8325226e6f6a641058c998b3
Opcode Fuzzy Hash: f047c4409dc483ebd18deda30aea7a8d7499aa739f235b18a47471d05656521a
Instruction Fuzzy Hash: FB110132610305AADB16BF70DC22FAD77A5AF40B11F20842EF442EA1C2EEB4EE449754

Function 003F8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 003F8440

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 683944dea744b05d6ba20f3f2c979b7cfd404517cd9e29b107caa39d428b0126
Instruction ID: 41bc7fd24d225183fec96c68e2f2dbc701de481dafb3400536456dcbb34584e6
Opcode Fuzzy Hash: 683944dea744b05d6ba20f3f2c979b7cfd404517cd9e29b107caa39d428b0126
Instruction Fuzzy Hash: 4F11487190410AAFCB0ADF59E9419AE7BF8EF48304F114069FD08AB312DB30EA11CBA4

Function 003EE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: e1ce64b07952ec5442f65f32bf5bc1e2ffe94936b6f67335a15df3f6a3b3f862
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: 97F0F432511A78EACA333B6B9C05B6B339C9F52334F110B15F6209B1D2DB74D80586A5

Function 003F3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00491444,?,003DFDF5,?,?,003CA976,00000010,00491440,003C13FC,?,003C13C6,?,003C1129), ref: 003F3852

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c7118aee7d7d1ba771fb6bd4d2bbc856bceba422efa897d16a0ab4c07630c56f
Instruction ID: 5b38d22af07ca861dba9d443710f8a42173000eee0049789952c416f0af132e8
Opcode Fuzzy Hash: c7118aee7d7d1ba771fb6bd4d2bbc856bceba422efa897d16a0ab4c07630c56f
Instruction Fuzzy Hash: 49E0E53110026CAAE63326779D00FBA3648AF42BF0F060131FE04969D1DB19DD0582E1

Function 003F4D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003F4D9C

Part of subcall function 003F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003FD7D1,00000000,00000000,00000000,00000000,?,003FD7F8,00000000,00000007,00000000,?,003FDBF5,00000000), ref: 003F29DE
Part of subcall function 003F29C8: GetLastError.KERNEL32(00000000,?,003FD7D1,00000000,00000000,00000000,00000000,?,003FD7F8,00000000,00000007,00000000,?,003FDBF5,00000000,00000000), ref: 003F29F0

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: f7b704efe73fbf814afc661a0b7a419a48ba28a74f3be837391b0a092344bdee
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: 64E092361403099F8721CF6CD400A93B7F4EF853207218529F99DD7311D331E852CB80

Function 003C4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00491418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003C4F6D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ac007a5d5586cf2d34290590d0df15880c01503149dded9d4df06bef3a8b864e
Instruction ID: 4c3569d6a1b663e88389a8f3b82450b80bd30b3948f9abd9fc98d1a2156e9cce
Opcode Fuzzy Hash: ac007a5d5586cf2d34290590d0df15880c01503149dded9d4df06bef3a8b864e
Instruction Fuzzy Hash: DFF03071105751CFDB359F64D4A0E12B7E4AF14319311897EE1DAC2511C7319C44DF10

Function 003C2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003C2DC4

Part of subcall function 003C6B57: _wcslen.LIBCMT ref: 003C6B6A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 09185a35a0fb762e4b19f9f5a14408643dc9dfeb485c870a251e3d1504a10295
Instruction ID: 2a7583468ca2794230e89f2b065b5be91ac1669315f94212e8f74c188ca073a4
Opcode Fuzzy Hash: 09185a35a0fb762e4b19f9f5a14408643dc9dfeb485c870a251e3d1504a10295
Instruction Fuzzy Hash: 64E0C272A002245BCB21E2999C06FEA77EDDFC8790F0400B6FD09E7258DA74ED808694

Function 00432693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 004326B5

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: abf3ed20c592554fe0f843f52c10fc0336f9e3ecbce701c3f73224e2641d18bc
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: B3E04FB0609B105FDF395A28A9627B777E89F49300F00186EF69B82352E5B268458A4D

Function 003C2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003C3908

Part of subcall function 003CD730: GetInputState.USER32 ref: 003CD807

SetCurrentDirectoryW.KERNEL32(?), ref: 003C2B6B

Part of subcall function 003C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 003C314E

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: cfbe536f487467116b32525c2283f37cc5a13d3b5df91454f3c54ff36638d0ce
Instruction ID: 9bca9aa9154ec5d4c7628839e74ddbdf97f385f02f1fb9d6e22d5b2e933ee3b0
Opcode Fuzzy Hash: cfbe536f487467116b32525c2283f37cc5a13d3b5df91454f3c54ff36638d0ce
Instruction Fuzzy Hash: BEE0862230434506CA06BB749856F7DB7599BD5351F40553FF147CB173CF258D4A4356

Function 0040039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00400704,?,?,00000000,?,00400704,00000000,0000000C), ref: 004003B7

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b5a4a0f649d5fb020777c2e94a525bfb7035f490a14833f123a9b9819e94deba
Instruction ID: 3c6e01940a8eee703ed89858449c41986d9a16c162fc9c40ef67e975ed85e133
Opcode Fuzzy Hash: b5a4a0f649d5fb020777c2e94a525bfb7035f490a14833f123a9b9819e94deba
Instruction Fuzzy Hash: 48D06C3204020DBFDF028F84DD46EDA3BAAFB48714F014010BE1856021C732E821AB94

Function 003C1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 003C1CBC

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 272a96656b8ce5a1b98d38a672fcfcd61678179a84634f72d56ce4922f23197b
Instruction ID: 5bcaad8f0573d77910219261c6d1bae96d8abf92748bd6022293fbbc6020eb75
Opcode Fuzzy Hash: 272a96656b8ce5a1b98d38a672fcfcd61678179a84634f72d56ce4922f23197b
Instruction Fuzzy Hash: 21C09B35280315BFF21447D0BD4AF107764A358B11F444032F60D555F3D3F15810D658

Function 003DFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 003DFD1F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 109817e57c5d5892ad4833ae167462c63e1e49279ad4c6a813dc368fa536af02
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 50310476A001099FC71ACF59E4C0969F7A6FF49304B2582A6E80ACB755D731EDD1CBC0

Function 0330229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 033022B1

Memory Dump Source

Source File: 00000000.00000002.1313706611.0000000003300000.00000040.00001000.00020000.00000000.sdmp, Offset: 03300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3300000_NEW ORDER.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: f23c669fa13714d3661a93ac33b42df6384c4cc2140fc68893bf35a6058c1710
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: FAE09A7494010EAFDB00EFA8D54969E7BB4EF04311F1005A1FD05D6680DA319A548A62

Function 033022A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 033022B1

Memory Dump Source

Source File: 00000000.00000002.1313706611.0000000003300000.00000040.00001000.00020000.00000000.sdmp, Offset: 03300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3300000_NEW ORDER.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: db18345fb96b789e7974fb3e6f16cf53f7f0c1d208cfcdf88de830ab7f429d7f
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 57E0BF7494010E9FDB00EFA8D54969E7BB4EF04301F1005A1FD05D2280D63199508A62

Non-executed Functions

Function 00459576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 003D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003D9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0045961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0045965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0045969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004596C9
SendMessageW.USER32 ref: 004596F2
GetKeyState.USER32(00000011), ref: 0045978B
GetKeyState.USER32(00000009), ref: 00459798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004597AE
GetKeyState.USER32(00000010), ref: 004597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004597E9
SendMessageW.USER32 ref: 00459810
SendMessageW.USER32(?,00001030,?,00457E95), ref: 00459918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0045992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00459941
SetCapture.USER32(?), ref: 0045994A
ClientToScreen.USER32(?,?), ref: 004599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004599D6
ReleaseCapture.USER32 ref: 004599E1
GetCursorPos.USER32(?), ref: 00459A19
ScreenToClient.USER32(?,?), ref: 00459A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00459A80
SendMessageW.USER32 ref: 00459AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00459AEB
SendMessageW.USER32 ref: 00459B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00459B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00459B4A
GetCursorPos.USER32(?), ref: 00459B68
ScreenToClient.USER32(?,?), ref: 00459B75
GetParent.USER32(?), ref: 00459B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00459BFA
SendMessageW.USER32 ref: 00459C2B
ClientToScreen.USER32(?,?), ref: 00459C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00459CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00459CDE
SendMessageW.USER32 ref: 00459D01
ClientToScreen.USER32(?,?), ref: 00459D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00459D82

Part of subcall function 003D9944: GetWindowLongW.USER32(?,000000EB), ref: 003D9952

GetWindowLongW.USER32(?,000000F0), ref: 00459E05

Strings

F, xrefs: 00459D07
b, xrefs: 00459990
@GUI_DRAGID, xrefs: 0045997D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$b
API String ID: 3429851547-1107042611
Opcode ID: ba0b2484629274c20d53f3c04e4119d383f15f4f747ae4e7e3203a5db4a63c78
Instruction ID: 932797830f77568d7d057ffa0db23bd5007b609fe848c46012572b46902fd054
Opcode Fuzzy Hash: ba0b2484629274c20d53f3c04e4119d383f15f4f747ae4e7e3203a5db4a63c78
Instruction Fuzzy Hash: CA429C70204301EFDB25CF24CD84AAABBE5FF49311F14062AFA59872A2D735ED58DB49

Function 00454873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00454908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00454927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0045494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0045495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0045497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00454A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00454A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00454A7E
IsMenu.USER32(?), ref: 00454A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00454AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00454B20
GetWindowLongW.USER32(?,000000F0), ref: 00454B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00454BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00454C82
wsprintfW.USER32 ref: 00454CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00454CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00454CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00454D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00454D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00454D5A

Strings

%d/%02d/%02d, xrefs: 00454CA8

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 1a9b75b94a59695ebaa647d13785801e7ee6f9363934ea77839081e5013738da
Instruction ID: 89aac2a5d11022571861da166a3c4c80d38f32636958fa0e4539c9775e958f6a
Opcode Fuzzy Hash: 1a9b75b94a59695ebaa647d13785801e7ee6f9363934ea77839081e5013738da
Instruction Fuzzy Hash: D312C071500314AFEB258F28CC49FAF7BB8EF85315F10412AF916DE2A2D7789985CB58

Function 003DF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 003DF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0041F474
IsIconic.USER32(00000000), ref: 0041F47D
ShowWindow.USER32(00000000,00000009), ref: 0041F48A
SetForegroundWindow.USER32(00000000), ref: 0041F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0041F4AA
GetCurrentThreadId.KERNEL32 ref: 0041F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0041F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0041F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0041F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0041F4DE
SetForegroundWindow.USER32(00000000), ref: 0041F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0041F4F6
keybd_event.USER32(00000012,00000000), ref: 0041F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0041F50B
keybd_event.USER32(00000012,00000000), ref: 0041F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0041F519
keybd_event.USER32(00000012,00000000), ref: 0041F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0041F528
keybd_event.USER32(00000012,00000000), ref: 0041F52D
SetForegroundWindow.USER32(00000000), ref: 0041F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0041F557

Strings

Shell_TrayWnd, xrefs: 0041F46F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: be429a3570e002405e8d9697cfa0b536f8afda3fb4239959968cd3b1cd3d9d33
Instruction ID: 9931781cd45bb89f49b2aa00b583375096648ae632a853f239198b2dc06ed575
Opcode Fuzzy Hash: be429a3570e002405e8d9697cfa0b536f8afda3fb4239959968cd3b1cd3d9d33
Instruction Fuzzy Hash: E831A571A40318BFEB216BB54C89FBF7E6DEB44B51F100076F600E61D2D6B09D41AA68

Function 00421201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0042170D
Part of subcall function 004216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0042173A
Part of subcall function 004216C3: GetLastError.KERNEL32 ref: 0042174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00421286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004212A8
CloseHandle.KERNEL32(?), ref: 004212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004212D1
GetProcessWindowStation.USER32 ref: 004212EA
SetProcessWindowStation.USER32(00000000), ref: 004212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00421310

Part of subcall function 004210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004211FC), ref: 004210D4
Part of subcall function 004210BF: CloseHandle.KERNEL32(?,?,004211FC), ref: 004210E9

Strings

default, xrefs: 0042130B
, xrefs: 0042125A
winsta0, xrefs: 004212CC
ZH, xrefs: 00421392

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZH
API String ID: 22674027-2345524798
Opcode ID: dfff68031f9532242825c8b15b8ce03449b05bfed5fb2902510c4fe8d0c7ba73
Instruction ID: 31408f5571986af612b1c7ad31f9be4113c866425f1317b05a3edd707ad28e2d
Opcode Fuzzy Hash: dfff68031f9532242825c8b15b8ce03449b05bfed5fb2902510c4fe8d0c7ba73
Instruction Fuzzy Hash: 27819271A00359AFDF11AFA4EC85FEF7BB9EF04704F14412AF915A62A1C7398944CB68

Function 00420B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00421114
Part of subcall function 004210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00420B9B,?,?,?), ref: 00421120
Part of subcall function 004210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00420B9B,?,?,?), ref: 0042112F
Part of subcall function 004210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00420B9B,?,?,?), ref: 00421136
Part of subcall function 004210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0042114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00420BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00420C00
GetLengthSid.ADVAPI32(?), ref: 00420C17
GetAce.ADVAPI32(?,00000000,?), ref: 00420C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00420C6D
GetLengthSid.ADVAPI32(?), ref: 00420C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00420C8C
HeapAlloc.KERNEL32(00000000), ref: 00420C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00420CB4
CopySid.ADVAPI32(00000000), ref: 00420CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00420CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00420D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00420D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00420D45
HeapFree.KERNEL32(00000000), ref: 00420D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00420D55
HeapFree.KERNEL32(00000000), ref: 00420D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00420D65
HeapFree.KERNEL32(00000000), ref: 00420D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00420D78
HeapFree.KERNEL32(00000000), ref: 00420D7F

Part of subcall function 00421193: GetProcessHeap.KERNEL32(00000008,00420BB1,?,00000000,?,00420BB1,?), ref: 004211A1
Part of subcall function 00421193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00420BB1,?), ref: 004211A8
Part of subcall function 00421193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00420BB1,?), ref: 004211B7

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 98b346cb1a78c1a1811e48f52cf606d0281d4353cc04003e3c8ba5a5bf237f20
Instruction ID: 6670cf8c700632af60f63af516aa492e139106d38aa058e442a8e0021f29019c
Opcode Fuzzy Hash: 98b346cb1a78c1a1811e48f52cf606d0281d4353cc04003e3c8ba5a5bf237f20
Instruction Fuzzy Hash: 22718A71A0031AAFDF109FE5EC84BAFBBB8AF04701F444126E914A6292D778E905CF64

Function 0043EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0045CC08), ref: 0043EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0043EB37
GetClipboardData.USER32(0000000D), ref: 0043EB43
CloseClipboard.USER32 ref: 0043EB4F
GlobalLock.KERNEL32(00000000), ref: 0043EB87
CloseClipboard.USER32 ref: 0043EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0043EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0043EBC9
GetClipboardData.USER32(00000001), ref: 0043EBD1
GlobalLock.KERNEL32(00000000), ref: 0043EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0043EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0043EC38
GetClipboardData.USER32(0000000F), ref: 0043EC44
GlobalLock.KERNEL32(00000000), ref: 0043EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0043EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0043EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0043ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0043ECF3
CountClipboardFormats.USER32 ref: 0043ED14
CloseClipboard.USER32 ref: 0043ED59

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: d9c785969a1dd76ba025378b6c8a8fbfa2d1e6970513d5266a52aacf64193fb6
Instruction ID: 4da0f4cb1b8710c9a7d6842821ec8fdde9f5d3f981d7ce8bb5b759108a0f17c6
Opcode Fuzzy Hash: d9c785969a1dd76ba025378b6c8a8fbfa2d1e6970513d5266a52aacf64193fb6
Instruction Fuzzy Hash: 6F61B034204302AFD301EF21D885F2AB7A4AF88704F14556EF456DB2E2CB35ED06CB6A

Function 0043698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004369BE
FindClose.KERNEL32(00000000), ref: 00436A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00436A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00436A75

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00436AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00436ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00436B6A
%03d, xrefs: 00436DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00436B32
%4d, xrefs: 00436BB1
%02d, xrefs: 00436C00, 00436C0A, 00436C5A, 00436CAA, 00436CFA, 00436D4A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 98dce908a0baebc0c0f5b941e310c760ae09c24ba58a75f9eecc795b4c38a5bf
Instruction ID: 64a9461e0bc5067f54bb560504af1ba270e783712bff221afab1890d773f7bde
Opcode Fuzzy Hash: 98dce908a0baebc0c0f5b941e310c760ae09c24ba58a75f9eecc795b4c38a5bf
Instruction Fuzzy Hash: 17D14072508300AFC715EB64C886EABB7ECAF89704F04491EF585DB291EB74DE44CB62

Function 00439642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00439663
GetFileAttributesW.KERNEL32(?), ref: 004396A1
SetFileAttributesW.KERNEL32(?,?), ref: 004396BB
FindNextFileW.KERNEL32(00000000,?), ref: 004396D3
FindClose.KERNEL32(00000000), ref: 004396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0043974A
SetCurrentDirectoryW.KERNEL32(00486B7C), ref: 00439768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00439772
FindClose.KERNEL32(00000000), ref: 0043977F
FindClose.KERNEL32(00000000), ref: 0043978F

Strings

*.*, xrefs: 004396F5

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: a0b0dafe8219634397aee03a14eb618929cdbf35c9f2079b97e6cc4ff5e4fbe6
Instruction ID: 12d60fe4d30d3421b776e1ac90702904a065a52ee938ed7c6940392dbdfabe95
Opcode Fuzzy Hash: a0b0dafe8219634397aee03a14eb618929cdbf35c9f2079b97e6cc4ff5e4fbe6
Instruction Fuzzy Hash: BF31C23254131AAFDB10AFB4DC89ADF77AC9F09321F1045A7F905E21E1DB78DD448A18

Function 0043979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 004397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00439819
FindClose.KERNEL32(00000000), ref: 00439824
FindFirstFileW.KERNEL32(*.*,?), ref: 00439840
SetCurrentDirectoryW.KERNEL32(?), ref: 00439890
SetCurrentDirectoryW.KERNEL32(00486B7C), ref: 004398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004398B8
FindClose.KERNEL32(00000000), ref: 004398C5
FindClose.KERNEL32(00000000), ref: 004398D5

Part of subcall function 0042DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0042DB00

Strings

*.*, xrefs: 0043983B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 924643421243e789a1ea612d33132198ab53b2f0377fa4b0f81ccf47c63aea2d
Instruction ID: c8fea411498e42bbcbae559a1d2ba953aae2a292360f52b7b95f2b1467863da0
Opcode Fuzzy Hash: 924643421243e789a1ea612d33132198ab53b2f0377fa4b0f81ccf47c63aea2d
Instruction Fuzzy Hash: 8E31D23250031A6EDB14BFA4EC88ADF77AC9F4A325F144567E810A21E1DBB8DD44CB28

Function 00438195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00438257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00438267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00438273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00438310
SetCurrentDirectoryW.KERNEL32(?), ref: 00438324
SetCurrentDirectoryW.KERNEL32(?), ref: 00438356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0043838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00438395

Strings

*.*, xrefs: 0043839B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: c2c160e70a193061d2ecab3186ccfc1ca8c5797e20b53e145c73b72e0883c1a6
Instruction ID: d31b1dda136bd4f368902757534352b9a970af330792a728139126da4ce3ed5b
Opcode Fuzzy Hash: c2c160e70a193061d2ecab3186ccfc1ca8c5797e20b53e145c73b72e0883c1a6
Instruction Fuzzy Hash: 496146725043459FCB10EF60C881AAFB3E8BF89314F04896EF999C7251DB39E945CB96

Function 0042D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003C3A97,?,?,003C2E7F,?,?,?,00000000), ref: 003C3AC2

Part of subcall function 0042E199: GetFileAttributesW.KERNEL32(?,0042CF95), ref: 0042E19A

FindFirstFileW.KERNEL32(?,?), ref: 0042D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0042D1DD
MoveFileW.KERNEL32(?,?), ref: 0042D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0042D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0042D237

Part of subcall function 0042D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0042D21C,?,?), ref: 0042D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0042D253
FindClose.KERNEL32(00000000), ref: 0042D264

Strings

\*.*, xrefs: 0042D0CD, 0042D0D6, 0042D0EB

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: c8dbfe87f572d0cb67f19a59f9e595e5af5b215f6b7331ff2750bab755ae2a2c
Instruction ID: 16c10b00f7ba39f18538fd47ed2568e78f085e43afa320c1e26a4f1f297a6f5d
Opcode Fuzzy Hash: c8dbfe87f572d0cb67f19a59f9e595e5af5b215f6b7331ff2750bab755ae2a2c
Instruction Fuzzy Hash: DB615131D0125D9ECF06EBE0E992EEDB775AF15304F6041AAE401B7192EB349F09CB65

Function 0043ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0043ED91
EmptyClipboard.USER32 ref: 0043ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0043EDAC
CloseClipboard.USER32 ref: 0043EEA3

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: bf17f381d97f6bc4e096bc90a25835c6b8ef390be28ad5fd812e03c680a8a383
Instruction ID: e9a6296618ad37d0dd320037a25ece83ecbb1f2bb34809f502ac8a364bef660e
Opcode Fuzzy Hash: bf17f381d97f6bc4e096bc90a25835c6b8ef390be28ad5fd812e03c680a8a383
Instruction Fuzzy Hash: C341AF31605211AFD310CF16D489F1ABBA1EF48329F1490AAE4158B7A2C735ED42CB94

Function 0042E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0042170D
Part of subcall function 004216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0042173A
Part of subcall function 004216C3: GetLastError.KERNEL32 ref: 0042174A

ExitWindowsEx.USER32(?,00000000), ref: 0042E932

Strings

@, xrefs: 0042E925
, xrefs: 0042E95C
SeShutdownPrivilege, xrefs: 0042E902
, xrefs: 0042E920

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: f0ba739e60c1cdbe28535c8ff351413ce4f0c58f85b810014f17947a7a045908
Instruction ID: 6f8baac175cba3ea6360c694fa7317f069e874c7a0d0f711d64a41763e1e9bfc
Opcode Fuzzy Hash: f0ba739e60c1cdbe28535c8ff351413ce4f0c58f85b810014f17947a7a045908
Instruction Fuzzy Hash: C901D6B2710331AFEB5426B6BC8AFBF725C9B14755F550827F802E21E2D5A89C84829C

Function 00441204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00441276
WSAGetLastError.WSOCK32 ref: 00441283
bind.WSOCK32(00000000,?,00000010), ref: 004412BA
WSAGetLastError.WSOCK32 ref: 004412C5
closesocket.WSOCK32(00000000), ref: 004412F4
listen.WSOCK32(00000000,00000005), ref: 00441303
WSAGetLastError.WSOCK32 ref: 0044130D
closesocket.WSOCK32(00000000), ref: 0044133C

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 59ec34b204722db40d0d604857a433c0cef8f088880b06e28888b93827e3ede5
Instruction ID: 02746f55b4cc692756b465fbb4bc0abe11452e0a0b47fb60ecaf39f5b480b5ae
Opcode Fuzzy Hash: 59ec34b204722db40d0d604857a433c0cef8f088880b06e28888b93827e3ede5
Instruction Fuzzy Hash: 614150316002009FE710EF64C485B2ABBE5BF46319F188199D8569F3A7C775ED82CBA5

Function 003FB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003FB9D4
_free.LIBCMT ref: 003FB9F8
_free.LIBCMT ref: 003FBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00463700), ref: 003FBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0049121C,000000FF,00000000,0000003F,00000000,?,?), ref: 003FBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00491270,000000FF,?,0000003F,00000000,?), ref: 003FBC36
_free.LIBCMT ref: 003FBD4B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: f5101efd814d991476c9544cfa2a7e36d2f1cdeb4bb3f40de6fdd0541c0305e8
Instruction ID: cfed4917e1aac9fa2b3f5f2320ab0bf133df6b01f6d88eb852c11cefb8d8d142
Opcode Fuzzy Hash: f5101efd814d991476c9544cfa2a7e36d2f1cdeb4bb3f40de6fdd0541c0305e8
Instruction Fuzzy Hash: 05C126F590420DAFCB22AF69DC41BBAFBB8EF41350F1541AAE691DB291E7308E41C750

Function 0042D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003C3A97,?,?,003C2E7F,?,?,?,00000000), ref: 003C3AC2

Part of subcall function 0042E199: GetFileAttributesW.KERNEL32(?,0042CF95), ref: 0042E19A

FindFirstFileW.KERNEL32(?,?), ref: 0042D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0042D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0042D481
FindClose.KERNEL32(00000000), ref: 0042D498
FindClose.KERNEL32(00000000), ref: 0042D4A1

Strings

\*.*, xrefs: 0042D3F2

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 8ac71b272405dde0de249af88e2af9820ed0a332001bd40ba99e277a943feb58
Instruction ID: 1e3526999f5f58eb04c4502cd39ad38c58ff86e3f179c3e3cdea34c797139ce2
Opcode Fuzzy Hash: 8ac71b272405dde0de249af88e2af9820ed0a332001bd40ba99e277a943feb58
Instruction Fuzzy Hash: 5C318F315083559FC301FF60D892DAFB7A8AE91304F804A6EF4D197191EB34EE09876B

Function 003FE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 003FE645

Strings

1#INF, xrefs: 003FF852
1#SNAN, xrefs: 003FF844
1#IND, xrefs: 003FF83D
1#QNAN, xrefs: 003FF84B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 38331eefa562d3054fa885ee4e72859025e10c24ea5c73ed1f784038b89a4b27
Instruction ID: 2631789e89027257b5e01f0b525984f9812d2c2aa389b700f68db3ebe9b948f5
Opcode Fuzzy Hash: 38331eefa562d3054fa885ee4e72859025e10c24ea5c73ed1f784038b89a4b27
Instruction Fuzzy Hash: 17C23971E0862D8FDB26CE289D407EAB7B9EF44305F1541EAD90DE7250E778AE818F40

Function 0043648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004364DC
CoInitialize.OLE32(00000000), ref: 00436639
CoCreateInstance.OLE32(0045FCF8,00000000,00000001,0045FB68,?), ref: 00436650
CoUninitialize.OLE32 ref: 004368D4

Strings

.lnk, xrefs: 004364BA, 00436524, 004365E0

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: df20938b1358e2d9db68c9ed52c0791d29e73f10529dba976e7f912e15fd8231
Instruction ID: 54a4827f72e37ee3fe4607f24d0a9d01a40fd31b3f57878ee53418ee2ffed089
Opcode Fuzzy Hash: df20938b1358e2d9db68c9ed52c0791d29e73f10529dba976e7f912e15fd8231
Instruction Fuzzy Hash: 9DD12771508301AFC315EF24C881E6BB7E8AF98704F11896EF595CB291EB71ED09CB96

Function 004422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004422E8

Part of subcall function 0043E4EC: GetWindowRect.USER32(?,?), ref: 0043E504

GetDesktopWindow.USER32 ref: 00442312
GetWindowRect.USER32(00000000), ref: 00442319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00442355
GetCursorPos.USER32(?), ref: 00442381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004423DF

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: d99a631b18b8be11389bf0366acbab05f7fd30b91c1ca019becdbdb40a4cc292
Instruction ID: 7441bd9ebee1d990f73f35b43f84ce10bbc5efdbfaf5c3ca7b8f51f132d000ff
Opcode Fuzzy Hash: d99a631b18b8be11389bf0366acbab05f7fd30b91c1ca019becdbdb40a4cc292
Instruction Fuzzy Hash: F8310272105315AFD720DF65DC44B5BBBA9FF88314F40091EF88497281DB78EA08CB9A

Function 00439B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00439B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00439C8B

Part of subcall function 00433874: GetInputState.USER32 ref: 004338CB
Part of subcall function 00433874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00433966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00439BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00439C75

Strings

*.*, xrefs: 00439B5D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: fd80ab80f9269ebb908871dbc81238c5bd9407c960ec6c22d70bac8be4720e85
Instruction ID: 25cdaf62df7b056511e1a9eedd9a04d1ea9985ee3afb70ce3995fec79c489d01
Opcode Fuzzy Hash: fd80ab80f9269ebb908871dbc81238c5bd9407c960ec6c22d70bac8be4720e85
Instruction Fuzzy Hash: 1041A27190420A9FDF15DF64C889BEEBBB4FF09301F24515AE805A7291DB74AE44CF68

Function 003D997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 003D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003D9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 003D9A4E
GetSysColor.USER32(0000000F), ref: 003D9B23
SetBkColor.GDI32(?,00000000), ref: 003D9B36

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 7f839e5d2c243d2e782e0b93b4fd6cbc00a23f273b74ffcdd70f8627976cb2f2
Instruction ID: 3ccfe2569ec6152f41e120096c9f764baf005c3b70c2c72ecea3b7867cc41c39
Opcode Fuzzy Hash: 7f839e5d2c243d2e782e0b93b4fd6cbc00a23f273b74ffcdd70f8627976cb2f2
Instruction Fuzzy Hash: EDA14E73108504FEE726AA3DAC88FBB366DDB42354F15021BF412C6BD2DA299D41C27D

Function 00441806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0044304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0044307A
Part of subcall function 0044304E: _wcslen.LIBCMT ref: 0044309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0044185D
WSAGetLastError.WSOCK32 ref: 00441884
bind.WSOCK32(00000000,?,00000010), ref: 004418DB
WSAGetLastError.WSOCK32 ref: 004418E6
closesocket.WSOCK32(00000000), ref: 00441915

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 2be9f2a6543d70218b26c1e39c85045e375561ff97728499ce5d7aa42b3c70f8
Instruction ID: 8bad2455e314e3477a322290b759f70df8025fb4f8aefb285d5fc16b55f65e4e
Opcode Fuzzy Hash: 2be9f2a6543d70218b26c1e39c85045e375561ff97728499ce5d7aa42b3c70f8
Instruction Fuzzy Hash: 1951B375A00210AFEB11AF24C886F2A77E5AB45718F08845DF9069F3D3C775ED42CBA1

Function 00451C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00451CC0
IsWindowEnabled.USER32 ref: 00451CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00451CDB
IsIconic.USER32 ref: 00451CE9
IsZoomed.USER32 ref: 00451CF7

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 75e67c8fcc044aca3380a4e6cf4bf4493ed9267454df66435d490327c206a2b8
Instruction ID: 298227a588779aad7b3b9d92af30acb4a57ed90f424e18c9fdaa6193b83dd5f9
Opcode Fuzzy Hash: 75e67c8fcc044aca3380a4e6cf4bf4493ed9267454df66435d490327c206a2b8
Instruction Fuzzy Hash: E921A2317402105FD7218F1AC884F277BA5AF95316B18806EEC468B363C776EC46CB98

Function 003C8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 003C813C
VUUU, xrefs: 003C83FA
VUUU, xrefs: 003C843C
VUUU, xrefs: 00405DF0
VUUU, xrefs: 003C83E8

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: fc84722fbbcbacdd257afa06dc61f85454fdbd3c35cf0a0ef0e5d131d18512e0
Instruction ID: 868ddd1407594d041786d435d072b6c48d416acfa3d9c73019d3bc131d6283f4
Opcode Fuzzy Hash: fc84722fbbcbacdd257afa06dc61f85454fdbd3c35cf0a0ef0e5d131d18512e0
Instruction Fuzzy Hash: A3A26D70A0021ACBDF25CF58C940BAEB7B1BF44314F2585AAD816E7385DB789E91CF94

Function 00428298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004282AA

Strings

tbH, xrefs: 004284F4
|, xrefs: 004282DA
(, xrefs: 004282F0

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: lstrlen
String ID: ($tbH$|
API String ID: 1659193697-3064764139
Opcode ID: f3a72e069523ff347f2a4bf1a12f053be3c628ad80451aac9c70fcdd1594808d
Instruction ID: e5bf511cf6576e7e1d529cc862cf809c0aad0d324a50d94bcea31da8d5956ace
Opcode Fuzzy Hash: f3a72e069523ff347f2a4bf1a12f053be3c628ad80451aac9c70fcdd1594808d
Instruction Fuzzy Hash: 2F324475A00615DFCB28CF19D480A6AB7F0FF48710B55C46EE89ADB3A1EB74E981CB44

Function 0044A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0044A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0044A6BA

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0044A79C
CloseHandle.KERNEL32(00000000), ref: 0044A7AB

Part of subcall function 003DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00403303,?), ref: 003DCE8A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 85e844607285642ce0f87e5535e3dd3da92f7c4bf66651a45d954114bbea24af
Instruction ID: 83e8e81ee010049823c55cda160e106ec2216212cbe6ed590d74ae50603c95ec
Opcode Fuzzy Hash: 85e844607285642ce0f87e5535e3dd3da92f7c4bf66651a45d954114bbea24af
Instruction Fuzzy Hash: 66512771508300AFD311EF24D886E6BBBE8EF89754F00892EF585DB252EB30D904CB96

Function 0042AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0042AAAC
SetKeyboardState.USER32(00000080), ref: 0042AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0042AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0042AB88

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d9390e5254e2c6b47d9b99909246458bdd18abba9207378520e9e851f0fa8e7b
Instruction ID: d2e06030d74f3959e620f0336aef4e95954853ef740db7f45c12b5a21e5b200f
Opcode Fuzzy Hash: d9390e5254e2c6b47d9b99909246458bdd18abba9207378520e9e851f0fa8e7b
Instruction Fuzzy Hash: F5312E30B40324AFEB30CA65AC057FB7FA6AF44310F84421BEA81522D1D37C9951C75B

Function 0043CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0043CE89
GetLastError.KERNEL32(?,00000000), ref: 0043CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0043CEFE

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: a0f6b1f6ddab8559d963a1cfdf5141a8c5f3062118d75e3783de1c3d6adcc838
Instruction ID: 927889b13fa91d800e0da09fc434725fb9f464abeafe47653a8638e610e60cf3
Opcode Fuzzy Hash: a0f6b1f6ddab8559d963a1cfdf5141a8c5f3062118d75e3783de1c3d6adcc838
Instruction Fuzzy Hash: CA21BD71500305AFD720DFA5C989BAB77F8EB14315F10442FE646A2291E778EE058B58

Function 003F2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 003F271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003F2724
UnhandledExceptionFilter.KERNEL32(?), ref: 003F2731

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2d6a70e776a25ac7b28e41ae759397273d5f9fe5c240a64bdc43a6853e32ef71
Instruction ID: a878c6867c8cdcefe582eb26ffdac3a67809212ca9ba3a28f2c8e0963e18fcbe
Opcode Fuzzy Hash: 2d6a70e776a25ac7b28e41ae759397273d5f9fe5c240a64bdc43a6853e32ef71
Instruction Fuzzy Hash: 6631B67491132CDBCB21DF65DC89B9DB7B8AF08310F5042EAE81CA6261E7709F858F45

Function 004351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00435238
SetErrorMode.KERNEL32(00000000), ref: 004352A1

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: ee85b02051922d44da97f9af09db7d811c24b9a01e9078e0419eb4a21ea78703
Instruction ID: 56d7cbfcf941cb463ba96c973e8c20da333b24f84c80ea42ad3d73a68fbe0546
Opcode Fuzzy Hash: ee85b02051922d44da97f9af09db7d811c24b9a01e9078e0419eb4a21ea78703
Instruction Fuzzy Hash: D5314B75A006189FDB00DF54D884FAEBBB4FF49318F048099E805AB362DB35EC56CB94

Function 004216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 003DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 003E0668
Part of subcall function 003DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 003E0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0042170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0042173A
GetLastError.KERNEL32 ref: 0042174A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f8ddae353bc5b6683c60563d5898194b96c97d54d0152ac71a997cc0439008dd
Instruction ID: 9794f662ba247642b17dd7f7ae2a060ded910b483179bdcf47f03096ebe97038
Opcode Fuzzy Hash: f8ddae353bc5b6683c60563d5898194b96c97d54d0152ac71a997cc0439008dd
Instruction Fuzzy Hash: 8911CEB2500308AFD718AF54ECC6D6BB7B9EF84B24B20852EF05657291EB70FC418A64

Function 0042D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0042D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0042D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0042D650

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 0c06000c6ad99aae5991e0f36f7c8c2b9fb07f01c390582b53a647dc486673a7
Instruction ID: b3e5ce0a5c48f3e11096bb51e44a10f3aa899dcb2d5d136013958d4a502fb1b1
Opcode Fuzzy Hash: 0c06000c6ad99aae5991e0f36f7c8c2b9fb07f01c390582b53a647dc486673a7
Instruction Fuzzy Hash: B8117C71E01328BFDB108F94AC84FAFBBBCEB45B50F108122F914E7290C2744A018BA5

Function 00421663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0042168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004216A1
FreeSid.ADVAPI32(?), ref: 004216B1

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 21bc67845a5b7fa75e13527c0a7de6718054d31e690c32560946dec8ed99e5d5
Instruction ID: bbab1d4d2dfea7e88d815e96784e836e21ef109487f2838354503f0da8889622
Opcode Fuzzy Hash: 21bc67845a5b7fa75e13527c0a7de6718054d31e690c32560946dec8ed99e5d5
Instruction Fuzzy Hash: FDF0F471950309FFDB00DFE49C89EAEBBBCEB08605F504565E501E2191E774EA448A54

Function 003E4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(003F28E9,?,003E4CBE,003F28E9,004888B8,0000000C,003E4E15,003F28E9,00000002,00000000,?,003F28E9), ref: 003E4D09
TerminateProcess.KERNEL32(00000000,?,003E4CBE,003F28E9,004888B8,0000000C,003E4E15,003F28E9,00000002,00000000,?,003F28E9), ref: 003E4D10
ExitProcess.KERNEL32 ref: 003E4D22

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bcb8a115da4945ecf858f8ff032138e4b8e6d56c594feeb6cfcf727155887fc9
Instruction ID: 0bb48f1eb1434e66616bf2feab588755a50ee3783ae3c8706eb0af80034255eb
Opcode Fuzzy Hash: bcb8a115da4945ecf858f8ff032138e4b8e6d56c594feeb6cfcf727155887fc9
Instruction Fuzzy Hash: D1E0B63100079CAFCF12AF55DD49A593F69EF85782B114164FD05CA273CB35DD42CA84

Function 003FC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 003FC36C

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 5643ce8bd3e0dbe4cca83dad2e59396e14e5aaff2cfc24d2e762327ec819bdc2
Instruction ID: 58ea08ea9d8cf6bb7acaf8fe51c267242f77374f2b63db11c01672e1e48f9dd1
Opcode Fuzzy Hash: 5643ce8bd3e0dbe4cca83dad2e59396e14e5aaff2cfc24d2e762327ec819bdc2
Instruction Fuzzy Hash: F641477694021DBFCB219FB9CD88EBB77B8EB84354F104669FA05CB280E6709D80CB50

Function 0041D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0041D28C

Strings

X64, xrefs: 0041D2A8

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: bbc0c98a02625d68d3eff0c78c78bc6e4c4efad8dedf0875eff7643b9b38cbb7
Instruction ID: c310828df3e6ec0dc466e93ad7686e703c327044aaee2c977f691a5eff7c6aca
Opcode Fuzzy Hash: bbc0c98a02625d68d3eff0c78c78bc6e4c4efad8dedf0875eff7643b9b38cbb7
Instruction Fuzzy Hash: D7D0C9B580121DEECF90CB90ECC8DD9B3BCBB04305F100192F106A2540D77495498F10

Function 003ECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 32f827ed850a983be417a057c705bcb5802622acad401da8c25cabc1f60454d8
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: EB022E71E102699BDF15CFA9C8806AEFBF1EF88314F254269D919E7384D731AD428B84

Function 003CCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

b, xrefs: 003CCF7F
Variable is not of type 'Object'., xrefs: 00410C40

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$b
API String ID: 0-2065399503
Opcode ID: 9edd24a3b8c5bd01efdb8b5689adbb5f16efd7ee23b7ba72928aef614327d7ad
Instruction ID: a6bfd514595467397a39328640ce07f5b64a501632758f5f6acab19c25264f3f
Opcode Fuzzy Hash: 9edd24a3b8c5bd01efdb8b5689adbb5f16efd7ee23b7ba72928aef614327d7ad
Instruction Fuzzy Hash: 10329C70910218DBCF15DF90D885FEEB7B9BF05304F14906EE80AAB282D775AD86CB64

Function 004368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00436918
FindClose.KERNEL32(00000000), ref: 00436961

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9beec69583d54a5748335225b56168d59a769307784c80aefa98fa94b48ad2a3
Instruction ID: abc6d2e7d442a3886784710741df2b078dd9c040f471ed8cc995a3e74b83eca7
Opcode Fuzzy Hash: 9beec69583d54a5748335225b56168d59a769307784c80aefa98fa94b48ad2a3
Instruction Fuzzy Hash: 6D11AC71604201AFC710CF29C484B16BBE5EF89328F15C6AEE8698F3A2C734EC05CB91

Function 004337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00444891,?,?,00000035,?), ref: 004337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00444891,?,?,00000035,?), ref: 004337F4

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 3d4c47f9ed4f2dc867d5737f36b0ceaf8492a99c8d6a761b734132ce206004a2
Instruction ID: 704883442da3a5aa272b7d0998693bf66ff840e4a384389adf706294bcf8faf8
Opcode Fuzzy Hash: 3d4c47f9ed4f2dc867d5737f36b0ceaf8492a99c8d6a761b734132ce206004a2
Instruction Fuzzy Hash: A1F0EC706043192AD71017664C4DFDB765DDFC4762F004176F505D2291DA609D04C7B4

Function 0042B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0042B25D
keybd_event.USER32(?,7707C0D0,?,00000000), ref: 0042B270

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 9b5785b20c1a0833f47be60d439181413814961906eb096207a633aef9b45bbc
Instruction ID: ee51b2e077e2248bfcf7a502765c9e32eb4a36bcd1d1c25ee5b16488250d6e16
Opcode Fuzzy Hash: 9b5785b20c1a0833f47be60d439181413814961906eb096207a633aef9b45bbc
Instruction Fuzzy Hash: E8F01D7190435EAFDB059FA0D805BAE7FB4FF08305F00805AF955A5192D379C611DFA8

Function 004210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004211FC), ref: 004210D4
CloseHandle.KERNEL32(?,?,004211FC), ref: 004210E9

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 0ed649791bca09394b9ce4d4cdafdc18ebbbbe32b19a960f0e1a00e1162b85be
Instruction ID: d07c3493cb04ddf7fc0bd61e930ecc697b3464f3717ef95f8de9a3635483c7a3
Opcode Fuzzy Hash: 0ed649791bca09394b9ce4d4cdafdc18ebbbbe32b19a960f0e1a00e1162b85be
Instruction Fuzzy Hash: 79E04F32004710AEE7262B51FC45E7377A9EB04711B10882EF4A6845B6DB62AC90DB54

Function 003F676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,003F6766,?,?,00000008,?,?,003FFEFE,00000000), ref: 003F6998

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5d6b44a1d17340cf1e55beed76c4a0e425708d917d06fa9b2e5f3ada6acd3f72
Instruction ID: 324595343fb8a6e57056228c8e1faf8c1f9b79b06e5ebc898e04ae912d044fc9
Opcode Fuzzy Hash: 5d6b44a1d17340cf1e55beed76c4a0e425708d917d06fa9b2e5f3ada6acd3f72
Instruction Fuzzy Hash: D7B15D71610608DFDB16CF28C48AB657BE0FF45364F26865CE99ACF2A2C335E991CB40

Function 003DB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0041851F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 81c3c3d53829683323026ddca4a8d7e5d81ab0208c571c88d0353127c513e6a9
Instruction ID: 8c0b946a00894fa37f06e99dc3d627daa633fa4a4d89855a9f201546bc5844eb
Opcode Fuzzy Hash: 81c3c3d53829683323026ddca4a8d7e5d81ab0208c571c88d0353127c513e6a9
Instruction Fuzzy Hash: A3126D75900229DBCB15CF59D880AEEB7B5FF48310F1581ABE849EB351EB349E81CB94

Function 0043EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0043EABD

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d1e5a6124769b91c64c11bf8e1a705d012df465dc541307a1b56d98883c9ac4b
Instruction ID: c2696737ebdb079c8447c8026a2dc43d26eb9e39103b15bbd5234b3eac1b226c
Opcode Fuzzy Hash: d1e5a6124769b91c64c11bf8e1a705d012df465dc541307a1b56d98883c9ac4b
Instruction Fuzzy Hash: 4AE04F312102059FC710EF5AD845E9BF7E9AF98760F00842AFC49CB391DB74EC418B95

Function 003E09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003E03EE), ref: 003E09DA

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 00a8b63d43bfd59879df7f251f0779a765a69e9cb852155b7c86c3e03e485e5f
Instruction ID: 728d41821a3b32fcaf95fb693c1f44e029a2c3d63e6c5de3d67f846869384854
Opcode Fuzzy Hash: 00a8b63d43bfd59879df7f251f0779a765a69e9cb852155b7c86c3e03e485e5f
Instruction Fuzzy Hash:

Function 003E781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 003E798B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 53182aaa051d0210840d9be250ed7f18e42ea0e97bd2f1e62ce1006e58f17fd0
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2B516671A0C6F95ADB3B866B885B7FE23899F22340F190719E886DB6C3C715DE01D352

Function 00432046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&I, xrefs: 00432053

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID: 0&I
API String ID: 0-401884818
Opcode ID: 72193c020c8836c4f632fb5f076092fc624f22b27caece6ca139735196905d75
Instruction ID: 6fc548076cc0d6d84e12ec94488fd84dfe5f2c913b00ca1992e9a223f752a65b
Opcode Fuzzy Hash: 72193c020c8836c4f632fb5f076092fc624f22b27caece6ca139735196905d75
Instruction Fuzzy Hash: 6921D5322216118BDB2CCE79C92267E73E5A764310F14863FE4A7C77D0DE79A904CB84

Function 003F6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe03346a9c82202a6e87ff114b9240b37da6eb9e92c775633adb1abbd88408e
Instruction ID: 0c49824d530386280ee4fcad859405afe91d37faf80edc591b6181bd135a944e
Opcode Fuzzy Hash: 9fe03346a9c82202a6e87ff114b9240b37da6eb9e92c775633adb1abbd88408e
Instruction Fuzzy Hash: C0323422D29F054DD7239634CD22336A289AFB73C5F15D737F81AB5EA9EBA9C4834101

Function 003DCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8cca2bb80b62dd82eaac08bd81d0af5b18c5dcc75ef5197ca5fb25e3f0d1f5
Instruction ID: 7043176c0e7bdfed483a404473c06a68eddda0f7791436f486c24c5140f3f69f
Opcode Fuzzy Hash: 4f8cca2bb80b62dd82eaac08bd81d0af5b18c5dcc75ef5197ca5fb25e3f0d1f5
Instruction Fuzzy Hash: 4C322632AA41068BDF25CE28D9D06FE77A1EF45300F29856BE549CB391D238DDC2DB49

Function 003C7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91aa5fe9d4d2806c664417df25a22f5d10f290da575c32814d4709268c2455d5
Instruction ID: c3c4bcec88588a414c2df4983567742deeffe92d31e37f477d119fe0cfd45d9d
Opcode Fuzzy Hash: 91aa5fe9d4d2806c664417df25a22f5d10f290da575c32814d4709268c2455d5
Instruction Fuzzy Hash: 92229D70A006099FDF15CFA4D881BAEB7B5FF44300F14462AE816EB291EB3AAD51CF54

Function 003C91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2c90803f69addceef0d1d802302ab24d539bcbbe1635b71d31ccb489f4f401
Instruction ID: ba96e272dcdd81e6e1cd97a000a81074203e5518928b177ba0df3d597e3a7f9f
Opcode Fuzzy Hash: dd2c90803f69addceef0d1d802302ab24d539bcbbe1635b71d31ccb489f4f401
Instruction Fuzzy Hash: 1E02B6B1A00209EFDB05DF55D881BAEB7B5FF44300F11856AE806EB391E735AE21CB95

Function 003E1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: cb17f6e4fd2ba10dc7b493f40606e812504d60ee938cddd78ab558f0d7d3642a
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: EB9184726080F34ADB2B463B853407EFFE15A923A131B079EE4F2CA1C5EE349954D620

Function 003E19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: e0dbaf40e8890a701ce1002ac5e3d096fbc1b0d980b781ade98fa21e89bb19bb
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: F2913F722090F34ADB6B467B857403EFEE55A923A231A07AEE4F2CA5C1FE348554D620

Function 003E7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c33267f4eb8832cb12065a043c2c32646be7ae7ccf5fcedd33f9e378454c2d
Instruction ID: 35a7c8d012d2af343148c10d6cc8fe7dae973e3967410940ba37bd8e8e02605c
Opcode Fuzzy Hash: 63c33267f4eb8832cb12065a043c2c32646be7ae7ccf5fcedd33f9e378454c2d
Instruction Fuzzy Hash: 476159716087FA96DA3B9A2B8895BBE3398DF41700F210B2DE943DF7C1D6119E428355

Function 003E1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 40544a869455c8a5471b7c550d86930715e85681a3d527d486fbdaa81c293b92
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 558182726080F30ADB6F423B857447EFFE15A923A131B079EE4F2CA1C2EE348554E660

Function 004570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0045712F
GetSysColorBrush.USER32(0000000F), ref: 00457160
GetSysColor.USER32(0000000F), ref: 0045716C
SetBkColor.GDI32(?,000000FF), ref: 00457186
SelectObject.GDI32(?,?), ref: 00457195
InflateRect.USER32(?,000000FF,000000FF), ref: 004571C0
GetSysColor.USER32(00000010), ref: 004571C8
CreateSolidBrush.GDI32(00000000), ref: 004571CF
FrameRect.USER32(?,?,00000000), ref: 004571DE
DeleteObject.GDI32(00000000), ref: 004571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00457230
FillRect.USER32(?,?,?), ref: 00457262
GetWindowLongW.USER32(?,000000F0), ref: 00457284

Part of subcall function 004573E8: GetSysColor.USER32(00000012), ref: 00457421
Part of subcall function 004573E8: SetTextColor.GDI32(?,?), ref: 00457425
Part of subcall function 004573E8: GetSysColorBrush.USER32(0000000F), ref: 0045743B
Part of subcall function 004573E8: GetSysColor.USER32(0000000F), ref: 00457446
Part of subcall function 004573E8: GetSysColor.USER32(00000011), ref: 00457463
Part of subcall function 004573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00457471
Part of subcall function 004573E8: SelectObject.GDI32(?,00000000), ref: 00457482
Part of subcall function 004573E8: SetBkColor.GDI32(?,00000000), ref: 0045748B
Part of subcall function 004573E8: SelectObject.GDI32(?,?), ref: 00457498
Part of subcall function 004573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004574B7
Part of subcall function 004573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004574CE
Part of subcall function 004573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004574DB

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: b92f6ca6a22490bd847143d9702d4ad6d11299660a92450f97b49373a46051b5
Instruction ID: 43b47807420180a44fc63980e789b9a12b864339d2b5ee7daf379b4a4fb5e1d8
Opcode Fuzzy Hash: b92f6ca6a22490bd847143d9702d4ad6d11299660a92450f97b49373a46051b5
Instruction Fuzzy Hash: 90A1A172008715BFD7019F60DC88A5F7BA9FB49322F100A29F962961E2D774E944CF56

Function 003D8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 003D8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00416AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00416AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00416F43

Part of subcall function 003D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003D8BE8,?,00000000,?,?,?,?,003D8BBA,00000000,?), ref: 003D8FC5

SendMessageW.USER32(?,00001053), ref: 00416F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00416F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00416FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00416FB7

Strings

0, xrefs: 00416DCF

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 90c5b12a1325f083ec4c9e74faee7d41a736080164b9f4d2efd2cd7accbc617c
Instruction ID: a7fa859c3599d4cc6db8b7f565bce3df3bb0da050935c903da209c25ebc3f776
Opcode Fuzzy Hash: 90c5b12a1325f083ec4c9e74faee7d41a736080164b9f4d2efd2cd7accbc617c
Instruction Fuzzy Hash: F1129B31204211EFDB26CF24D884BAABBE5FB44301F15456AE485CB762CB35EC92DF99

Function 00442711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0044273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0044286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00442900
GetClientRect.USER32(00000000,?), ref: 0044290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00442955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00442964
GetStockObject.GDI32(00000011), ref: 00442974
SelectObject.GDI32(00000000,00000000), ref: 00442978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00442988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00442991
DeleteDC.GDI32(00000000), ref: 0044299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00442A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00442A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00442A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00442A77
GetStockObject.GDI32(00000011), ref: 00442A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00442A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00442A97

Strings

AutoIt v3, xrefs: 004428F8
msctls_progress32, xrefs: 00442A13
static, xrefs: 0044294F, 00442A71
DISPLAY, xrefs: 0044295A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: eb9da8ee26767692e28d8fa25ff6b601a1a57b8e6c51b031ae4d1302f6fa7c9f
Instruction ID: 026f3b2d96a986c4dd135e9c6d280e5d60b42d281e0ae6fda7fa1c30479ddd6d
Opcode Fuzzy Hash: eb9da8ee26767692e28d8fa25ff6b601a1a57b8e6c51b031ae4d1302f6fa7c9f
Instruction Fuzzy Hash: E2B15C71A00215AFEB14DF68CD86FAE7BB9EB48711F004129F914EB2A1D774ED40CB98

Function 00434ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00434AED
GetDriveTypeW.KERNEL32(?,0045CB68,?,\\.\,0045CC08), ref: 00434BCA
SetErrorMode.KERNEL32(00000000,0045CB68,?,\\.\,0045CC08), ref: 00434D36

Strings

Removable, xrefs: 00434C10, 00434C15
SATA, xrefs: 00434CD0
RAMDisk, xrefs: 00434BF4
Unknown, xrefs: 00434BED, 00434C83
Network, xrefs: 00434C02
SSA, xrefs: 00434CA6
USB, xrefs: 00434CB4
1394, xrefs: 00434C9F
ATA, xrefs: 00434C98
Fixed, xrefs: 00434C09
CDROM, xrefs: 00434BFB
PhysicalDrive, xrefs: 00434B76
SCSI, xrefs: 00434C8A
RAID, xrefs: 00434CBB
Virtual, xrefs: 00434CE5
\\.\, xrefs: 00434B3F
Fibre, xrefs: 00434CAD
iSCSI, xrefs: 00434CC2
SAS, xrefs: 00434CC9
ATAPI, xrefs: 00434C91
FileBackedVirtual, xrefs: 00434CEC
MMC, xrefs: 00434CDE
SSD, xrefs: 00434C4A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e53bb386a6552965e2270a35808daa46cd88d52b419b0372afc071e99ebc1f88
Instruction ID: dee62e026f09fd1707c5e79b292c26c3b90bb8d2130b046fb89bc32611c574a9
Opcode Fuzzy Hash: e53bb386a6552965e2270a35808daa46cd88d52b419b0372afc071e99ebc1f88
Instruction Fuzzy Hash: F16197306051059BCB45EF14C981EEDB7A0AB88304F26A41BF806AB752DB3DFD42DB5E

Function 004573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00457421
SetTextColor.GDI32(?,?), ref: 00457425
GetSysColorBrush.USER32(0000000F), ref: 0045743B
GetSysColor.USER32(0000000F), ref: 00457446
CreateSolidBrush.GDI32(?), ref: 0045744B
GetSysColor.USER32(00000011), ref: 00457463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00457471
SelectObject.GDI32(?,00000000), ref: 00457482
SetBkColor.GDI32(?,00000000), ref: 0045748B
SelectObject.GDI32(?,?), ref: 00457498
InflateRect.USER32(?,000000FF,000000FF), ref: 004574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0045752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00457554
InflateRect.USER32(?,000000FD,000000FD), ref: 00457572
DrawFocusRect.USER32(?,?), ref: 0045757D
GetSysColor.USER32(00000011), ref: 0045758E
SetTextColor.GDI32(?,00000000), ref: 00457596
DrawTextW.USER32(?,004570F5,000000FF,?,00000000), ref: 004575A8
SelectObject.GDI32(?,?), ref: 004575BF
DeleteObject.GDI32(?), ref: 004575CA
SelectObject.GDI32(?,?), ref: 004575D0
DeleteObject.GDI32(?), ref: 004575D5
SetTextColor.GDI32(?,?), ref: 004575DB
SetBkColor.GDI32(?,?), ref: 004575E5

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 12b21d65ef49969bbfd9e0ae151337a5ff22b2e9b06ec954414abb5fb051f44f
Instruction ID: 4b0f3abb171edca025f0d838278da3b469f5f2ed1fa4667c68cfec92d9f4db39
Opcode Fuzzy Hash: 12b21d65ef49969bbfd9e0ae151337a5ff22b2e9b06ec954414abb5fb051f44f
Instruction Fuzzy Hash: CB614E72900318BFDB019FA4DC89AAE7FB9EB09321F114125F915AB2A2D7749940CF94

Function 00450FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00451128
GetDesktopWindow.USER32 ref: 0045113D
GetWindowRect.USER32(00000000), ref: 00451144
GetWindowLongW.USER32(?,000000F0), ref: 00451199
DestroyWindow.USER32(?), ref: 004511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0045120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0045121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00451232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00451245
IsWindowVisible.USER32(00000000), ref: 004512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004512D0
GetWindowRect.USER32(00000000,?), ref: 004512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0045130E
GetMonitorInfoW.USER32(00000000,?), ref: 00451328
CopyRect.USER32(?,?), ref: 0045133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004513AA

Strings

0, xrefs: 004510D3
(, xrefs: 0045131B
tooltips_class32, xrefs: 004511E6

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a8fb1fe12432f59a1898ab349325db4b8ed6521c1db18749c59a4e0d7ea141eb
Instruction ID: 737193dfcf3b5f85f06da9c1b6305c75a01b9e1e8c349d52521033e27ef01d52
Opcode Fuzzy Hash: a8fb1fe12432f59a1898ab349325db4b8ed6521c1db18749c59a4e0d7ea141eb
Instruction Fuzzy Hash: 4EB18971604341AFD700DF64C885B6BBBE4EF89741F00891DF9999B2A2C735EC49CB96

Function 00450241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004502E5
_wcslen.LIBCMT ref: 0045031F
_wcslen.LIBCMT ref: 00450389
_wcslen.LIBCMT ref: 004503F1
_wcslen.LIBCMT ref: 00450475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004504C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00450504

Part of subcall function 003DF9F2: _wcslen.LIBCMT ref: 003DF9FD

Part of subcall function 0042223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00422258
Part of subcall function 0042223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0042228A

Strings

GETITEMCOUNT, xrefs: 00450316, 00450337
FINDITEM, xrefs: 00450627
SELECT, xrefs: 00450548
GETSUBITEMCOUNT, xrefs: 00450384, 0045039F
GETTEXT, xrefs: 004503EC, 00450407
VIEWCHANGE, xrefs: 00450675
GETSELECTEDCOUNT, xrefs: 00450470, 0045048B
ISSELECTED, xrefs: 004504DD
GETSELECTED, xrefs: 004505E1
SELECTCLEAR, xrefs: 0045052D
DESELECT, xrefs: 0045059C
SELECTINVERT, xrefs: 0045057E
SELECTALL, xrefs: 00450515

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 055ab6ad6ad271898186b0d5e6c529de2bfeceab5e907cb8f51b4399efb80024
Instruction ID: 22a1f92e375e9cd15e8c6c319f02f61abf6937583aaa50c6ffcaf5076f3f521f
Opcode Fuzzy Hash: 055ab6ad6ad271898186b0d5e6c529de2bfeceab5e907cb8f51b4399efb80024
Instruction Fuzzy Hash: 6DE1AD352082019FC714EF24C59192EB3E1BF98315F14495EFC969B3A2DB38ED4ACB46

Function 003D8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003D8968
GetSystemMetrics.USER32(00000007), ref: 003D8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003D899B
GetSystemMetrics.USER32(00000008), ref: 003D89A3
GetSystemMetrics.USER32(00000004), ref: 003D89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003D89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003D89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 003D8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 003D8A3C
GetClientRect.USER32(00000000,000000FF), ref: 003D8A5A
GetStockObject.GDI32(00000011), ref: 003D8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 003D8A81

Part of subcall function 003D912D: GetCursorPos.USER32(?), ref: 003D9141
Part of subcall function 003D912D: ScreenToClient.USER32(00000000,?), ref: 003D915E
Part of subcall function 003D912D: GetAsyncKeyState.USER32(00000001), ref: 003D9183
Part of subcall function 003D912D: GetAsyncKeyState.USER32(00000002), ref: 003D919D

SetTimer.USER32(00000000,00000000,00000028,003D90FC), ref: 003D8AA8

Strings

AutoIt v3 GUI, xrefs: 003D8A20

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d0bcf02842b496f5b9103d79e9c06a6570eb5ecdd8f6b290655ed82bf5abf828
Instruction ID: 57fadfebd66b2074d356e4d40b94157d115b451e592bdd28974bdbb1965a8f28
Opcode Fuzzy Hash: d0bcf02842b496f5b9103d79e9c06a6570eb5ecdd8f6b290655ed82bf5abf828
Instruction Fuzzy Hash: 41B18E71A0030AAFDB15DFA8DC85BEE3BB5FB48315F11412AFA15A7290DB34E841CB58

Function 00420D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00421114
Part of subcall function 004210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00420B9B,?,?,?), ref: 00421120
Part of subcall function 004210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00420B9B,?,?,?), ref: 0042112F
Part of subcall function 004210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00420B9B,?,?,?), ref: 00421136
Part of subcall function 004210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0042114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00420DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00420E29
GetLengthSid.ADVAPI32(?), ref: 00420E40
GetAce.ADVAPI32(?,00000000,?), ref: 00420E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00420E96
GetLengthSid.ADVAPI32(?), ref: 00420EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00420EB5
HeapAlloc.KERNEL32(00000000), ref: 00420EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00420EDD
CopySid.ADVAPI32(00000000), ref: 00420EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00420F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00420F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00420F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00420F6E
HeapFree.KERNEL32(00000000), ref: 00420F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00420F7E
HeapFree.KERNEL32(00000000), ref: 00420F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00420F8E
HeapFree.KERNEL32(00000000), ref: 00420F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00420FA1
HeapFree.KERNEL32(00000000), ref: 00420FA8

Part of subcall function 00421193: GetProcessHeap.KERNEL32(00000008,00420BB1,?,00000000,?,00420BB1,?), ref: 004211A1
Part of subcall function 00421193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00420BB1,?), ref: 004211A8
Part of subcall function 00421193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00420BB1,?), ref: 004211B7

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: fadadb4097efa30935cd251d3699c3259e1652604d4e32fb60995412f333c4f8
Instruction ID: e1bfef29a66a6f542dc4e02ff27df276a94f689f0b983dc1e0879818cc28a1cb
Opcode Fuzzy Hash: fadadb4097efa30935cd251d3699c3259e1652604d4e32fb60995412f333c4f8
Instruction Fuzzy Hash: A1719F72A0031AAFDF209FA4EC44BAFBBB8FF04741F454126F918A6292D774D905CB64

Function 0044C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0044C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0045CC08,00000000,?,00000000,?,?), ref: 0044C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0044C5A4
_wcslen.LIBCMT ref: 0044C5F4
_wcslen.LIBCMT ref: 0044C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0044C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0044C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0044C84D
RegCloseKey.ADVAPI32(?), ref: 0044C881
RegCloseKey.ADVAPI32(00000000), ref: 0044C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0044C960

Strings

REG_MULTI_SZ, xrefs: 0044C6F5
REG_BINARY, xrefs: 0044C913
REG_DWORD, xrefs: 0044C804
REG_EXPAND_SZ, xrefs: 0044C5CD
REG_SZ, xrefs: 0044C644
REG_QWORD, xrefs: 0044C8C3

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: ef5ce1efa0f7781e5bc59019e1b2bf52b91e39570888952982bcbef904929408
Instruction ID: 179342ed5d189e8c70ba6d7107a822900dbda30d28e731c569ac5d9677661fff
Opcode Fuzzy Hash: ef5ce1efa0f7781e5bc59019e1b2bf52b91e39570888952982bcbef904929408
Instruction Fuzzy Hash: 701268356042019FD715EF14C881F2AB7E5EF89714F18889DF88A9B3A2DB35ED41CB89

Function 0045091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004509C6
_wcslen.LIBCMT ref: 00450A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00450A54
_wcslen.LIBCMT ref: 00450A8A
_wcslen.LIBCMT ref: 00450B06
_wcslen.LIBCMT ref: 00450B81

Part of subcall function 003DF9F2: _wcslen.LIBCMT ref: 003DF9FD

Part of subcall function 00422BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00422BFA

Strings

GETITEMCOUNT, xrefs: 00450C1E
UNCHECK, xrefs: 00450D3E
SELECT, xrefs: 00450D11
GETSELECTED, xrefs: 00450C4E
EXPAND, xrefs: 00450BF8
ISCHECKED, xrefs: 00450CE1
COLLAPSE, xrefs: 00450B01, 00450B1C
GETTEXT, xrefs: 00450C97
CHECK, xrefs: 00450A85, 00450AA0
GETTOTALCOUNT, xrefs: 004509F2, 00450A17
EXISTS, xrefs: 00450B7C, 00450B97

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 9450e8813e0cc5e73f1f555293ce9c5b963f629726d7036a3f640c015877e38e
Instruction ID: 23b19c635f8a5684a4b88aacc3f18262aa25e7859056e64b6f345b921cd65454
Opcode Fuzzy Hash: 9450e8813e0cc5e73f1f555293ce9c5b963f629726d7036a3f640c015877e38e
Instruction Fuzzy Hash: 57E19D392083019FC714EF24C49092AB7E1BF98319F14895EFC969B362D739ED4ACB85

Function 0044C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0044B6AE,?,?), ref: 0044C9B5
_wcslen.LIBCMT ref: 0044C9F1
_wcslen.LIBCMT ref: 0044CA68
_wcslen.LIBCMT ref: 0044CA9E
_wcslen.LIBCMT ref: 0044CAF9
_wcslen.LIBCMT ref: 0044CB2F
_wcslen.LIBCMT ref: 0044CB7F

Strings

HKCC, xrefs: 0044CBAC
HKEY_USERS, xrefs: 0044CBDF
HKEY_LOCAL_MACHINE, xrefs: 0044CA62, 0044CA67
HKLM, xrefs: 0044CA98, 0044CA9D
HKEY_CURRENT_USER, xrefs: 0044CBBD
HKU, xrefs: 0044CBF0
HKEY_CURRENT_CONFIG, xrefs: 0044CB79, 0044CB7E
HKEY_CLASSES_ROOT, xrefs: 0044CAF3, 0044CAF8
HKCU, xrefs: 0044CBCE
HKCR, xrefs: 0044CB29, 0044CB2E

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: c4ab4869a7eb9832fbd28b851bb58ff926dbd89473f7910123376cb89e18938e
Instruction ID: cff05fd0076a8f27fd588de14e42df40dba96753cbbd43fedd873ca854cbadf1
Opcode Fuzzy Hash: c4ab4869a7eb9832fbd28b851bb58ff926dbd89473f7910123376cb89e18938e
Instruction Fuzzy Hash: 1B71283260116A8BEB50DE78D8D16BF3391AF60754B28452BFC56AB384EB39DD41C398

Function 0045833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0045835A
_wcslen.LIBCMT ref: 0045836E
_wcslen.LIBCMT ref: 00458391
_wcslen.LIBCMT ref: 004583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00455BF2), ref: 0045844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00458487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00458501
FreeLibrary.KERNEL32(?), ref: 0045850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0045851D
DestroyIcon.USER32(?,?,?,?,?,00455BF2), ref: 0045852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00458549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00458555

Strings

.icl, xrefs: 00458368
.dll, xrefs: 004583AB
.exe, xrefs: 00458388

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b74829406553da373e42a595add99f0a8badd4208e0ac01cad3f1a118b3531e6
Instruction ID: fc48df1b82255333c7f13ab26a7c368dcc2e6eeb08b901b023e066e8d84816fa
Opcode Fuzzy Hash: b74829406553da373e42a595add99f0a8badd4208e0ac01cad3f1a118b3531e6
Instruction Fuzzy Hash: 6B61B071500319BEEB149F64CC81BBF77A8BB08712F10461AFC15EA1D2EF78A954CBA4

Function 003C7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 003C7873, 003C78C5
#OnAutoItStartRegister, xrefs: 003C7817
#pragma compile, xrefs: 003C77D3
#requireadmin, xrefs: 003C77FF
#notrayicon, xrefs: 003C77E7
#comments-start, xrefs: 003C785F, 003C78B1
Cannot parse #include, xrefs: 00405279
#include-once, xrefs: 003C782F
", xrefs: 00405153
#include, xrefs: 003C7847
Unterminated group of comments, xrefs: 0040528C
', xrefs: 00405169
#ce, xrefs: 003C78ED
Bad directive syntax error, xrefs: 0040519A
#comments-end, xrefs: 003C78D9

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: d680c8a82959e79d5169b8ab21b331f0930d93c67099537a0db9d075a507f5a7
Instruction ID: 6b79acf3366739f863d91a36184caf4328b02d4a61c75827451b75e961274280
Opcode Fuzzy Hash: d680c8a82959e79d5169b8ab21b331f0930d93c67099537a0db9d075a507f5a7
Instruction Fuzzy Hash: 5981E371A00205BBDB22AF60DC42FAF37A8AF55300F14402AFD05EE2D6EB759D15CB95

Function 00425A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00425A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00425A40
SetWindowTextW.USER32(?,?), ref: 00425A57
GetDlgItem.USER32(?,000003EA), ref: 00425A6C
SetWindowTextW.USER32(00000000,?), ref: 00425A72
GetDlgItem.USER32(?,000003E9), ref: 00425A82
SetWindowTextW.USER32(00000000,?), ref: 00425A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00425AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00425AC3
GetWindowRect.USER32(?,?), ref: 00425ACC
_wcslen.LIBCMT ref: 00425B33
SetWindowTextW.USER32(?,?), ref: 00425B6F
GetDesktopWindow.USER32 ref: 00425B75
GetWindowRect.USER32(00000000), ref: 00425B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00425BD3
GetClientRect.USER32(?,?), ref: 00425BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00425C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00425C2F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 41a77062aa0caf5b02fcac8bb9b11806824afed1c55da378d33d051cf7565cb0
Instruction ID: 1ce19d5d35b899115cd1824d226730b782ac2b74c1aae57051fe40bd391de994
Opcode Fuzzy Hash: 41a77062aa0caf5b02fcac8bb9b11806824afed1c55da378d33d051cf7565cb0
Instruction Fuzzy Hash: 75719F31A00B15AFDB20DFA8DE85A6FBBF5FF48705F104529E142A26A0D778F940CB18

Function 004230F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0042318D
_wcslen.LIBCMT ref: 004231F8

Strings

REGEXPCLASS, xrefs: 00423255, 00423266
NAME, xrefs: 00423335, 00423346
[H, xrefs: 0042339A
TEXT, xrefs: 0042347C
CLASSNN, xrefs: 004231F3, 00423204
CLASS, xrefs: 00423188, 004231A5
INSTANCE, xrefs: 00423453

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[H
API String ID: 176396367-2553913052
Opcode ID: 370222310b5d8f4d9f514da3eb7b23702ac84be5ab6e47fa9fefbe9120c8b78d
Instruction ID: 73688e875abbfe0f8deea8df7fa4c2c464d0e79a1b95affd6eea5c43ae9caeab
Opcode Fuzzy Hash: 370222310b5d8f4d9f514da3eb7b23702ac84be5ab6e47fa9fefbe9120c8b78d
Instruction Fuzzy Hash: 5CE10232B00626AACB15EF64D441BEEBBB0BF14711F94815BE856E7240DB3CAE858794

Function 003E00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003E00C6

Part of subcall function 003E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0049070C,00000FA0,D8570929,?,?,?,?,004023B3,000000FF), ref: 003E011C
Part of subcall function 003E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004023B3,000000FF), ref: 003E0127
Part of subcall function 003E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004023B3,000000FF), ref: 003E0138
Part of subcall function 003E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 003E014E
Part of subcall function 003E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 003E015C
Part of subcall function 003E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 003E016A
Part of subcall function 003E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003E0195
Part of subcall function 003E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003E01A0

___scrt_fastfail.LIBCMT ref: 003E00E7

Part of subcall function 003E00A3: __onexit.LIBCMT ref: 003E00A9

Strings

InitializeConditionVariable, xrefs: 003E0148
WakeAllConditionVariable, xrefs: 003E0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 003E0122
SleepConditionVariableCS, xrefs: 003E0154
kernel32.dll, xrefs: 003E0133

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: da36beab8d0ce5e87a8b9c3497978de0501ed25be9a3ae6a964a0242f08c2001
Instruction ID: 58ad30e9e1e2a26af6ea5b36e459b523189cb11b719a69200e457d0c54af85b4
Opcode Fuzzy Hash: da36beab8d0ce5e87a8b9c3497978de0501ed25be9a3ae6a964a0242f08c2001
Instruction Fuzzy Hash: B7213E326447606FD7166BB5AC45B2A33A4DB04B62F110237FC02AB2D2DFF49C448A99

Function 004344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0045CC08), ref: 00434527
_wcslen.LIBCMT ref: 0043453B
_wcslen.LIBCMT ref: 00434599
_wcslen.LIBCMT ref: 004345F4
_wcslen.LIBCMT ref: 0043463F
_wcslen.LIBCMT ref: 004346A7

Part of subcall function 003DF9F2: _wcslen.LIBCMT ref: 003DF9FD

GetDriveTypeW.KERNEL32(?,00486BF0,00000061), ref: 00434743

Strings

unknown, xrefs: 00434708
network, xrefs: 0043469D, 004346A2
all, xrefs: 00434531, 00434536
fixed, xrefs: 00434635, 0043463A
ramdisk, xrefs: 004346F1
cdrom, xrefs: 0043458F, 00434594
removable, xrefs: 004345EA, 004345EF

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: f83ebe384fbbd01e285dafd1880007cfdb763ff1883ce51e183d19bd151d3d66
Instruction ID: 59506529a1fdc20e0ccb2b2b3a1077a646287f4199d1f1fcfb030cdc925eb3e0
Opcode Fuzzy Hash: f83ebe384fbbd01e285dafd1880007cfdb763ff1883ce51e183d19bd151d3d66
Instruction Fuzzy Hash: ADB1EE316083129BC310DF28C891AABB7E4AFE9724F50591EF496C7391D738EC45CB96

Function 0045911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 003D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003D9BB2

DragQueryPoint.SHELL32(?,?), ref: 00459147

Part of subcall function 00457674: ClientToScreen.USER32(?,?), ref: 0045769A
Part of subcall function 00457674: GetWindowRect.USER32(?,?), ref: 00457710
Part of subcall function 00457674: PtInRect.USER32(?,?,00458B89), ref: 00457720

SendMessageW.USER32(?,000000B0,?,?), ref: 004591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00459225
SendMessageW.USER32(?,000000B0,?,?), ref: 0045923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00459255
SendMessageW.USER32(?,000000B1,?,?), ref: 00459277
DragFinish.SHELL32(?), ref: 0045927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00459371

Strings

@GUI_DROPID, xrefs: 0045929E
b, xrefs: 004592BB
@GUI_DRAGID, xrefs: 004592E9
@GUI_DRAGFILE, xrefs: 00459320

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$b
API String ID: 221274066-648412044
Opcode ID: c97fbe22a1a2b5e57ee63e0b192eb8070d179add2d54917646abc807a006a077
Instruction ID: 125b48888fa15e77490c50c7328ba93f10f0a6301aca1cf3a19420b05760ef9c
Opcode Fuzzy Hash: c97fbe22a1a2b5e57ee63e0b192eb8070d179add2d54917646abc807a006a077
Instruction Fuzzy Hash: E2615971108301AFC701EF60DC85EAFBBE8EF89750F10092EF995961A1DB709A49CB56

Function 0044AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0044B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0044B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0044B1D4
_wcslen.LIBCMT ref: 0044B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0044B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0044B236
_wcslen.LIBCMT ref: 0044B332

Part of subcall function 004305A7: GetStdHandle.KERNEL32(000000F6), ref: 004305C6

_wcslen.LIBCMT ref: 0044B34B
_wcslen.LIBCMT ref: 0044B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0044B3B6
GetLastError.KERNEL32(00000000), ref: 0044B407
CloseHandle.KERNEL32(?), ref: 0044B439
CloseHandle.KERNEL32(00000000), ref: 0044B44A
CloseHandle.KERNEL32(00000000), ref: 0044B45C
CloseHandle.KERNEL32(00000000), ref: 0044B46E
CloseHandle.KERNEL32(?), ref: 0044B4E3

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 4cbb25c71bc6330cc094d10b7f9ab1b511e41f7cec6544f182859163867c1fe1
Instruction ID: cfbe1efe625cfc5fd408d0aab69909c3784c9c7e7b2aa2c3dc82fe2038c67f45
Opcode Fuzzy Hash: 4cbb25c71bc6330cc094d10b7f9ab1b511e41f7cec6544f182859163867c1fe1
Instruction Fuzzy Hash: 85F177316083409FD715EF25C891B2BBBE5EF85314F14895EF8899B2A2CB35EC05CB96

Function 003C326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00491990), ref: 00402F8D
GetMenuItemCount.USER32(00491990), ref: 0040303D
GetCursorPos.USER32(?), ref: 00403081
SetForegroundWindow.USER32(00000000), ref: 0040308A
TrackPopupMenuEx.USER32(00491990,00000000,?,00000000,00000000,00000000), ref: 0040309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004030A9

Strings

0, xrefs: 003C327D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: fa577fcc4335ed9a0782887a0b2d3b0e30d36bb5ad909c54ff4c6261c02d01d1
Instruction ID: ceb329fe3a28db0f4090b52d70dda2f8efce409257dead6d03b4056d266c1df8
Opcode Fuzzy Hash: fa577fcc4335ed9a0782887a0b2d3b0e30d36bb5ad909c54ff4c6261c02d01d1
Instruction Fuzzy Hash: A8710770640216BEEB218F65DD89F9ABF68FF00364F20422BF515BA2E1C7B5AD10D794

Function 00456CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00456DEB

Part of subcall function 003C6B57: _wcslen.LIBCMT ref: 003C6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00456E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00456E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00456E94
DestroyWindow.USER32(?), ref: 00456EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,003C0000,00000000), ref: 00456EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00456EFD
GetDesktopWindow.USER32 ref: 00456F16
GetWindowRect.USER32(00000000), ref: 00456F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00456F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00456F4D

Part of subcall function 003D9944: GetWindowLongW.USER32(?,000000EB), ref: 003D9952

Strings

0, xrefs: 00456D98
tooltips_class32, xrefs: 00456E58, 00456EDD

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: d8be46e27e6d888d94c2926c8ad1e048b2e4e6715f34af936234b7e711c20fd7
Instruction ID: f9460bfadb4f94ead0f4e561ca3d4cb8b066215fd68096ce04bc2e30acacb658
Opcode Fuzzy Hash: d8be46e27e6d888d94c2926c8ad1e048b2e4e6715f34af936234b7e711c20fd7
Instruction Fuzzy Hash: FE716971504341AFDB21CF18D884F6BBBE9EB99305F54092EF98987262C774E90ACB19

Function 0043C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0043C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0043C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0043C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0043C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0043C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0043C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0043C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0043C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0043C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0043C5F0
InternetCloseHandle.WININET(00000000), ref: 0043C5FB

Strings

, xrefs: 0043C575

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: c1c7e6d889802701deda5a133df473d92e7e1d3832f96e7de88831bb47ab24df
Instruction ID: 811df77b4dc3ea93d27c19404e15720e39bce3ce87473539dca317b2b3546d60
Opcode Fuzzy Hash: c1c7e6d889802701deda5a133df473d92e7e1d3832f96e7de88831bb47ab24df
Instruction Fuzzy Hash: AD516AB1500309BFDB218F61CDC8AAB7BBCFF08745F00542AF945A6651DB38E904DBA8

Function 0045856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00458592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004585A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004585AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004585BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004585D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004585E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004585F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0045FC38,?), ref: 00458611
GlobalFree.KERNEL32(00000000), ref: 00458621
GetObjectW.GDI32(?,00000018,?), ref: 00458641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00458671
DeleteObject.GDI32(?), ref: 00458699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004586AF

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 78964ebfd2cfd144620eb9c4d871e3e8d90e8ff3b8184c5e3a26a1f7e2fc3454
Instruction ID: 29ff893f26a9f2c174682bb717a7758fa0276f0011756ff64875411b76a63e2c
Opcode Fuzzy Hash: 78964ebfd2cfd144620eb9c4d871e3e8d90e8ff3b8184c5e3a26a1f7e2fc3454
Instruction Fuzzy Hash: 31410975600308BFDB119FA5CC88EAB7BB8EB89712F104069F905E7262DB34D945CF64

Function 004314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00431502
VariantCopy.OLEAUT32(?,?), ref: 0043150B
VariantClear.OLEAUT32(?), ref: 00431517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00431657
VariantInit.OLEAUT32(?), ref: 00431708
SysFreeString.OLEAUT32(?), ref: 0043178C
VariantClear.OLEAUT32(?), ref: 004317D8
VariantClear.OLEAUT32(?), ref: 004317E7
VariantInit.OLEAUT32(00000000), ref: 00431823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00431625
Default, xrefs: 004316AF

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 8a54a90f17f2971ac3f810caf17b1d6dd5d63472879a015048f2138d496d03ca
Instruction ID: 526968ed27d2c390084a811cac5cfeb4fd8a6ddd1023df7f7d3e8a391902ae5b
Opcode Fuzzy Hash: 8a54a90f17f2971ac3f810caf17b1d6dd5d63472879a015048f2138d496d03ca
Instruction Fuzzy Hash: 51D1F032A00205EFDB019F65E885B7DB7B5BF49700F54845BE406EB2A1DB38DC42DB66

Function 0044B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

Part of subcall function 0044C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0044B6AE,?,?), ref: 0044C9B5
Part of subcall function 0044C998: _wcslen.LIBCMT ref: 0044C9F1
Part of subcall function 0044C998: _wcslen.LIBCMT ref: 0044CA68
Part of subcall function 0044C998: _wcslen.LIBCMT ref: 0044CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0044B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0044B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0044B80A
RegCloseKey.ADVAPI32(?), ref: 0044B87E
RegCloseKey.ADVAPI32(?), ref: 0044B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0044B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0044B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0044B922
FreeLibrary.KERNEL32(00000000), ref: 0044B983
RegCloseKey.ADVAPI32(00000000), ref: 0044B994

Strings

advapi32.dll, xrefs: 0044B8ED
RegDeleteKeyExW, xrefs: 0044B8FE

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: a22bb95c6facd9add50a8b5df92e2778f385d01663613bbc8a8236a5664f4c07
Instruction ID: 419bf4e2c4a29e5b665b66826166b4dfe9530b51cd4a84fa0c6debb1223103ee
Opcode Fuzzy Hash: a22bb95c6facd9add50a8b5df92e2778f385d01663613bbc8a8236a5664f4c07
Instruction Fuzzy Hash: 30C17C74208601AFE715DF14C495F2ABBE5FF84318F14849DE49A8B3A2CB35EC46CB96

Function 0044255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004425E8
CreateCompatibleDC.GDI32(?), ref: 004425F4
SelectObject.GDI32(00000000,?), ref: 00442601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0044266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004426D0
SelectObject.GDI32(?,?), ref: 004426D8
DeleteObject.GDI32(?), ref: 004426E1
DeleteDC.GDI32(?), ref: 004426E8
ReleaseDC.USER32(00000000,?), ref: 004426F3

Strings

(, xrefs: 0044268D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 45f3f4e6d2ec8e7629e1f1dccbfc97c2d35c3274b82abd8653b732e1e4851a4b
Instruction ID: b79876dab2e7f4df19978fb3f297ac25caa8b2051282bc5362f384d0c894e101
Opcode Fuzzy Hash: 45f3f4e6d2ec8e7629e1f1dccbfc97c2d35c3274b82abd8653b732e1e4851a4b
Instruction Fuzzy Hash: 95611275D00319EFDF04CFA8D984AAEBBB5FF48310F20852AE956A7250D774A941CF94

Function 003FDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 003FDAA1

Part of subcall function 003FD63C: _free.LIBCMT ref: 003FD659
Part of subcall function 003FD63C: _free.LIBCMT ref: 003FD66B
Part of subcall function 003FD63C: _free.LIBCMT ref: 003FD67D
Part of subcall function 003FD63C: _free.LIBCMT ref: 003FD68F
Part of subcall function 003FD63C: _free.LIBCMT ref: 003FD6A1
Part of subcall function 003FD63C: _free.LIBCMT ref: 003FD6B3
Part of subcall function 003FD63C: _free.LIBCMT ref: 003FD6C5
Part of subcall function 003FD63C: _free.LIBCMT ref: 003FD6D7
Part of subcall function 003FD63C: _free.LIBCMT ref: 003FD6E9
Part of subcall function 003FD63C: _free.LIBCMT ref: 003FD6FB
Part of subcall function 003FD63C: _free.LIBCMT ref: 003FD70D
Part of subcall function 003FD63C: _free.LIBCMT ref: 003FD71F
Part of subcall function 003FD63C: _free.LIBCMT ref: 003FD731

_free.LIBCMT ref: 003FDA96

Part of subcall function 003F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003FD7D1,00000000,00000000,00000000,00000000,?,003FD7F8,00000000,00000007,00000000,?,003FDBF5,00000000), ref: 003F29DE
Part of subcall function 003F29C8: GetLastError.KERNEL32(00000000,?,003FD7D1,00000000,00000000,00000000,00000000,?,003FD7F8,00000000,00000007,00000000,?,003FDBF5,00000000,00000000), ref: 003F29F0

_free.LIBCMT ref: 003FDAB8
_free.LIBCMT ref: 003FDACD
_free.LIBCMT ref: 003FDAD8
_free.LIBCMT ref: 003FDAFA
_free.LIBCMT ref: 003FDB0D
_free.LIBCMT ref: 003FDB1B
_free.LIBCMT ref: 003FDB26
_free.LIBCMT ref: 003FDB5E
_free.LIBCMT ref: 003FDB65
_free.LIBCMT ref: 003FDB82
_free.LIBCMT ref: 003FDB9A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 7ba15a892b9557df7be95605a5b4df65ab6d839ecdd23bdf4d2b0fdbf44065c6
Instruction ID: cdb0a043a80754d9d4ed2ed4f15a53b93ce6166243a2605b3340541b4ae06412
Opcode Fuzzy Hash: 7ba15a892b9557df7be95605a5b4df65ab6d839ecdd23bdf4d2b0fdbf44065c6
Instruction Fuzzy Hash: F531593164420ADFEB23AE38E849B7B77EAFF01311F124529E648DB191DB71AC508B24

Function 0042365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0042369C
_wcslen.LIBCMT ref: 004236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00423797
GetClassNameW.USER32(?,?,00000400), ref: 0042380C
GetDlgCtrlID.USER32(?), ref: 0042385D
GetWindowRect.USER32(?,?), ref: 00423882
GetParent.USER32(?), ref: 004238A0
ScreenToClient.USER32(00000000), ref: 004238A7
GetClassNameW.USER32(?,?,00000100), ref: 00423921
GetWindowTextW.USER32(?,?,00000400), ref: 0042395D

Strings

%s%u, xrefs: 00423734

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 92c8d5b92794e68dc874e15caae0c4332fb97493136e4279a39af16c3989dbd2
Instruction ID: 3e39a0d49c552a3a74ef1082d216c1f4caa2d6e63bd1a5d188030f513c4dd0e8
Opcode Fuzzy Hash: 92c8d5b92794e68dc874e15caae0c4332fb97493136e4279a39af16c3989dbd2
Instruction Fuzzy Hash: ED91D471300326AFD719DF24D885BABB7E8FF44341F40852AF999C6290DB38EA45CB95

Function 00424954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00424994
GetWindowTextW.USER32(?,?,00000400), ref: 004249DA
_wcslen.LIBCMT ref: 004249EB
CharUpperBuffW.USER32(?,00000000), ref: 004249F7
_wcsstr.LIBVCRUNTIME ref: 00424A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00424A64
GetWindowTextW.USER32(?,?,00000400), ref: 00424A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00424AE6
GetClassNameW.USER32(?,?,00000400), ref: 00424B20
GetWindowRect.USER32(?,?), ref: 00424B8B

Strings

ThumbnailClass, xrefs: 00424A6F, 00424AF1

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 4dc25e61930afae97f9d402a9dfafe8466189de294bda4ba63d887a29ea712a2
Instruction ID: d57220462cbda798b30a0035359dcf24615fbe3e14359a8ee74b6f59f7b7a441
Opcode Fuzzy Hash: 4dc25e61930afae97f9d402a9dfafe8466189de294bda4ba63d887a29ea712a2
Instruction Fuzzy Hash: 1791F2312043159FDB04CF14E880BAB7BE8FF84314F44846AFD858A296DB38ED45CBA5

Function 00458D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003D9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00458D5A
GetFocus.USER32 ref: 00458D6A
GetDlgCtrlID.USER32(00000000), ref: 00458D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00458E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00458ECF
GetMenuItemCount.USER32(?), ref: 00458EEC
GetMenuItemID.USER32(?,00000000), ref: 00458EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00458F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00458F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00458FA1

Strings

0, xrefs: 00458E9F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: e947a9085649b2678f0e8278cd4e450eccab997bf8c9d6b46f5973198888d593
Instruction ID: 8878d6a46a6544d2935ba30f3366fc7d48b31b213f83e750304517284c5d3be5
Opcode Fuzzy Hash: e947a9085649b2678f0e8278cd4e450eccab997bf8c9d6b46f5973198888d593
Instruction Fuzzy Hash: A1818B72504311AFDB10CF24D885A6B7BE9BB88355F04092EFD85E7292DF34D909CB6A

Function 0042DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0042DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0042DC46
_wcslen.LIBCMT ref: 0042DC50
_wcsstr.LIBVCRUNTIME ref: 0042DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0042DCBC

Strings

\VarFileInfo\Translation, xrefs: 0042DCB4
%u.%u.%u.%u, xrefs: 0042DD9A
DefaultLangCodepage, xrefs: 0042DD1F
StringFileInfo\, xrefs: 0042DC8F
04090000, xrefs: 0042DCF2

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: e2c8a1bf8cbb945bff647b8de98e94c3aed2cfd1b33c6b5fdec7eba28bb2a4c7
Instruction ID: 6a46110adde449d47b80b7b770d90f750dc8e263d470869d0bda36e95c257ed1
Opcode Fuzzy Hash: e2c8a1bf8cbb945bff647b8de98e94c3aed2cfd1b33c6b5fdec7eba28bb2a4c7
Instruction Fuzzy Hash: 98410632E402217ED702B765AC47FBF776CEF45710F50056BF901AA2C2EA69A90187A9

Function 0044CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0044CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0044CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0044CD48

Part of subcall function 0044CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0044CCAA
Part of subcall function 0044CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0044CCBD
Part of subcall function 0044CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0044CCCF
Part of subcall function 0044CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0044CD05
Part of subcall function 0044CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0044CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0044CCF3

Strings

advapi32.dll, xrefs: 0044CCB8
RegDeleteKeyExW, xrefs: 0044CCC9

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: a53392ac08252edd159e2de56491b4d005447f2ac07189182e7da36c3413a522
Instruction ID: 36e0a4298c82c6e163e3460284dfd39d41155433df7d4388fe65d73c88017b65
Opcode Fuzzy Hash: a53392ac08252edd159e2de56491b4d005447f2ac07189182e7da36c3413a522
Instruction Fuzzy Hash: 8C3182B1902219BFE7209B91DCC8EFFBB7CEF05751F040166A905E2251DA389A45DAA8

Function 0042E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0042E6B4

Part of subcall function 003DE551: timeGetTime.WINMM(?,?,0042E6D4), ref: 003DE555

Sleep.KERNEL32(0000000A), ref: 0042E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0042E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0042E727
SetActiveWindow.USER32 ref: 0042E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0042E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0042E773
Sleep.KERNEL32(000000FA), ref: 0042E77E
IsWindow.USER32 ref: 0042E78A
EndDialog.USER32(00000000), ref: 0042E79B

Strings

BUTTON, xrefs: 0042E719

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: cbb31b7f8618c7373e2902d56fd642907d9858b19423ab2bdcb487430a84f276
Instruction ID: 6de33bc42e61a41c476d38ab2cd549f2ed844018ea5bb4ee62fcc89f8cf7b0cc
Opcode Fuzzy Hash: cbb31b7f8618c7373e2902d56fd642907d9858b19423ab2bdcb487430a84f276
Instruction Fuzzy Hash: 6F218E70304315BFEB105F62FDC9E263B69E76534AB900437F802916A2DBA9EC009A2C

Function 0042E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0042EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0042EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0042EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0042EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0042EAA7

Strings

close PlayMe, xrefs: 0042EA6E, 0042EA9B
play PlayMe, xrefs: 0042EAA2
status PlayMe mode, xrefs: 0042EA58
alias PlayMe, xrefs: 0042EA36
play PlayMe wait, xrefs: 0042EA91
open , xrefs: 0042EA0C

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 1c4ff2b9e5a035796819a31740ace3d0dbfcd96cb4bad94a444e4a785a13b86a
Instruction ID: f61995cb1583558475f344422462e793f895ddc2dcc38fc191fae3a98eb6acba
Opcode Fuzzy Hash: 1c4ff2b9e5a035796819a31740ace3d0dbfcd96cb4bad94a444e4a785a13b86a
Instruction Fuzzy Hash: 53118F61B9026979D720B7A2EC4AFFF6A7CEBD1B00F51082BB801A61D1EE740D05C6B4

Function 003D8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 003D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003D8BE8,?,00000000,?,?,?,?,003D8BBA,00000000,?), ref: 003D8FC5

DestroyWindow.USER32(?), ref: 003D8C81
KillTimer.USER32(00000000,?,?,?,?,003D8BBA,00000000,?), ref: 003D8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00416973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,003D8BBA,00000000,?), ref: 004169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,003D8BBA,00000000,?), ref: 004169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,003D8BBA,00000000), ref: 004169D4
DeleteObject.GDI32(00000000), ref: 004169E6

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: c1a1466ebe9500f8efbec78f8393306c97b44c70fa6dbc83d338207e29b54b68
Instruction ID: 24da7c556ef090f86c68b5e4757b0cf31734b4236c3a78c467be13cd551f9f96
Opcode Fuzzy Hash: c1a1466ebe9500f8efbec78f8393306c97b44c70fa6dbc83d338207e29b54b68
Instruction Fuzzy Hash: C3618A72512701DFCB229F14E988B6AB7B5FB50312F15452BE0429BAB0CB35F980DF98

Function 003D9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 003D9944: GetWindowLongW.USER32(?,000000EB), ref: 003D9952

GetSysColor.USER32(0000000F), ref: 003D9862

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 268d6dbfde8a90c63ac4060db21a830f7a62d02021657955e15331031b16b530
Instruction ID: 775ca72a46fe9d278b490f63cfd63311c432c0e213db1a2f9e8fa0106110f078
Opcode Fuzzy Hash: 268d6dbfde8a90c63ac4060db21a830f7a62d02021657955e15331031b16b530
Instruction Fuzzy Hash: 0641A432104754AFDB225F38AC84BBA37A5AB06731F154617F9A2872E2D731DD42EB14

Function 00433388 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004333CF

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004333F0

Strings

Incorrect parameters to object property !, xrefs: 004334AB
^ ERROR , xrefs: 0043349E
Error: , xrefs: 004334D1
Gb, xrefs: 00433388
Line %d (File "%s"):, xrefs: 00433443, 0043345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00433504
"%s" (%d) : ==> %s:, xrefs: 00433522

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Gb$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-893438222
Opcode ID: 3b1304014a212165794fa4ebd54543e7bff65dcdfe3d7ef810a41f481f161c1f
Instruction ID: fe84d19efa687c0117c28a66d0cb618003eef5df7499a81ac4c61b41586dd09a
Opcode Fuzzy Hash: 3b1304014a212165794fa4ebd54543e7bff65dcdfe3d7ef810a41f481f161c1f
Instruction Fuzzy Hash: 6451B332900209BADF16EBA0DD46FEEB378AF14345F20416AF405B6162DB356F58CB68

Function 004296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0040F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00429717
LoadStringW.USER32(00000000,?,0040F7F8,00000001), ref: 00429720

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0040F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00429742
LoadStringW.USER32(00000000,?,0040F7F8,00000001), ref: 00429745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00429866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0042984A
^ ERROR, xrefs: 004297FB
Error: , xrefs: 0042981D
Line %d:, xrefs: 004297A0
Line %d (File "%s"):, xrefs: 0042978F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 9e5050df8155b9b4d4cd40092faf7e3ddadd8b29d22124dfce49768740c312c5
Instruction ID: c70fcb69262ba3a87e9a4850823e1679944f1be02bd9ec767dc895b78d8b7ab9
Opcode Fuzzy Hash: 9e5050df8155b9b4d4cd40092faf7e3ddadd8b29d22124dfce49768740c312c5
Instruction Fuzzy Hash: 5B415F72900219AADB05FBE0DD86FEE7378AF14340F61446AF505B7092EB396F48CB65

Function 00443C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00443C5C
CoInitialize.OLE32(00000000), ref: 00443C8A
CoUninitialize.OLE32 ref: 00443C94
_wcslen.LIBCMT ref: 00443D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00443DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00443ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00443F0E
CoGetObject.OLE32(?,00000000,0045FB98,?), ref: 00443F2D
SetErrorMode.KERNEL32(00000000), ref: 00443F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00443FC4
VariantClear.OLEAUT32(?), ref: 00443FD8

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: aed0957f7104109795ad3aad8c51b17e601fb2f4e154ebccba1b9851735093a2
Instruction ID: 6ba5bdd49c384be0bcca057b93b3372d22d8a59fc01ab4e63682a4fa4bbdd383
Opcode Fuzzy Hash: aed0957f7104109795ad3aad8c51b17e601fb2f4e154ebccba1b9851735093a2
Instruction Fuzzy Hash: 9DC147716083019FE700DF64C88492BB7E9FF89B49F10495EF98A9B211D735EE05CB56

Function 00437A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00437AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00437B8F
SHGetDesktopFolder.SHELL32(?), ref: 00437BA3
CoCreateInstance.OLE32(0045FD08,00000000,00000001,00486E6C,?), ref: 00437BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00437C74
CoTaskMemFree.OLE32(?,?), ref: 00437CCC
SHBrowseForFolderW.SHELL32(?), ref: 00437D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00437D7A
CoTaskMemFree.OLE32(00000000), ref: 00437D81
CoTaskMemFree.OLE32(00000000), ref: 00437DD6
CoUninitialize.OLE32 ref: 00437DDC

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 22677e263ae926a4b1494a1f971bb17390ad7d24e6ec6bc1119f6eaa11c75454
Instruction ID: 14dde78fdf8a465068ceb7b82c69e8ae4b188ae18d236e91b199d58a6f92ba61
Opcode Fuzzy Hash: 22677e263ae926a4b1494a1f971bb17390ad7d24e6ec6bc1119f6eaa11c75454
Instruction Fuzzy Hash: A2C11875A04209AFCB14DF64C884DAEBBB9FF48305F1484A9E81ADB361D734EE45CB94

Function 0045541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00455504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00455515
CharNextW.USER32(00000158), ref: 00455544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00455585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0045559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004555AC

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: b562d94275227738d7f3ac97d673000919263cc6d6eed4d19ea252a108a7bc6d
Instruction ID: 58d848db9821732cd858ebb08855f468b13f014f13b5fc9ba7add7461daad871
Opcode Fuzzy Hash: b562d94275227738d7f3ac97d673000919263cc6d6eed4d19ea252a108a7bc6d
Instruction Fuzzy Hash: 29619070900609FFDF10DF54CC94AFF3BB9EB06322F104156F925A6292D7788A89DB69

Function 0041FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0041FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0041FB08
VariantInit.OLEAUT32(?), ref: 0041FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0041FB3A
VariantCopy.OLEAUT32(?,?), ref: 0041FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0041FBA1
VariantClear.OLEAUT32(?), ref: 0041FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0041FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0041FBCC
VariantClear.OLEAUT32(?), ref: 0041FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0041FBE9

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: dbbbaf5eaa0be97f1db53ae41e2dbeabcbf2fb8e1e4c9033e73fed150becbb22
Instruction ID: c2ff0564b1fc9a4b67048021b83ba5fc2d296492edbbf56656c705bb7579c803
Opcode Fuzzy Hash: dbbbaf5eaa0be97f1db53ae41e2dbeabcbf2fb8e1e4c9033e73fed150becbb22
Instruction Fuzzy Hash: 46415075A002199FCB00DF64C894DEEBBB9FF48345F00806AE955AB262D734E946CB94

Function 00429C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00429CA1
GetAsyncKeyState.USER32(000000A0), ref: 00429D22
GetKeyState.USER32(000000A0), ref: 00429D3D
GetAsyncKeyState.USER32(000000A1), ref: 00429D57
GetKeyState.USER32(000000A1), ref: 00429D6C
GetAsyncKeyState.USER32(00000011), ref: 00429D84
GetKeyState.USER32(00000011), ref: 00429D96
GetAsyncKeyState.USER32(00000012), ref: 00429DAE
GetKeyState.USER32(00000012), ref: 00429DC0
GetAsyncKeyState.USER32(0000005B), ref: 00429DD8
GetKeyState.USER32(0000005B), ref: 00429DEA

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b9dc6b9e0ee8bd4d5a944fab924c60fff4d3e3d3dd30276bdad643194c7938e5
Instruction ID: 824e97b51092d4d4d6b110bf5032e24d73337ad5e85b65e5b822244ca14d39f3
Opcode Fuzzy Hash: b9dc6b9e0ee8bd4d5a944fab924c60fff4d3e3d3dd30276bdad643194c7938e5
Instruction Fuzzy Hash: BC41E8347147E96DFF308661A4443B7BEA06F11344F88805BC6C6567C2E7AC9DC4D7AA

Function 0044055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004405BC
inet_addr.WSOCK32(?), ref: 0044061C
gethostbyname.WSOCK32(?), ref: 00440628
IcmpCreateFile.IPHLPAPI ref: 00440636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004407B9
WSACleanup.WSOCK32 ref: 004407BF

Strings

Ping, xrefs: 00440676

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 96843c3fff0e6a9bb1b31fd066af12822aa416cb4482ed399547616b8e436070
Instruction ID: 54d02a03ae1420ef5e6ddbf79ed3855e8f3576d3e17bf219282dacd7deaa9911
Opcode Fuzzy Hash: 96843c3fff0e6a9bb1b31fd066af12822aa416cb4482ed399547616b8e436070
Instruction Fuzzy Hash: 83918C35604301AFE320DF15C489F1ABBE0EF48318F1585AAE56A8B7A2C734ED51CF96

Function 00448CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00448CF3

Part of subcall function 00428E54: _wcslen.LIBCMT ref: 00428E77

_wcslen.LIBCMT ref: 00448D4E
_wcslen.LIBCMT ref: 00448D9C
_wcslen.LIBCMT ref: 00448DDC
_wcslen.LIBCMT ref: 00448E6E

Strings

none, xrefs: 00448E65, 00448E6A
cdecl, xrefs: 00448D48, 00448D4D
winapi, xrefs: 00448D96, 00448D9B
stdcall, xrefs: 00448DD6, 00448DDB

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: a6e403300a310494c30b0008f1e8d34254a9193934b2f73867c1334cda18ed7e
Instruction ID: 7f44bca1947aad2240b8025ea6491839166c66c2703a616616b82404efe17279
Opcode Fuzzy Hash: a6e403300a310494c30b0008f1e8d34254a9193934b2f73867c1334cda18ed7e
Instruction Fuzzy Hash: C551A171A005169BDB14DF6CC9509BEB7A5BF64324B31422EE826EB3C5DB38DD40C794

Function 0044372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00443774
CoUninitialize.OLE32 ref: 0044377F
CoCreateInstance.OLE32(?,00000000,00000017,0045FB78,?), ref: 004437D9
IIDFromString.OLE32(?,?), ref: 0044384C
VariantInit.OLEAUT32(?), ref: 004438E4
VariantClear.OLEAUT32(?), ref: 00443936

Strings

Failed to create object, xrefs: 004437E4, 0044389A
NULL Pointer assignment, xrefs: 0044381E
Invalid parameter, xrefs: 00443865

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: bf321dcaa2ebaf85ce1223ad43e8698a7faa295977afa81872dce692c98590a7
Instruction ID: 88bfd23757e64b5add9b191cb751e8409ff02ffa28f99c280ef7edeb3025d71f
Opcode Fuzzy Hash: bf321dcaa2ebaf85ce1223ad43e8698a7faa295977afa81872dce692c98590a7
Instruction Fuzzy Hash: FB619170608301AFE311EF54C889F5AB7E4EF49B16F10485EF8859B291C774EE49CB9A

Function 00458B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003D9BB2

Part of subcall function 003D912D: GetCursorPos.USER32(?), ref: 003D9141
Part of subcall function 003D912D: ScreenToClient.USER32(00000000,?), ref: 003D915E
Part of subcall function 003D912D: GetAsyncKeyState.USER32(00000001), ref: 003D9183
Part of subcall function 003D912D: GetAsyncKeyState.USER32(00000002), ref: 003D919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00458B6B
ImageList_EndDrag.COMCTL32 ref: 00458B71
ReleaseCapture.USER32 ref: 00458B77
SetWindowTextW.USER32(?,00000000), ref: 00458C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00458C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00458CFF

Strings

@GUI_DROPID, xrefs: 00458C51
b, xrefs: 00458C71
@GUI_DRAGFILE, xrefs: 00458C9A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$b
API String ID: 1924731296-290844155
Opcode ID: 9c656275158f993b35fed6dc909455ec373fb7d61e7562d321934682f1892a85
Instruction ID: bf631c8ace334a7ca13061853392c5e41bdca87726a4b936760e50a881a7e56a
Opcode Fuzzy Hash: 9c656275158f993b35fed6dc909455ec373fb7d61e7562d321934682f1892a85
Instruction Fuzzy Hash: B9517D71104304AFD701EF14DC96FAA77E4FB84715F00062EF956AB2A2DB749D08CB66

Function 0042B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0042B5FC
_wcslen.LIBCMT ref: 0042B608
_wcslen.LIBCMT ref: 0042B64D
_wcslen.LIBCMT ref: 0042B68C
_wcslen.LIBCMT ref: 0042B6C7

Strings

APPEND, xrefs: 0042B6C1, 0042B6C6
REMOVE, xrefs: 0042B602, 0042B607
KEYS, xrefs: 0042B647, 0042B64C
EXISTS, xrefs: 0042B686, 0042B68B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 59e21d145b67a8bdbdb8b1e0bf7f37f4373c88f964657273c4df4244ac6074ea
Instruction ID: a128682e4109c9a40c4fe2cc2f5a64671dbf2db61b1d90cff45c55d78345f3f2
Opcode Fuzzy Hash: 59e21d145b67a8bdbdb8b1e0bf7f37f4373c88f964657273c4df4244ac6074ea
Instruction Fuzzy Hash: 8541F532B001369ACB206F7D98905BFB7A5EFA0754B65422BE462DB380E739CD81C7D5

Function 00435393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00435416
GetLastError.KERNEL32 ref: 00435420
SetErrorMode.KERNEL32(00000000,READY), ref: 004354A7

Strings

INVALID, xrefs: 00435459
NOTREADY, xrefs: 0043544B
READY, xrefs: 00435460, 00435468
UNKNOWN, xrefs: 00435444
READONLY, xrefs: 00435452

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 68cb64421a2538d5a1b38470d0fba90d93d951cc3ff5ab0c0f9158fd1ee1db29
Instruction ID: d07d94a2946ecf3bd52984c0c9047e4e2d627b29b15655031f59f74a7c9979cb
Opcode Fuzzy Hash: 68cb64421a2538d5a1b38470d0fba90d93d951cc3ff5ab0c0f9158fd1ee1db29
Instruction Fuzzy Hash: E931AE35A006049FD715DF68C884FAABBB4EF59305F14806AE805CF392D739DD82CB95

Function 00453C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00453C79
SetMenu.USER32(?,00000000), ref: 00453C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00453D10
IsMenu.USER32(?), ref: 00453D24
CreatePopupMenu.USER32 ref: 00453D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00453D5B
DrawMenuBar.USER32 ref: 00453D63

Strings

F, xrefs: 00453D4E
0, xrefs: 00453C54

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 70a2aae5a190c8c9de53ecb06d9c8f35760c8001e1e0013ca7bdd209f3dd2c48
Instruction ID: 9d486a222f2ff827bb5f4b1d4f5671db32e60976a49db2e4815d31e1e78073ea
Opcode Fuzzy Hash: 70a2aae5a190c8c9de53ecb06d9c8f35760c8001e1e0013ca7bdd209f3dd2c48
Instruction Fuzzy Hash: D2415B75A01309AFDB14CFA4D884B9A77B5FF49392F14002AED4697361D734EA18CF98

Function 00453A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00453A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00453AA0
GetWindowLongW.USER32(?,000000F0), ref: 00453AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00453AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00453B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00453BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00453BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00453BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00453BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00453C13

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 516bc11b27e4428b16075a5d806d5a9dffdaa2beb6b617ede1e46b22a48fcb1b
Instruction ID: ead330fe6392fb6de5d3a1818d7a68d992140e7da367273a2769fe4037b7efb8
Opcode Fuzzy Hash: 516bc11b27e4428b16075a5d806d5a9dffdaa2beb6b617ede1e46b22a48fcb1b
Instruction Fuzzy Hash: 3D618B75900248AFDB11DFA8CC81EEE77B8EB09705F1001AAFA15E73A2C774AE45DB54

Function 0042B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0042B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0042A1E1,?,00000001), ref: 0042B165
GetWindowThreadProcessId.USER32(00000000), ref: 0042B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0042A1E1,?,00000001), ref: 0042B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0042A1E1,?,00000001), ref: 0042B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0042A1E1,?,00000001), ref: 0042B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0042A1E1,?,00000001), ref: 0042B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0042A1E1,?,00000001), ref: 0042B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0042A1E1,?,00000001), ref: 0042B21D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 646c1af45e4858fbf418e5c465f87be251d1b873890b54d9199ddbfcd31076d0
Instruction ID: b611cebea27ab1ff781a280b59746c898a59044f98c7bfe38c749d7b06dc1689
Opcode Fuzzy Hash: 646c1af45e4858fbf418e5c465f87be251d1b873890b54d9199ddbfcd31076d0
Instruction Fuzzy Hash: C8317A71650314EFDB109F64EC88B7E7BA9EB62356F504026FA01D7291D7B89A40CFAC

Function 003F2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003F2C94

Part of subcall function 003F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003FD7D1,00000000,00000000,00000000,00000000,?,003FD7F8,00000000,00000007,00000000,?,003FDBF5,00000000), ref: 003F29DE
Part of subcall function 003F29C8: GetLastError.KERNEL32(00000000,?,003FD7D1,00000000,00000000,00000000,00000000,?,003FD7F8,00000000,00000007,00000000,?,003FDBF5,00000000,00000000), ref: 003F29F0

_free.LIBCMT ref: 003F2CA0
_free.LIBCMT ref: 003F2CAB
_free.LIBCMT ref: 003F2CB6
_free.LIBCMT ref: 003F2CC1
_free.LIBCMT ref: 003F2CCC
_free.LIBCMT ref: 003F2CD7
_free.LIBCMT ref: 003F2CE2
_free.LIBCMT ref: 003F2CED
_free.LIBCMT ref: 003F2CFB

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fd2b6c0a104dcb29c7e0b866e2e5e32e5c683fc455ec2ca0ba437d5b03ba3675
Instruction ID: 533d53f4a8e80fc1b3664bd81ca3166a45327020bf9412dd2cfc51d5eab77da5
Opcode Fuzzy Hash: fd2b6c0a104dcb29c7e0b866e2e5e32e5c683fc455ec2ca0ba437d5b03ba3675
Instruction Fuzzy Hash: 5D11927614010DEFCB02EF94D882CEE3BA5BF06350F4144A5FA489F222DB71EE609B90

Function 003C1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003C1459
OleUninitialize.OLE32(?,00000000), ref: 003C14F8
UnregisterHotKey.USER32(?), ref: 003C16DD
DestroyWindow.USER32(?), ref: 004024B9
FreeLibrary.KERNEL32(?), ref: 0040251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040254B

Strings

close all, xrefs: 003C1454

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 02b599e1be186de260a05970cb45abaf01f7b32f0c2ab6b446d2c269ec09cc91
Instruction ID: 9003951656a794ffb2dc28bd888549ead189a129f801166ff6502dcb7efd0a61
Opcode Fuzzy Hash: 02b599e1be186de260a05970cb45abaf01f7b32f0c2ab6b446d2c269ec09cc91
Instruction Fuzzy Hash: BFD16F317012129FCB1AEF15C999F29F7A4BF05700F1541AEE84AAB392CB35AD12DF58

Function 003C5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 003C5C7A

Part of subcall function 003C5D0A: GetClientRect.USER32(?,?), ref: 003C5D30
Part of subcall function 003C5D0A: GetWindowRect.USER32(?,?), ref: 003C5D71
Part of subcall function 003C5D0A: ScreenToClient.USER32(?,?), ref: 003C5D99

GetDC.USER32 ref: 004046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00404708
SelectObject.GDI32(00000000,00000000), ref: 00404716
SelectObject.GDI32(00000000,00000000), ref: 0040472B
ReleaseDC.USER32(?,00000000), ref: 00404733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004047C4

Strings

U, xrefs: 00404693

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 023379a3fe97d6f3acb9e6ccab858c640ef02d8576840ea7c0ea29785c2509be
Instruction ID: 47d72dda5b8c198146cd24178d2fa3684931e39de47b7c1b1d1f5e8631fd5fc2
Opcode Fuzzy Hash: 023379a3fe97d6f3acb9e6ccab858c640ef02d8576840ea7c0ea29785c2509be
Instruction Fuzzy Hash: 0D71DF71400205DFCF228F64C984EAA3BB5FF8A315F14427AEE51AB2A6D3399C81DF54

Function 0043359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004335E4

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

LoadStringW.USER32(00492390,?,00000FFF,?), ref: 0043360A

Strings

^ ERROR, xrefs: 004336C9
Error: , xrefs: 004336EF
Line %d (File "%s"):, xrefs: 0043366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00433724
"%s" (%d) : ==> %s:, xrefs: 00433742

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 8cd2b671120395f0ad7b0df25ebc6dde196586353b0f681fd7588d77a1967723
Instruction ID: 772a57271be1046d44966e38146650617dda6710da7715d93d9585bbee4fd50e
Opcode Fuzzy Hash: 8cd2b671120395f0ad7b0df25ebc6dde196586353b0f681fd7588d77a1967723
Instruction Fuzzy Hash: A951817190020ABADF16EFA0DC46FEEBB34AF14301F14412AF505B61A1DB341E99DF68

Function 0043C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0043C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0043C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0043C2CA
GetLastError.KERNEL32 ref: 0043C322
SetEvent.KERNEL32(?), ref: 0043C336
InternetCloseHandle.WININET(00000000), ref: 0043C341

Strings

, xrefs: 0043C2BB

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 4623cc7cc63221b1e349f015ed19789f975883164f973b2f5645091917e87abf
Instruction ID: e5811cc0d36c6f54c8da67788bf76355fdce71ff306e8582e462d29a84226349
Opcode Fuzzy Hash: 4623cc7cc63221b1e349f015ed19789f975883164f973b2f5645091917e87abf
Instruction Fuzzy Hash: D3318F71600308AFD7219F658CC4A6B7BFCEB4D744F10952EF846A2201DB38DD058B69

Function 0042989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00403AAF,?,?,Bad directive syntax error,0045CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004298BC
LoadStringW.USER32(00000000,?,00403AAF,?), ref: 004298C3

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00429987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 004298F1
Line %d:, xrefs: 00429912
Error: , xrefs: 00429955
Line %d (File "%s"):, xrefs: 0042992D
., xrefs: 0042996D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: cef23d4571b17fc70f8e17d742f689c088db830c71cb10e4b0daca161b073210
Instruction ID: 9d180b865997550ce1d0a11ad878fd26c29d5db9c4683986d5dbd0bc27a31454
Opcode Fuzzy Hash: cef23d4571b17fc70f8e17d742f689c088db830c71cb10e4b0daca161b073210
Instruction Fuzzy Hash: 40219132A0031AABCF12AF90DC4AFEE7735BF18704F04446BF515660A2DB359A58CB58

Function 0042209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0042214D

Strings

smallicons, xrefs: 00422115
largeicons, xrefs: 004220E1
details, xrefs: 004220FB
SHELLDLL_DefView, xrefs: 004220CC
list, xrefs: 0042212F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 41898857d113af786d58bf0a72da5ae6f5ff91a3048da886c23645556219e8cc
Instruction ID: cd40bc5b78b0286aede34d39da6fca9142402f1747876644ffa22be235912427
Opcode Fuzzy Hash: 41898857d113af786d58bf0a72da5ae6f5ff91a3048da886c23645556219e8cc
Instruction Fuzzy Hash: D4110A7A784727B9F6023621EC06DFB379CDF14324B600127F704A91D2FEE9A822561C

Function 003FCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 003FCEB7
_free.LIBCMT ref: 003FCF22
_free.LIBCMT ref: 003FCF48
_free.LIBCMT ref: 003FCF71
_free.LIBCMT ref: 003FCFA9
_free.LIBCMT ref: 003FCFDA
_free.LIBCMT ref: 003FD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 003FD09C
_free.LIBCMT ref: 003FD0B5

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 5c89d8c5f7304bc9a79459f9936f9624740edad64f21d05d7874dc6aeb01fc4e
Instruction ID: 0a97721dad410a4874054904310f11cdbb3bdc122e9eacb27a1885c42faa2b1b
Opcode Fuzzy Hash: 5c89d8c5f7304bc9a79459f9936f9624740edad64f21d05d7874dc6aeb01fc4e
Instruction Fuzzy Hash: 2761377194430DAFDB23AFB49985A7ABBA5EF05350F05427EFB419B282DB319D01C790

Function 004550D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00455186
ShowWindow.USER32(?,00000000), ref: 004551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 004551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 004551D1

Part of subcall function 00456FBA: DeleteObject.GDI32(00000000), ref: 00456FE6

GetWindowLongW.USER32(?,000000F0), ref: 0045520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0045524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00455287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00455296

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 4fcf4abe5ed9b5b278c45085d447bc81625a228fd9ee03cb7b4b3860be280c84
Instruction ID: 50a9837bdad001931e11878c5730aa4de38495a870e37b47e646de7e5dccf849
Opcode Fuzzy Hash: 4fcf4abe5ed9b5b278c45085d447bc81625a228fd9ee03cb7b4b3860be280c84
Instruction Fuzzy Hash: DB51D330A40A08BFEF209F24CC55BE93BA1EB04326F144057FD159A3E2C379A998DF49

Function 003D8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00416890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,003D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00416901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0041691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,003D8874,00000000,00000000,00000000,000000FF,00000000), ref: 0041692D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 69c9e41a88de68ae60810b49a080293bb405fff31f507f0270cd9b3f2b01a8c9
Instruction ID: e081fa2d0dc58b4aed6927fb6520d9bcee6a09d950f5e2f8106159a6c785f2e8
Opcode Fuzzy Hash: 69c9e41a88de68ae60810b49a080293bb405fff31f507f0270cd9b3f2b01a8c9
Instruction Fuzzy Hash: 2451A7B1600309AFDB21DF25DC91FAA7BBAEB58310F10452AF912972A0DB70E990DB44

Function 0043C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0043C182
GetLastError.KERNEL32 ref: 0043C195
SetEvent.KERNEL32(?), ref: 0043C1A9

Part of subcall function 0043C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0043C272
Part of subcall function 0043C253: GetLastError.KERNEL32 ref: 0043C322
Part of subcall function 0043C253: SetEvent.KERNEL32(?), ref: 0043C336
Part of subcall function 0043C253: InternetCloseHandle.WININET(00000000), ref: 0043C341

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cd429ea06193c842ac48f6f0b6d691179fa5e4c8fca8a03f17b78f610f61338f
Instruction ID: 66a187881d8bff0f23335d2816c146a0c1fa34747b4cc8751e6ea8f09b56ec06
Opcode Fuzzy Hash: cd429ea06193c842ac48f6f0b6d691179fa5e4c8fca8a03f17b78f610f61338f
Instruction Fuzzy Hash: 2831BE71900701AFDB209FA5DC84A6BBBE9FF1C301F10542EF956A2611D734E811EFA8

Function 004225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00423A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00423A57
Part of subcall function 00423A3D: GetCurrentThreadId.KERNEL32 ref: 00423A5E
Part of subcall function 00423A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004225B3), ref: 00423A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00422601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00422605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0042260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00422623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00422627

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2d0edf133669dc82d168faf84e2fd545ca322da2f117d441a311d78e549f53ad
Instruction ID: 0c1403d7bd6f20cba896f8967e102bc10bdba1089c530a52079eb12435fc95e0
Opcode Fuzzy Hash: 2d0edf133669dc82d168faf84e2fd545ca322da2f117d441a311d78e549f53ad
Instruction Fuzzy Hash: 6E01D831390720BBFB1067699CCAF597F99DB4EB13F500026F314AF1D2C9E554448A6D

Function 00421803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00421449,?,?,00000000), ref: 0042180C
HeapAlloc.KERNEL32(00000000,?,00421449,?,?,00000000), ref: 00421813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00421449,?,?,00000000), ref: 00421828
GetCurrentProcess.KERNEL32(?,00000000,?,00421449,?,?,00000000), ref: 00421830
DuplicateHandle.KERNEL32(00000000,?,00421449,?,?,00000000), ref: 00421833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00421449,?,?,00000000), ref: 00421843
GetCurrentProcess.KERNEL32(00421449,00000000,?,00421449,?,?,00000000), ref: 0042184B
DuplicateHandle.KERNEL32(00000000,?,00421449,?,?,00000000), ref: 0042184E
CreateThread.KERNEL32(00000000,00000000,00421874,00000000,00000000,00000000), ref: 00421868

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 74348bbea1627db3604c0560bc883ffcea1eeae8fc7b8daa6e487b2273a1b34d
Instruction ID: 8f996339106a80425ef784a58caa837f6120cab53a251636b5ec840eb8d5b1fc
Opcode Fuzzy Hash: 74348bbea1627db3604c0560bc883ffcea1eeae8fc7b8daa6e487b2273a1b34d
Instruction Fuzzy Hash: B401A8B5640708BFE610ABA5DC89F6B3BACEB89B11F404461FA05DB1A2CA74DC40CF24

Function 003CBBE0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003CBEB3

Strings

_, xrefs: 003CBC11, 003CBCBC
D%ID%I, xrefs: 003CBCA5
D%I, xrefs: 003CBCA2
b, xrefs: 003CBC10
D%I, xrefs: 003CBE9A
D%I, xrefs: 003CBDED, 003CBD91, 003CBD1B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%I$D%I$D%I$D%ID%I$_$b
API String ID: 1385522511-1819305782
Opcode ID: 1deafe97bcbd94c57c77829c67972c36e78cdf0894efd479daed1e481902f657
Instruction ID: 0479c9964641f4b84962cbee0ab69d6a87115296614a6ea87adbe776c315817c
Opcode Fuzzy Hash: 1deafe97bcbd94c57c77829c67972c36e78cdf0894efd479daed1e481902f657
Instruction Fuzzy Hash: AB913875A0021ADFCB19CF68C092AAAF7B5FF58310F25816ED942EB350D771AD81CB90

Function 00447B7E Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 003E0242: EnterCriticalSection.KERNEL32(0049070C,00491884,?,?,003D198B,00492518,?,?,?,003C12F9,00000000), ref: 003E024D
Part of subcall function 003E0242: LeaveCriticalSection.KERNEL32(0049070C,?,003D198B,00492518,?,?,?,003C12F9,00000000), ref: 003E028A

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

Part of subcall function 003E00A3: __onexit.LIBCMT ref: 003E00A9

__Init_thread_footer.LIBCMT ref: 00447BFB

Part of subcall function 003E01F8: EnterCriticalSection.KERNEL32(0049070C,?,?,003D8747,00492514), ref: 003E0202
Part of subcall function 003E01F8: LeaveCriticalSection.KERNEL32(0049070C,?,003D8747,00492514), ref: 003E0235

Strings

+TA, xrefs: 00447E2E
5, xrefs: 00447C78
Gb, xrefs: 00447C96
Gb, xrefs: 00447CD4, 00447D73, 00447D05, 00447E05
Variable must be of type 'Object'., xrefs: 00447C3A
b, xrefs: 00447D5C, 00447C50

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TA$5$Gb$Gb$Variable must be of type 'Object'.$b
API String ID: 535116098-3566290282
Opcode ID: a2b0e356fb8c819e1c9a79fc43758b5bbb067b7d62026a8516df363546490530
Instruction ID: 13dc6e353340a52f6bb47530efea2760a7ff48bd08be9f95edd9c26669f1996e
Opcode Fuzzy Hash: a2b0e356fb8c819e1c9a79fc43758b5bbb067b7d62026a8516df363546490530
Instruction Fuzzy Hash: 5F91AF70A04209AFDB15EF54D881DAEB7B1FF44304F10805EF8069B392DB749E46CB59

Function 0044A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0042D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0042D501
Part of subcall function 0042D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0042D50F
Part of subcall function 0042D4DC: CloseHandle.KERNEL32(00000000), ref: 0042D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0044A16D
GetLastError.KERNEL32 ref: 0044A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0044A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0044A268
GetLastError.KERNEL32(00000000), ref: 0044A273
CloseHandle.KERNEL32(00000000), ref: 0044A2C4

Strings

SeDebugPrivilege, xrefs: 0044A18F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 36c8e67a4386a5e668ba2193c0bd5b6b971c43824cf07f29c741e409f3fe3479
Instruction ID: cd7d9932debb5b070f75b1d81a310b38e1830cd993e8ed2ae220b3ffb367f1fb
Opcode Fuzzy Hash: 36c8e67a4386a5e668ba2193c0bd5b6b971c43824cf07f29c741e409f3fe3479
Instruction Fuzzy Hash: 7E618D302442429FE710DF14C494F1ABBE1AF44318F58849DE4668F7A3C7BAED46CB96

Function 00453886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00453925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0045393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00453954
_wcslen.LIBCMT ref: 00453999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004539F4

Strings

SysListView32, xrefs: 004538F7

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 973ebca75032a0e647134a64798d683a97aeb431d50ccb37db2a174a9628f891
Instruction ID: b08723bc43d5d559ecac8acb68b7532ce7db231fb979519dc20bd8bb30a23c86
Opcode Fuzzy Hash: 973ebca75032a0e647134a64798d683a97aeb431d50ccb37db2a174a9628f891
Instruction Fuzzy Hash: 4941C371A00319ABEB219F64CC45BEB7BA9EF08391F100526F944E7282D774DE84CB98

Function 0042BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0042BCFD
IsMenu.USER32(00000000), ref: 0042BD1D
CreatePopupMenu.USER32 ref: 0042BD53
GetMenuItemCount.USER32(00C28270), ref: 0042BDA4
InsertMenuItemW.USER32(00C28270,?,00000001,00000030), ref: 0042BDCC

Strings

0, xrefs: 0042BCA8
2, xrefs: 0042BD37

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 9c485ca23af8c9106ef1a9ef4777c0d026dc456dc677d1b7b7e927b8aaf75110
Instruction ID: aa9bc73999b97f04709911f0681ae7875e14e9b347d15e2725f201a7132baf50
Opcode Fuzzy Hash: 9c485ca23af8c9106ef1a9ef4777c0d026dc456dc677d1b7b7e927b8aaf75110
Instruction Fuzzy Hash: CE51FF70B00329ABDB11CFA9E8C4BEEBBF4EF44314F54412AE45197391D7789941CB99

Function 003E2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 003E2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 003E2D53
_ValidateLocalCookies.LIBCMT ref: 003E2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 003E2E0C
_ValidateLocalCookies.LIBCMT ref: 003E2E61

Strings

csm, xrefs: 003E2DF6
&H>, xrefs: 003E2DFE, 003E2E07, 003E2E18

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H>$csm
API String ID: 1170836740-3797664976
Opcode ID: 9ccb6a3f90a5f108056ff6f51a9364429080ac67a1f14a700d5b87f8e25604b1
Instruction ID: 92a2de8410d9133b1f3e22fc2b236743f56fa01f46097768eb3d03e54bb12f82
Opcode Fuzzy Hash: 9ccb6a3f90a5f108056ff6f51a9364429080ac67a1f14a700d5b87f8e25604b1
Instruction Fuzzy Hash: 8A41D634E00268DBCF11DF6ACC45A9FBBB8BF44314F158266E9246B3D2D771AA05CB90

Function 0042C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0042C913

Strings

info, xrefs: 0042C8B4
blank, xrefs: 0042C895
question, xrefs: 0042C8CC
warning, xrefs: 0042C8FC
stop, xrefs: 0042C8E4

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3a843931bc72992950907dd018f81b9f278bcdd78439c245ad9a2d23456c5925
Instruction ID: 168ddb75b887fe2d1169ece4e9886e4e823c989ea2b94c37728d50d45701ed35
Opcode Fuzzy Hash: 3a843931bc72992950907dd018f81b9f278bcdd78439c245ad9a2d23456c5925
Instruction Fuzzy Hash: 99112E71789326BAA7016B54ACC2D9F679CDF15325BA0003BF500AB2C2D7A85D4053AD

Function 0042ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0042ED2A
_wcslen.LIBCMT ref: 0042ED3B
_wcslen.LIBCMT ref: 0042ED79
_wcslen.LIBCMT ref: 0042EDAF
_wcslen.LIBCMT ref: 0042EDDF
_wcslen.LIBCMT ref: 0042EDEF
_wcslen.LIBCMT ref: 0042EE2B
_wcslen.LIBCMT ref: 0042EE5A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 2c07ead07e2a7997df2d62f3d41c5489d0009a6d63e1fd47ce4a65a7dd2acbb2
Instruction ID: 00160e4a6bba36417043b9a3945177d83b682e49f13ac43c4ad98e17478a5b9a
Opcode Fuzzy Hash: 2c07ead07e2a7997df2d62f3d41c5489d0009a6d63e1fd47ce4a65a7dd2acbb2
Instruction Fuzzy Hash: 3C41A565D10268B5CB12EBF6888A9CF77A8AF45310F504A63F614F7162FB34D245C3EA

Function 003DF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0041682C,00000004,00000000,00000000), ref: 003DF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0041682C,00000004,00000000,00000000), ref: 0041F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0041682C,00000004,00000000,00000000), ref: 0041F454

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b01d1f8c0017c4eb526d2d5d6019973a4f0e0bc780c88d8a5118e274a572b795
Instruction ID: fd09d39840631df3d4801416a32eb6314551ba176c9aa1739414215fdcc4ca75
Opcode Fuzzy Hash: b01d1f8c0017c4eb526d2d5d6019973a4f0e0bc780c88d8a5118e274a572b795
Instruction Fuzzy Hash: DF417B32A08780BEC73B8B29E8E876A7B95AB56314F15403FE04B56B61C735E8C5CB15

Function 00452D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00452D1B
GetDC.USER32(00000000), ref: 00452D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00452D2E
ReleaseDC.USER32(00000000,00000000), ref: 00452D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00452D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00452D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00455A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00452DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00452DE1

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 921527aaecd3bc710467d206986c6002e0c6bd0bf06a9ec8a6a970f8d3119a97
Instruction ID: ab68c1263eac8b2ded649dad351e81e35e25dabfde81064913e756d8618bb423
Opcode Fuzzy Hash: 921527aaecd3bc710467d206986c6002e0c6bd0bf06a9ec8a6a970f8d3119a97
Instruction Fuzzy Hash: AF317172101314BFEB114F50CC89FEB3BA9EF09756F044066FE089A292C6B59C55CBA8

Function 00425622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00425637
_memcmp.LIBVCRUNTIME ref: 00425659
_memcmp.LIBVCRUNTIME ref: 00425671
_memcmp.LIBVCRUNTIME ref: 00425684
_memcmp.LIBVCRUNTIME ref: 0042569E
_memcmp.LIBVCRUNTIME ref: 004256B1
_memcmp.LIBVCRUNTIME ref: 004256C9
_memcmp.LIBVCRUNTIME ref: 004256E4

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 012bc2930f8f5a2cadcae2a0a3e16a02e369b290f80981581e704748d338d3f9
Instruction ID: 4952fb11b1291e49810749d95028b5d3c08c9ca2a4fe6e3dd3816c8b2bd1c57d
Opcode Fuzzy Hash: 012bc2930f8f5a2cadcae2a0a3e16a02e369b290f80981581e704748d338d3f9
Instruction Fuzzy Hash: 7B21C575B41A6977D2159521AE82FBB335CAE20385F940033FD089E782F73CED1981AE

Function 00444FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0044502E, 00445383
Not an Object type, xrefs: 00445007

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 0e7af4df6584c1fe50bb7e5fabb6d98c008699ce128fd6c5dd0b0e9c0126bed6
Instruction ID: f4cfe11802a13d37cc531941387685871306d7102f22fa992aac4aede716f849
Opcode Fuzzy Hash: 0e7af4df6584c1fe50bb7e5fabb6d98c008699ce128fd6c5dd0b0e9c0126bed6
Instruction Fuzzy Hash: A4D1C275A0060AAFEF10CFA8C881FAEB7B5BF48344F14846AE915AB382D774DD45CB54

Function 00401522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004017FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004015CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00401651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004017FB,?,004017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004016E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004016FB

Part of subcall function 003F3820: RtlAllocateHeap.NTDLL(00000000,?,00491444,?,003DFDF5,?,?,003CA976,00000010,00491440,003C13FC,?,003C13C6,?,003C1129), ref: 003F3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00401777
__freea.LIBCMT ref: 004017A2
__freea.LIBCMT ref: 004017AE

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: c82536da1a4812e865009f55528702c022a26a9a27ef43fa809578e0d8f6abcc
Instruction ID: 2447502e4e22f97b44d920acaa0c4551e28cd9e899fda357b4a0c64c028a5af5
Opcode Fuzzy Hash: c82536da1a4812e865009f55528702c022a26a9a27ef43fa809578e0d8f6abcc
Instruction Fuzzy Hash: 51918171E10216AEDB218E64CC81AEF7BB59F45310F18467AE905FB2E1D739DC41CB68

Function 00444523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00444648
VariantInit.OLEAUT32(?), ref: 00444749
VariantClear.OLEAUT32(?), ref: 00444753
VariantClear.OLEAUT32(?), ref: 004447B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 004445D8, 00444706, 004447BE
Incorrect Object type in FOR..IN loop, xrefs: 0044472C

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 7f2fe618de2922abd34a43e0c36c8f6630115aadb7daec3b8bf290b6857496e4
Instruction ID: 06a2c803b2e5462c4c372221c99b103ac05d50efb31824b556e1c4bd8d199fca
Opcode Fuzzy Hash: 7f2fe618de2922abd34a43e0c36c8f6630115aadb7daec3b8bf290b6857496e4
Instruction Fuzzy Hash: 3891C871900215AFEF20CF94C884FAFB7B8EF86714F10855AF505AB281D7789942CFA4

Function 00431187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0043125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00431284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0043135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00431430

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: fc9478b16f86cdb6c545ad04fa6ecfe3b4d4fef4bd538d921c6177fd425ea36c
Instruction ID: 267396c0f121eba08283341770a87387f98813c37ae77daf9461f5e753e2dfb3
Opcode Fuzzy Hash: fc9478b16f86cdb6c545ad04fa6ecfe3b4d4fef4bd538d921c6177fd425ea36c
Instruction Fuzzy Hash: 08910371A002189FDB01DF94C885BBEB7B5FF49325F10506BE911EB2A1D778E942CB98

Function 003D948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b688e38a86e304598ba523499233de33c725aa065ad8cfaa41594eff6f7eb236
Instruction ID: 163bcf8e6faf692fc7d742cf80a7ad2ab9f02b18d12a61f541d0e5f3b6e0fad7
Opcode Fuzzy Hash: b688e38a86e304598ba523499233de33c725aa065ad8cfaa41594eff6f7eb236
Instruction Fuzzy Hash: B8913872D00219EFCB11CFA9DC84AEEBBB9FF49320F144156E915B7251D378AA42CB60

Function 00443947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0044396B
CharUpperBuffW.USER32(?,?), ref: 00443A7A
_wcslen.LIBCMT ref: 00443A8A
VariantClear.OLEAUT32(?), ref: 00443C1F

Part of subcall function 00430CDF: VariantInit.OLEAUT32(00000000), ref: 00430D1F
Part of subcall function 00430CDF: VariantCopy.OLEAUT32(?,?), ref: 00430D28
Part of subcall function 00430CDF: VariantClear.OLEAUT32(?), ref: 00430D34

Strings

AUTOIT.ERROR, xrefs: 00443A80, 00443A85
Incorrect Parameter format, xrefs: 004439A6, 00443BA1

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 60b234f9ae97a321439452702049ab7695185ac1e0110066f8b9901cca0d0bd4
Instruction ID: da29af33d7d920d19dee2f0df69ef3d9212b69a5e37e0a3435ab71d3433a5138
Opcode Fuzzy Hash: 60b234f9ae97a321439452702049ab7695185ac1e0110066f8b9901cca0d0bd4
Instruction Fuzzy Hash: 50918C756083419FC700EF24C480A2AB7E4FF89715F14886EF88A9B352DB35EE05CB96

Function 00444BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0042000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0041FF41,80070057,?,?,?,0042035E), ref: 0042002B
Part of subcall function 0042000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0041FF41,80070057,?,?), ref: 00420046
Part of subcall function 0042000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0041FF41,80070057,?,?), ref: 00420054
Part of subcall function 0042000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0041FF41,80070057,?), ref: 00420064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00444C51
_wcslen.LIBCMT ref: 00444D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00444DCF
CoTaskMemFree.OLE32(?), ref: 00444DDA

Strings

NULL Pointer assignment, xrefs: 00444E23, 00444E52

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 23827f1ca42ac9bb4ff76a5b4c22bef2d3417c324f857cb3026a1ee9d04ca462
Instruction ID: 89026d48201acf8dcbbb15fa935b5985940e1ed3971b5cb6dcd841a81adbe3b6
Opcode Fuzzy Hash: 23827f1ca42ac9bb4ff76a5b4c22bef2d3417c324f857cb3026a1ee9d04ca462
Instruction Fuzzy Hash: 48911471D0021DAFEF11DFA4D891EEEB7B8BF48304F10816AE915AB241DB349E458FA4

Function 004520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00452183
GetMenuItemCount.USER32(00000000), ref: 004521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004521DD
_wcslen.LIBCMT ref: 00452213
GetMenuItemID.USER32(?,?), ref: 0045224D
GetSubMenu.USER32(?,?), ref: 0045225B

Part of subcall function 00423A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00423A57
Part of subcall function 00423A3D: GetCurrentThreadId.KERNEL32 ref: 00423A5E
Part of subcall function 00423A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004225B3), ref: 00423A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004522E3

Part of subcall function 0042E97B: Sleep.KERNEL32 ref: 0042E9F3

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c1f200accaf7605aadb13b6069d1921c596443113e3d5288185012cd694e69a2
Instruction ID: 18eeb08755aceb9760d92db6452c487e94c88115aa67391ccfd5de83990123f0
Opcode Fuzzy Hash: c1f200accaf7605aadb13b6069d1921c596443113e3d5288185012cd694e69a2
Instruction Fuzzy Hash: 7D71C335A00215AFCB11DF64C981AAEB7F1EF49311F1484AAF816EB342D778EE418F94

Function 0042AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0042AEF9
GetKeyboardState.USER32(?), ref: 0042AF0E
SetKeyboardState.USER32(?), ref: 0042AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0042AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0042AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0042AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0042B020

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f8c720a691b8c5076bd4ea5f15f6c6e57ded004c71f78db3eb32c9e5937e7c80
Instruction ID: adbd0471ee7338062a73e1224686eb200567d000a6a59a467136d1c89dfd8221
Opcode Fuzzy Hash: f8c720a691b8c5076bd4ea5f15f6c6e57ded004c71f78db3eb32c9e5937e7c80
Instruction Fuzzy Hash: 1151F2A07047E13EFB3742349845BBBBFE99B06304F48848AE5D5455C3C79CAC94D7A9

Function 0042ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0042AD19
GetKeyboardState.USER32(?), ref: 0042AD2E
SetKeyboardState.USER32(?), ref: 0042AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0042ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0042ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0042AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0042AE38

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 612cd0ed9e4218a95ed2096ab2807b04072378a1306ccf1271e624a793cdd775
Instruction ID: 0a551b861ad9b1bd79d740023a572251006e001bf7384c692964a04d935e7980
Opcode Fuzzy Hash: 612cd0ed9e4218a95ed2096ab2807b04072378a1306ccf1271e624a793cdd775
Instruction Fuzzy Hash: 5B5128A07547E13EFB328334AC45B7BBE995B05300F48848AE5D5469C3D39CECA9D36A

Function 003F542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00403CD6,?,?,?,?,?,?,?,?,003F5BA3,?,?,00403CD6,?,?), ref: 003F5470
__fassign.LIBCMT ref: 003F54EB
__fassign.LIBCMT ref: 003F5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00403CD6,00000005,00000000,00000000), ref: 003F552C
WriteFile.KERNEL32(?,00403CD6,00000000,003F5BA3,00000000,?,?,?,?,?,?,?,?,?,003F5BA3,?), ref: 003F554B
WriteFile.KERNEL32(?,?,00000001,003F5BA3,00000000,?,?,?,?,?,?,?,?,?,003F5BA3,?), ref: 003F5584

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 50f855548d12f342c08f80353dd624734cb5698a7d76b8a5f3bdc94f815beefa
Instruction ID: 6b37036efdafaddbb8535c0b8e7e5cb2948ec3ae65bc13717193528969d730e9
Opcode Fuzzy Hash: 50f855548d12f342c08f80353dd624734cb5698a7d76b8a5f3bdc94f815beefa
Instruction Fuzzy Hash: DC51A3719007499FDB11CFA8D885AEEBBF9EF09300F14412AE656E7291D770DA41CB64

Function 003F2051 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003F20C3
_free.LIBCMT ref: 003F20E3

Strings

b, xrefs: 003F2076, 003F20B8, 003F20D8, 003F2158

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _free
String ID: b
API String ID: 269201875-2387849686
Opcode ID: 6f1956958be1d59a199c1d1a810ecaeb9d421210b1b7a9e51da6d11afd22bf5a
Instruction ID: 5cd69152ccc51ca6ba55ff12f2db9824c844c9bc8e6c2415fad1e302762a3505
Opcode Fuzzy Hash: 6f1956958be1d59a199c1d1a810ecaeb9d421210b1b7a9e51da6d11afd22bf5a
Instruction Fuzzy Hash: A141B232A00208DFCB26DF78C981A6EB7A5EF89314F164569E615EF391DB31AD01CB90

Function 004410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0044304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0044307A
Part of subcall function 0044304E: _wcslen.LIBCMT ref: 0044309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00441112
WSAGetLastError.WSOCK32 ref: 00441121
WSAGetLastError.WSOCK32 ref: 004411C9
closesocket.WSOCK32(00000000), ref: 004411F9

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 34364c4ec56b21ad74c3976a4521c3a11db6e5cf096b656767fe163c5b4288d7
Instruction ID: d35864707a6dd4a3fc40a3c7b12bf4ce3d8d91c6ad8f1496de8e15f9ae8bd738
Opcode Fuzzy Hash: 34364c4ec56b21ad74c3976a4521c3a11db6e5cf096b656767fe163c5b4288d7
Instruction Fuzzy Hash: 2141E931600204AFEB109F14C885BAAB7E9EF49355F14805AFD159B392D774ED81CBE5

Function 0042CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0042CF22,?), ref: 0042DDFD

Part of subcall function 0042DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0042CF22,?), ref: 0042DE16

lstrcmpiW.KERNEL32(?,?), ref: 0042CF45
MoveFileW.KERNEL32(?,?), ref: 0042CF7F
_wcslen.LIBCMT ref: 0042D005
_wcslen.LIBCMT ref: 0042D01B
SHFileOperationW.SHELL32(?), ref: 0042D061

Strings

\*.*, xrefs: 0042CFF3

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: db648ef9551e5f1ba3f0f5a957d87d6764310922f33f199ed2c7405fae3dd36a
Instruction ID: aa9a77f0e0f39288acc21538b1d7b9aa1604242b820da928c428d52c0fc06956
Opcode Fuzzy Hash: db648ef9551e5f1ba3f0f5a957d87d6764310922f33f199ed2c7405fae3dd36a
Instruction Fuzzy Hash: AB415771D452285EDF12EBA4DA81ADE77B8AF08340F5100E7E545EB182EB38A644CB54

Function 00452DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00452E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00452E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00452E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00452EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00452EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00452EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00452F0B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: c20ab7f9c9c8f06680d387585dd42d3cc0fbff788e8269371177d453112fd4e4
Instruction ID: 1f8fd52df8fdc990afca85fd3cb9518bc3bf33eda68b7ee3c5650b86370c3cf6
Opcode Fuzzy Hash: c20ab7f9c9c8f06680d387585dd42d3cc0fbff788e8269371177d453112fd4e4
Instruction Fuzzy Hash: 87311331604251AFDB21CF58ED86F6637E0EB9A712F140176F9009F2B2CBB5E944DB09

Function 00427726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00427769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0042778F
SysAllocString.OLEAUT32(00000000), ref: 00427792
SysAllocString.OLEAUT32(?), ref: 004277B0
SysFreeString.OLEAUT32(?), ref: 004277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004277DE
SysAllocString.OLEAUT32(?), ref: 004277EC

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 875942ec196cb70a9f61414e1da4e2c732887811d845cedfdf8f86af5cb01972
Instruction ID: b5c4e54ea9498c220bd3481b54d82bfe360453a67da3a0753f0b5d1d0e4c7ff6
Opcode Fuzzy Hash: 875942ec196cb70a9f61414e1da4e2c732887811d845cedfdf8f86af5cb01972
Instruction Fuzzy Hash: 8821B276604329AFDB10EFA8EC88CBB77ACEB493647408036F905DB251D674EC41CB68

Function 004277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00427842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00427868
SysAllocString.OLEAUT32(00000000), ref: 0042786B
SysAllocString.OLEAUT32 ref: 0042788C
SysFreeString.OLEAUT32 ref: 00427895
StringFromGUID2.OLE32(?,?,00000028), ref: 004278AF
SysAllocString.OLEAUT32(?), ref: 004278BD

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: dbe169934842590acfb38d1c3560d880a80733873a093ddfc49adfbfb96c84c2
Instruction ID: 0636e58dd36bbfa2a64f39fc935645fd5e0a6a7c46c10155607dd7bbb041638e
Opcode Fuzzy Hash: dbe169934842590acfb38d1c3560d880a80733873a093ddfc49adfbfb96c84c2
Instruction Fuzzy Hash: D8217435704224AFDB10AFA9ECC8DAB77ECEF097607508126F915CB2A1D674DC45CB68

Function 004304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0043052E

Strings

nul, xrefs: 00430567

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 0c4a41673afce055c69c84125ce80d2ba803ccc6707eaa9e0f47e7c2885c3a65
Instruction ID: 848bfa756e34d756c4fabd01336ab0c3147c884f7dcaefcc579e48eedab30f3e
Opcode Fuzzy Hash: 0c4a41673afce055c69c84125ce80d2ba803ccc6707eaa9e0f47e7c2885c3a65
Instruction Fuzzy Hash: D4216B75900305AFDB209F29DC54A9A7BA4AF48724F204B2AF8A1D62E0D774D940CF28

Function 004305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00430601

Strings

nul, xrefs: 00430639

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: faff5fce8a5b808eda29b1c829046fd7d7db9a876ccb326b6c5d3f4cd9b9262a
Instruction ID: 09bd5a427b25c01e64a5e23a341a69a4d87c588852493b27edd17f64937671de
Opcode Fuzzy Hash: faff5fce8a5b808eda29b1c829046fd7d7db9a876ccb326b6c5d3f4cd9b9262a
Instruction Fuzzy Hash: 7921A135500305AFDB209F69CC55A9B77E8BF89B20F200B1AF8A1E72E4D7749860CB18

Function 004540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003C604C
Part of subcall function 003C600E: GetStockObject.GDI32(00000011), ref: 003C6060
Part of subcall function 003C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003C606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00454112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0045411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0045412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00454139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00454145

Strings

Msctls_Progress32, xrefs: 004540E3

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 2c8db99e8ae3d41d645ed7a7fa7111b70cf87ed33b56b9638d0d67858a1e1dcb
Instruction ID: db4df97269f256cfb8a821e60e817f3f76bd8bd46736e3fa0882d02e54164589
Opcode Fuzzy Hash: 2c8db99e8ae3d41d645ed7a7fa7111b70cf87ed33b56b9638d0d67858a1e1dcb
Instruction Fuzzy Hash: 7911E6B11402197EEF119F64CC85EE77F5DEF08798F104111FA18A6150C776DC61DBA4

Function 003FD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003FD7A3: _free.LIBCMT ref: 003FD7CC

_free.LIBCMT ref: 003FD82D

Part of subcall function 003F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003FD7D1,00000000,00000000,00000000,00000000,?,003FD7F8,00000000,00000007,00000000,?,003FDBF5,00000000), ref: 003F29DE
Part of subcall function 003F29C8: GetLastError.KERNEL32(00000000,?,003FD7D1,00000000,00000000,00000000,00000000,?,003FD7F8,00000000,00000007,00000000,?,003FDBF5,00000000,00000000), ref: 003F29F0

_free.LIBCMT ref: 003FD838
_free.LIBCMT ref: 003FD843
_free.LIBCMT ref: 003FD897
_free.LIBCMT ref: 003FD8A2
_free.LIBCMT ref: 003FD8AD
_free.LIBCMT ref: 003FD8B8

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: f56d47b54762d00f076d4df3e8209037f10842f2303ff5f2ee97015daef1ffa7
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: 7E112171580B0CEAD523BFB0CC4BFEB7BDD6F05700F404825B399AE4A2DB66B5194650

Function 0042DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0042DA74
LoadStringW.USER32(00000000), ref: 0042DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0042DA91
LoadStringW.USER32(00000000), ref: 0042DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0042DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0042DAB9

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 0c7fca70ccda6148753649fda6bc583e07f66b31a9f647f77525675a135c4919
Instruction ID: 08694399e1bde986b731adeb4277caace0ea61fed58fe5a0e9fb2fba2fd4d5d9
Opcode Fuzzy Hash: 0c7fca70ccda6148753649fda6bc583e07f66b31a9f647f77525675a135c4919
Instruction Fuzzy Hash: BC0167F29003187FE71197A09DC9EEB366CE708706F404466B705E2042EA749E848F78

Function 0043096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00C1E3E0,00C1E3E0), ref: 0043097B
EnterCriticalSection.KERNEL32(00C1E3C0,00000000), ref: 0043098D
TerminateThread.KERNEL32(00C19FB0,000001F6), ref: 0043099B
WaitForSingleObject.KERNEL32(00C19FB0,000003E8), ref: 004309A9
CloseHandle.KERNEL32(00C19FB0), ref: 004309B8
InterlockedExchange.KERNEL32(00C1E3E0,000001F6), ref: 004309C8
LeaveCriticalSection.KERNEL32(00C1E3C0), ref: 004309CF

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 0d188220de1c899720dd417c098eebb166222562a4831c0fb1c856437fe4ed5d
Instruction ID: 427973373447b668ff7a4a06904bca77cf300fd9c4b68ead8c4b91967b8ed7db
Opcode Fuzzy Hash: 0d188220de1c899720dd417c098eebb166222562a4831c0fb1c856437fe4ed5d
Instruction Fuzzy Hash: CEF01D71442B02AFD7415B94EEC8BDA7A25FF05702F402126F102508A2CB74D465CF98

Function 00441C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00441DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00441DE1
WSAGetLastError.WSOCK32 ref: 00441DF2
htons.WSOCK32(?,?,?,?,?), ref: 00441EDB
inet_ntoa.WSOCK32(?), ref: 00441E8C

Part of subcall function 004239E8: _strlen.LIBCMT ref: 004239F2

Part of subcall function 00443224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0043EC0C), ref: 00443240

_strlen.LIBCMT ref: 00441F35

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 6b95503088a6072ee76fe61d6f26d3d5a4010500c771425ebcad656f36486a9a
Instruction ID: 3d923def19b294f55b82d128977747782cdee5cd136bf712b5fc3bb02a6a2cc7
Opcode Fuzzy Hash: 6b95503088a6072ee76fe61d6f26d3d5a4010500c771425ebcad656f36486a9a
Instruction Fuzzy Hash: B0B1DE71204340AFD324DF24C885F2ABBA5AF84318F54894EF4569F3A2CB35ED86CB95

Function 003F01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 003F00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003F00D6
__allrem.LIBCMT ref: 003F00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003F010B
__allrem.LIBCMT ref: 003F0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003F0140

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: b3d76673a39f61cb81dae04925355bae84dc6ede8cbbdf38f44b7627426e5320
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 11811775600B0A9FE7269F2DCC41B7AB3A8AF41724F25463AF610DA6C2EBB0D9008750

Function 003F61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003E82D9,003E82D9,?,?,?,003F644F,00000001,00000001,8BE85006), ref: 003F6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,003F644F,00000001,00000001,8BE85006,?,?,?), ref: 003F62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003F63D8
__freea.LIBCMT ref: 003F63E5

Part of subcall function 003F3820: RtlAllocateHeap.NTDLL(00000000,?,00491444,?,003DFDF5,?,?,003CA976,00000010,00491440,003C13FC,?,003C13C6,?,003C1129), ref: 003F3852

__freea.LIBCMT ref: 003F63EE
__freea.LIBCMT ref: 003F6413

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3043cbf01909bfd9997c366267ff18e67e73d3050ca890da61bef2a7b66fa98a
Instruction ID: 741d59a624f3a48276b6144645839c40c5e2d6a568333d2e22dad4874421b4ff
Opcode Fuzzy Hash: 3043cbf01909bfd9997c366267ff18e67e73d3050ca890da61bef2a7b66fa98a
Instruction Fuzzy Hash: 2D51037260021AAFDB278F64CC82EBF77A9EB55710F16462AFE05DB150DB38DC44C660

Function 0044BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

Part of subcall function 0044C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0044B6AE,?,?), ref: 0044C9B5
Part of subcall function 0044C998: _wcslen.LIBCMT ref: 0044C9F1
Part of subcall function 0044C998: _wcslen.LIBCMT ref: 0044CA68
Part of subcall function 0044C998: _wcslen.LIBCMT ref: 0044CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0044BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0044BD25
RegCloseKey.ADVAPI32(00000000), ref: 0044BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0044BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0044BDF3
RegCloseKey.ADVAPI32(?), ref: 0044BDFF

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 50aa6f1466075224c9b446772b5f5f741f6a79348631fcd0869775cf082c2b95
Instruction ID: 55f1f0eed07a94d37cac7985fd6e1a351d69462e521788c766365631b5edbbb7
Opcode Fuzzy Hash: 50aa6f1466075224c9b446772b5f5f741f6a79348631fcd0869775cf082c2b95
Instruction Fuzzy Hash: 82818D71108341AFD715DF24C885E2ABBE5FF84308F14859EF4598B2A2DB35ED45CB92

Function 0041F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0041F7B9
SysAllocString.OLEAUT32(00000001), ref: 0041F860
VariantCopy.OLEAUT32(0041FA64,00000000), ref: 0041F889
VariantClear.OLEAUT32(0041FA64), ref: 0041F8AD
VariantCopy.OLEAUT32(0041FA64,00000000), ref: 0041F8B1
VariantClear.OLEAUT32(?), ref: 0041F8BB

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 77b0d3d997fafa86c70de2e4a47fd9fe375ac2ba7676baadb076c692172b3ec0
Instruction ID: d3f90e1884d2995fe760638bf695d9e214a14ddd707a9a51dedd2eb4b9516e53
Opcode Fuzzy Hash: 77b0d3d997fafa86c70de2e4a47fd9fe375ac2ba7676baadb076c692172b3ec0
Instruction Fuzzy Hash: EA51F971510310FACF10BB65D895BA9B3A4EF45310F14446BE806DF292DB788C86CBAF

Function 0043910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 003C7620: _wcslen.LIBCMT ref: 003C7625

Part of subcall function 003C6B57: _wcslen.LIBCMT ref: 003C6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004394E5
_wcslen.LIBCMT ref: 00439506
_wcslen.LIBCMT ref: 0043952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00439585

Strings

X, xrefs: 00439412

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: e8f84376178fc37d239329a38c8df0aed99e765b4a60cdc8aeb2dc73c13558f7
Instruction ID: 1bec66071f7bbfd1978220ac23be5f2815656537a7a33bf0c4ba956b68b705e8
Opcode Fuzzy Hash: e8f84376178fc37d239329a38c8df0aed99e765b4a60cdc8aeb2dc73c13558f7
Instruction Fuzzy Hash: 09E19F716083409FC715DF24C881F6AB7E0BF89314F04896EE8899B3A2DB75ED45CB96

Function 003D920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 003D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003D9BB2

BeginPaint.USER32(?,?,?), ref: 003D9241
GetWindowRect.USER32(?,?), ref: 003D92A5
ScreenToClient.USER32(?,?), ref: 003D92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003D92D3
EndPaint.USER32(?,?,?,?,?), ref: 003D9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004171EA

Part of subcall function 003D9339: BeginPath.GDI32(00000000), ref: 003D9357

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: a6c04d2654e99f891416d906c44e39ab0dae0af4056914f75f30852ead4d3a60
Instruction ID: e1b79e58e78feec60f4684a5adfbb5a48b27e6c9cf8585690a6a54336793a0a9
Opcode Fuzzy Hash: a6c04d2654e99f891416d906c44e39ab0dae0af4056914f75f30852ead4d3a60
Instruction Fuzzy Hash: B841AD71104301AFD712DF24DC84FAA7BB8EB59721F14063BF9948B2B2C7319845DB65

Function 004307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0043080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00430847
EnterCriticalSection.KERNEL32(?), ref: 00430863
LeaveCriticalSection.KERNEL32(?), ref: 004308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00430921

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 183b8446e1b0edda705b2e8a177b550ac37ec9000f9a43007bc3f5a0f6e5033c
Instruction ID: e553f70f2c147209bd7284c8071f0641ddcf61702793e80ab7b6dadd7cff316c
Opcode Fuzzy Hash: 183b8446e1b0edda705b2e8a177b550ac37ec9000f9a43007bc3f5a0f6e5033c
Instruction Fuzzy Hash: 87414771900205AFDF15AF54DC85A6AB7B8FF08300F1441BAE9059E297DB34DE64DBA8

Function 004581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0041F3AB,00000000,?,?,00000000,?,0041682C,00000004,00000000,00000000), ref: 0045824C
EnableWindow.USER32(00000000,00000000), ref: 00458272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004582D1
ShowWindow.USER32(00000000,00000004), ref: 004582E5
EnableWindow.USER32(00000000,00000001), ref: 0045830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0045832F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d60ba009cae323ac9b1d8cb51b6644bc2bfd13f337311d7d03aa4f3ef210f96e
Instruction ID: 87bb273c2e4a9b78960cdd7b9fcbbb25bf3f3a20dd6b6e51e5451f0fe3f64de1
Opcode Fuzzy Hash: d60ba009cae323ac9b1d8cb51b6644bc2bfd13f337311d7d03aa4f3ef210f96e
Instruction Fuzzy Hash: 4D419330601645AFDB12CF15C895BA57BE0BB09716F1841BEFD089B273CF36A849CB58

Function 00424C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00424C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00424CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00424CEA
_wcslen.LIBCMT ref: 00424D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00424D10
_wcsstr.LIBVCRUNTIME ref: 00424D1A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 8455c4c9fc225aa0b231bf01972168a2b3835e36294594e2c6f75c655f819e36
Instruction ID: 76f2c724722d27d1d1eb0c2521ad23c2b926f6b1f0ffc7beffa56fc759efc6a4
Opcode Fuzzy Hash: 8455c4c9fc225aa0b231bf01972168a2b3835e36294594e2c6f75c655f819e36
Instruction Fuzzy Hash: A121D7323042207FEB165B3ABC49E7B7B9CDF85750F50403AF805CE292DA65DD0196A4

Function 0043581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 003C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003C3A97,?,?,003C2E7F,?,?,?,00000000), ref: 003C3AC2

_wcslen.LIBCMT ref: 0043587B
CoInitialize.OLE32(00000000), ref: 00435995
CoCreateInstance.OLE32(0045FCF8,00000000,00000001,0045FB68,?), ref: 004359AE
CoUninitialize.OLE32 ref: 004359CC

Strings

.lnk, xrefs: 00435876, 004358C1, 00435985

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4c6f1d4a18765b0e4aae4f249020cb4a1a813ddea6398292e7b86d8ea196273a
Instruction ID: 85eacac38c5903681dff6b1a03097f5a5a510a8ffcfeeadbe28b4be873d6ae56
Opcode Fuzzy Hash: 4c6f1d4a18765b0e4aae4f249020cb4a1a813ddea6398292e7b86d8ea196273a
Instruction Fuzzy Hash: 63D151716087019FC714EF24C480A2ABBE1FF89714F14895EF88A9B361DB36ED45CB96

Function 0042175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00420FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00420FCA
Part of subcall function 00420FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00420FD6
Part of subcall function 00420FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00420FE5
Part of subcall function 00420FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00420FEC
Part of subcall function 00420FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00421002

GetLengthSid.ADVAPI32(?,00000000,00421335), ref: 004217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004217BA
HeapAlloc.KERNEL32(00000000), ref: 004217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004217DA
GetProcessHeap.KERNEL32(00000000,00000000,00421335), ref: 004217EE
HeapFree.KERNEL32(00000000), ref: 004217F5

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 33c74de873e918d0e7372cf7baa636171ba8d335c61f828d35e8b3e330166d99
Instruction ID: 298008354b9ce9fcfe992f605c4fc0d7fe8fc0c949e48ea1fe5bf0475cde37c6
Opcode Fuzzy Hash: 33c74de873e918d0e7372cf7baa636171ba8d335c61f828d35e8b3e330166d99
Instruction Fuzzy Hash: DC11B131600715FFDB109FA4DC89BAFBBE9EB95356F50402AF44197222C739E940CB68

Function 004214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00421506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00421515
CloseHandle.KERNEL32(00000004), ref: 00421520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0042154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00421563

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0418c7a85d2cb0a6f2afb0f365493bd13f5d3758b7cc0f75f13b7bf1136b9a09
Instruction ID: ccac151368c23fb5b9ec905f9bdfbc55ea1e773237096765f9599a98cd5d4738
Opcode Fuzzy Hash: 0418c7a85d2cb0a6f2afb0f365493bd13f5d3758b7cc0f75f13b7bf1136b9a09
Instruction Fuzzy Hash: 8611477260020DAFDB119F98EE89BDA7BA9EB48745F044065FA05A2161C375CEA0DB64

Function 003E3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003E3379,003E2FE5), ref: 003E3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003E339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003E33B7
SetLastError.KERNEL32(00000000,?,003E3379,003E2FE5), ref: 003E3409

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d40ed334e56dcf16cbd5bf96ac93ae35060b46aae97dcf00ad553033a225b090
Instruction ID: 8efd274fcce8a7d39a8d7751038545a9394b59df8ea64155c0fcee4f0e44e577
Opcode Fuzzy Hash: d40ed334e56dcf16cbd5bf96ac93ae35060b46aae97dcf00ad553033a225b090
Instruction Fuzzy Hash: 9201B532609371AEA72727B77CCDA6B2A94DB067B5731033DF510871F1EF614D015A68

Function 003F2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003F5686,00403CD6,?,00000000,?,003F5B6A,?,?,?,?,?,003EE6D1,?,00488A48), ref: 003F2D78
_free.LIBCMT ref: 003F2DAB
_free.LIBCMT ref: 003F2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,003EE6D1,?,00488A48,00000010,003C4F4A,?,?,00000000,00403CD6), ref: 003F2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,003EE6D1,?,00488A48,00000010,003C4F4A,?,?,00000000,00403CD6), ref: 003F2DEC
_abort.LIBCMT ref: 003F2DF2

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: fa37a50fa5af0c25d60dfc4f980534427fabfc57907b9e6e1b025b1eb82d76ec
Instruction ID: 96e4e7f13e9dac437004c4fd0523b93612f744d07ce4142eae322d9a1300a557
Opcode Fuzzy Hash: fa37a50fa5af0c25d60dfc4f980534427fabfc57907b9e6e1b025b1eb82d76ec
Instruction Fuzzy Hash: 1AF0A431585B0DFBC6132738BC5AA7F2559AFC27A1B260529FB34961A3EF2889014564

Function 00458A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 003D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003D9693
Part of subcall function 003D9639: SelectObject.GDI32(?,00000000), ref: 003D96A2
Part of subcall function 003D9639: BeginPath.GDI32(?), ref: 003D96B9
Part of subcall function 003D9639: SelectObject.GDI32(?,00000000), ref: 003D96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00458A4E
LineTo.GDI32(?,00000003,00000000), ref: 00458A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00458A70
LineTo.GDI32(?,00000000,00000003), ref: 00458A80
EndPath.GDI32(?), ref: 00458A90
StrokePath.GDI32(?), ref: 00458AA0

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 62e16eaffd70326edb0763ca89c61dc17badf4b06537480ef247978c85d24bb5
Instruction ID: b15f496a00a628792bccc36d13d4a38d9a99d9044da8f5500a17e896bbdc0100
Opcode Fuzzy Hash: 62e16eaffd70326edb0763ca89c61dc17badf4b06537480ef247978c85d24bb5
Instruction Fuzzy Hash: 64111E7600020DFFDF129F90DC88EAA7F6CEB08351F048022BA15991A1C7719D55DF64

Function 004251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00425218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00425229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00425230
ReleaseDC.USER32(00000000,00000000), ref: 00425238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0042524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00425261

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 770f93b0996f78cbae88a28102c809095e842649feca4dfa4dc13956e036750d
Instruction ID: 257dc09178b59a103220651401f3cb437c7bd1ed3ea74135bfead7938a24a65d
Opcode Fuzzy Hash: 770f93b0996f78cbae88a28102c809095e842649feca4dfa4dc13956e036750d
Instruction Fuzzy Hash: 81014F75A00718BFEB109BA69C89A5EBFB8EB48752F044066FA04A7281D670D901CFA4

Function 003C1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 003C1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 003C1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003C1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003C1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 003C1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 003C1C22

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8ff14d435075213520999dceae0885cdf32fb6de22ece4509a266c778c0af48a
Instruction ID: fd25241413d5f7a812758b342be0c315c35ff35efd375642be06f78c27e15c0a
Opcode Fuzzy Hash: 8ff14d435075213520999dceae0885cdf32fb6de22ece4509a266c778c0af48a
Instruction Fuzzy Hash: C40167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 0042EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0042EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0042EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0042EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0042EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0042EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0042EB75

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ae0f6921c43373bfd1de3b2b13bab085673118395973953fc4bce80bdbe4c529
Instruction ID: af118f23476c2d63ca46571ff01a0db781807d2d038017c33b2455c1c055eb1a
Opcode Fuzzy Hash: ae0f6921c43373bfd1de3b2b13bab085673118395973953fc4bce80bdbe4c529
Instruction Fuzzy Hash: 1AF03072240758BFE72157529C4DEEF3E7CEFCAB12F000169F601D1192D7A09A01CAB9

Function 00417439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00417452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00417469
GetWindowDC.USER32(?), ref: 00417475
GetPixel.GDI32(00000000,?,?), ref: 00417484
ReleaseDC.USER32(?,00000000), ref: 00417496
GetSysColor.USER32(00000005), ref: 004174B0

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 9a3ff1edddf400cc2a9b68282ef1883e51d65fee6108fc6a0731f6da2134e14a
Instruction ID: b75b95e54a3f023f1c64891a0be37ea447a1d4a832dd33b42b78aec3635273ea
Opcode Fuzzy Hash: 9a3ff1edddf400cc2a9b68282ef1883e51d65fee6108fc6a0731f6da2134e14a
Instruction Fuzzy Hash: 6D012831400315FFEB515FA4DC88BEA7BB5FB04312F510175F916A21A2CB315E51EB59

Function 00421874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0042187F
UnloadUserProfile.USERENV(?,?), ref: 0042188B
CloseHandle.KERNEL32(?), ref: 00421894
CloseHandle.KERNEL32(?), ref: 0042189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004218A5
HeapFree.KERNEL32(00000000), ref: 004218AC

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 4507ace792bb98ef3ede1e6b7097a82d1c6029b89f32930a8de9359414990e46
Instruction ID: 4df49e0bb12b9ac46dc6276ed9ff430edc5371f0b08476b5f9431ca6c471e7c0
Opcode Fuzzy Hash: 4507ace792bb98ef3ede1e6b7097a82d1c6029b89f32930a8de9359414990e46
Instruction Fuzzy Hash: 8EE0C236004705BFDA016BA1ED4C90ABB69FB49B22B108230F22681472CB32A4A0DF58

Function 0042C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003C7620: _wcslen.LIBCMT ref: 003C7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0042C6EE
_wcslen.LIBCMT ref: 0042C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0042C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0042C7CA

Strings

0, xrefs: 0042C6AF

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 8ae170c46e28807783a4b9acb467ceb32bf56853d83fb5fa207069adee827c4d
Instruction ID: decb87151b1e8c5bcbc608c8d22e46b4417040964fc4605cf228c3495f110321
Opcode Fuzzy Hash: 8ae170c46e28807783a4b9acb467ceb32bf56853d83fb5fa207069adee827c4d
Instruction Fuzzy Hash: 7E51CF717043229BD7119F28E8C5B6F77E4AF89310F440A2FF995D62A0DB68DD04CB5A

Function 0044AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0044AEA3

Part of subcall function 003C7620: _wcslen.LIBCMT ref: 003C7625

GetProcessId.KERNEL32(00000000), ref: 0044AF38
CloseHandle.KERNEL32(00000000), ref: 0044AF67

Strings

@, xrefs: 0044AE72
<, xrefs: 0044AE6B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 9183c4897cde510b705d968f395f2ab851d665e3c750d38b1baf8883c4697970
Instruction ID: 96869222b1650dc8e54b28dbe7124d09284aeec7cb1335923a316c5bcfca84e2
Opcode Fuzzy Hash: 9183c4897cde510b705d968f395f2ab851d665e3c750d38b1baf8883c4697970
Instruction Fuzzy Hash: FF717670A00218DFDB11DF54C484A9EBBF0AF08300F14849EE81AAF3A2CB79ED55CB95

Function 0042719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00427206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0042723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0042724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004272CF

Strings

DllGetClassObject, xrefs: 00427242

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 1598d50ee11c9aca89b34596cdaec27a000706d81cdbf59631ab1c8663678dfa
Instruction ID: 3341b291ff6f2cd3b1e92c82081143ea83e3c6714b57bce0f84b7dac1c75a42d
Opcode Fuzzy Hash: 1598d50ee11c9aca89b34596cdaec27a000706d81cdbf59631ab1c8663678dfa
Instruction Fuzzy Hash: 02419B71A04214EFDB15CF54D884B9A7BA9EF44314F6180AEFD05DF20AD7B8D944CBA8

Function 00452F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00452F8D
LoadLibraryW.KERNEL32(?), ref: 00452F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00452FA9
DestroyWindow.USER32(?), ref: 00452FB1

Strings

SysAnimate32, xrefs: 00452F68

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 880167f70aab9959077a588923095f7b34a9a3d68524a7037b557725be67145e
Instruction ID: 8fce0cdefc4e8dd88f45f1b563e6203e5e0c62b77e9fbe42634ead3f051e8506
Opcode Fuzzy Hash: 880167f70aab9959077a588923095f7b34a9a3d68524a7037b557725be67145e
Instruction Fuzzy Hash: 3421D172204205AFEB104F64ED80FBB37B9EB5A325F10022BFD10D6292C3B5DC45A768

Function 003E4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,003E4D1E,003F28E9,?,003E4CBE,003F28E9,004888B8,0000000C,003E4E15,003F28E9,00000002), ref: 003E4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003E4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,003E4D1E,003F28E9,?,003E4CBE,003F28E9,004888B8,0000000C,003E4E15,003F28E9,00000002,00000000), ref: 003E4DC3

Strings

mscoree.dll, xrefs: 003E4D86
CorExitProcess, xrefs: 003E4D98

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 44b0beebd560c26704cdb22f69943af193c4d3df5387a14b88a948820018a32c
Instruction ID: ca18fcb1e7cb7c135926f264e40dbcea0d01e36cbc04c92def54826de6f421c6
Opcode Fuzzy Hash: 44b0beebd560c26704cdb22f69943af193c4d3df5387a14b88a948820018a32c
Instruction Fuzzy Hash: 20F04F34A40318BFDB119F91DC89BEEBBB5EF48752F0101A9F805A62A1DB749D40CB99

Function 003C4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,003C4EDD,?,00491418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003C4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003C4EAE
FreeLibrary.KERNEL32(00000000,?,?,003C4EDD,?,00491418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003C4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 003C4EA8
kernel32.dll, xrefs: 003C4E94

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 629c9d4d31ebc63620f61e9595623e102d0e2cdbd9bce6ffd9bba941cb75b364
Instruction ID: 7cfe7ef621a9d966d2ed3781d92623e0f917879ef4fd1abb27bdb9da24e89063
Opcode Fuzzy Hash: 629c9d4d31ebc63620f61e9595623e102d0e2cdbd9bce6ffd9bba941cb75b364
Instruction Fuzzy Hash: 2EE08635A02B229F92221B356C68F5F7654AF81F637070129FC00E2106DF64CD0186A8

Function 003C4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00403CDE,?,00491418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003C4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003C4E74
FreeLibrary.KERNEL32(00000000,?,?,00403CDE,?,00491418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003C4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 003C4E6E
kernel32.dll, xrefs: 003C4E5B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 2e78dbdc2b6a1ff49dda8fe32869aabaaf08951c8cf89b77d7689fd8aa5fd93c
Instruction ID: e14cd71880b13af0bf4bce3cc1c5af5f2a80ce3ed614330d906ead34745685e5
Opcode Fuzzy Hash: 2e78dbdc2b6a1ff49dda8fe32869aabaaf08951c8cf89b77d7689fd8aa5fd93c
Instruction Fuzzy Hash: 7AD01236502B216B56231B397C68F8F6A18AF85F573170629BD05E6116CF64CD01CAD8

Function 0044A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0044A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0044A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0044A468
CloseHandle.KERNEL32(?), ref: 0044A63D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: db10530e37b0f3da55a3f82bba1eea5e4313a59a3726124cbb3b4eb44608c0fc
Instruction ID: 3eec79a47161d4d008badfdda63aa2a9a92176fc20585a2552ce7f742db1d49b
Opcode Fuzzy Hash: db10530e37b0f3da55a3f82bba1eea5e4313a59a3726124cbb3b4eb44608c0fc
Instruction Fuzzy Hash: 18A1A071604300AFE721DF24D886F2AB7E5AF84714F14881DF99ADB392D774EC418B86

Function 003FBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00463700), ref: 003FBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0049121C,000000FF,00000000,0000003F,00000000,?,?), ref: 003FBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00491270,000000FF,?,0000003F,00000000,?), ref: 003FBC36
_free.LIBCMT ref: 003FBB7F

Part of subcall function 003F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003FD7D1,00000000,00000000,00000000,00000000,?,003FD7F8,00000000,00000007,00000000,?,003FDBF5,00000000), ref: 003F29DE
Part of subcall function 003F29C8: GetLastError.KERNEL32(00000000,?,003FD7D1,00000000,00000000,00000000,00000000,?,003FD7F8,00000000,00000007,00000000,?,003FDBF5,00000000,00000000), ref: 003F29F0

_free.LIBCMT ref: 003FBD4B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: f488a378eca0f1095132c7fa6021ec291631aedaf0e11912290089d00ceaf3f0
Instruction ID: ed17363dc7c0ff5a3416de6e43c3e5428b0f6c14e9f438df77971a63887be575
Opcode Fuzzy Hash: f488a378eca0f1095132c7fa6021ec291631aedaf0e11912290089d00ceaf3f0
Instruction Fuzzy Hash: 5D51C6B190020DEFCB12EF65DC819BEF7BCAB41350B1142BBE654E71A1EB709D418B54

Function 0042E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0042CF22,?), ref: 0042DDFD

Part of subcall function 0042DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0042CF22,?), ref: 0042DE16

Part of subcall function 0042E199: GetFileAttributesW.KERNEL32(?,0042CF95), ref: 0042E19A

lstrcmpiW.KERNEL32(?,?), ref: 0042E473
MoveFileW.KERNEL32(?,?), ref: 0042E4AC
_wcslen.LIBCMT ref: 0042E5EB
_wcslen.LIBCMT ref: 0042E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0042E650

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 68ad58f3e9859e9848a49da1777a63fb0998d4623f1af7e0afc56b70e6141f09
Instruction ID: 67633b6d4d42bec2811b8f1da71e2b8247225b7e704aa3d197b578f0f96b17a9
Opcode Fuzzy Hash: 68ad58f3e9859e9848a49da1777a63fb0998d4623f1af7e0afc56b70e6141f09
Instruction Fuzzy Hash: 9B51A3B25083955BC725EB91DC81ADF73DCAF84344F40492FF689D3191EF38A688876A

Function 0044B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

Part of subcall function 0044C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0044B6AE,?,?), ref: 0044C9B5
Part of subcall function 0044C998: _wcslen.LIBCMT ref: 0044C9F1
Part of subcall function 0044C998: _wcslen.LIBCMT ref: 0044CA68
Part of subcall function 0044C998: _wcslen.LIBCMT ref: 0044CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0044BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0044BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0044BB63
RegCloseKey.ADVAPI32(?,?), ref: 0044BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0044BBB3

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 9d1cc68ab48d02593cd5b32dfc5e385683f43f8440a64a86f6a2f2e083587df8
Instruction ID: d053a57e62fcf92161ee09459ff61470096e05158bcde0094dfc53f696d8f906
Opcode Fuzzy Hash: 9d1cc68ab48d02593cd5b32dfc5e385683f43f8440a64a86f6a2f2e083587df8
Instruction Fuzzy Hash: 41618F31208241AFE715DF14C895F2ABBE5FF84308F14855EF4998B2A2DB35ED45CB92

Function 00428BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00428BCD
VariantClear.OLEAUT32 ref: 00428C3E
VariantClear.OLEAUT32 ref: 00428C9D
VariantClear.OLEAUT32(?), ref: 00428D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00428D3B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 697acf31dbf21a218faa1cae4d0967d1123ca8da4609c7da37cfa15f3e165eb9
Instruction ID: c17ac98989aeaeeead1dab5aff33071760fb347ceb49d431713ee9635461fb98
Opcode Fuzzy Hash: 697acf31dbf21a218faa1cae4d0967d1123ca8da4609c7da37cfa15f3e165eb9
Instruction Fuzzy Hash: 845179B1A01219EFDB10CF68D884AAAB7F8FF89310B15856AE905DB350E734E911CF94

Function 00438AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00438BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00438BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00438C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00438C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00438C5F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: a605b3b35c0a7fda66bf79d8b20b19e2510ec6a2f880ba17eb2c3eaf8b6fc3d6
Instruction ID: 850e317b2bdd6e5c1518ddb0ac57f6f69ce6302bd1c9ce6d818e86eec64bd4e6
Opcode Fuzzy Hash: a605b3b35c0a7fda66bf79d8b20b19e2510ec6a2f880ba17eb2c3eaf8b6fc3d6
Instruction Fuzzy Hash: 1D513835A002159FCB01DF64C881E6ABBF5FF49314F088099F849AB362CB35ED51CB94

Function 00448EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00448F40
GetProcAddress.KERNEL32(00000000,?), ref: 00448FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00448FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00449032
FreeLibrary.KERNEL32(00000000), ref: 00449052

Part of subcall function 003DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00431043,?,761DE610), ref: 003DF6E6
Part of subcall function 003DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0041FA64,00000000,00000000,?,?,00431043,?,761DE610,?,0041FA64), ref: 003DF70D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: a38ea682757994714fb132949e723ca2886cf155e48b6e2e375af1e565f28be6
Instruction ID: 6c091a375204795b8443523ded9511720bfd6407dba790071126741d824f5b84
Opcode Fuzzy Hash: a38ea682757994714fb132949e723ca2886cf155e48b6e2e375af1e565f28be6
Instruction Fuzzy Hash: E45136356006059FD711DF68C484DAEBBB1FF49314B0580AAE80A9B362DB35ED86CB95

Function 00456B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00456C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00456C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00456C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0043AB79,00000000,00000000), ref: 00456C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00456CC7

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: babf0cddcf7c28b1aace443e913c284aafd4fd445862a10752642cfc47d0ed57
Instruction ID: 424879bd973e6c3758ac39a6a800e3fe6407e79aadf29fc82fe01210f2602b4b
Opcode Fuzzy Hash: babf0cddcf7c28b1aace443e913c284aafd4fd445862a10752642cfc47d0ed57
Instruction Fuzzy Hash: 14411D35604214AFD726CF28CC54FAA7BA4EB09351F96022AFC95E73E2C375ED45CA48

Function 003D912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 003D9141
ScreenToClient.USER32(00000000,?), ref: 003D915E
GetAsyncKeyState.USER32(00000001), ref: 003D9183
GetAsyncKeyState.USER32(00000002), ref: 003D919D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 70ae9d93ad8aae42742f6f3a4d77c22d2a86753198d97f41e44049bfebe192b7
Instruction ID: 46f084a99532293e6e747de6de269383215aa112e73dc8d852404420f185aa60
Opcode Fuzzy Hash: 70ae9d93ad8aae42742f6f3a4d77c22d2a86753198d97f41e44049bfebe192b7
Instruction Fuzzy Hash: 51417F31A0861AFBDF0A9F64D844BEEB774FB05324F20822BE425A7391C7746994CB95

Function 00433874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00433922
TranslateMessage.USER32(?), ref: 0043394B
DispatchMessageW.USER32(?), ref: 00433955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00433966

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 1ca466c58f6b8959523fe33356393f587c9155c24969457f389b47af9ca9804a
Instruction ID: d9fd4c277235513052822504b63a144e615445cf2e6f44c23c9ccfc402287a9a
Opcode Fuzzy Hash: 1ca466c58f6b8959523fe33356393f587c9155c24969457f389b47af9ca9804a
Instruction Fuzzy Hash: F731B5B0504346EEEB35DF359849BB73BA8AF1D306F04157BE452862A0E3B89685CB19

Function 0043CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0043CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0043CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0043C21E,00000000), ref: 0043CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0043C21E,00000000), ref: 0043CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0043C21E,00000000), ref: 0043CFF2

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 17a84f0bf6094b4d695f4c1baf4ece167a9ef2b26716edefdcd2941b975daec8
Instruction ID: e391a42879818a4c202140d907d665e016550a5f1269b724f109b7e6f97e8569
Opcode Fuzzy Hash: 17a84f0bf6094b4d695f4c1baf4ece167a9ef2b26716edefdcd2941b975daec8
Instruction Fuzzy Hash: 53315A71900305AFDB20DFA5D8C49ABBBFAEB08315F10442FF506E6281DB34EE419B68

Function 00421901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00421915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004219E2

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a3f279a8bb8050716238d825b0724a81f1dc1a453f3b4a957bfea916a46de54d
Instruction ID: 7bd9a941908522a15be6a7c0d0301f4aecf737e337917b266914bec01249fc9e
Opcode Fuzzy Hash: a3f279a8bb8050716238d825b0724a81f1dc1a453f3b4a957bfea916a46de54d
Instruction Fuzzy Hash: 7731B3B1A00229EFCB00CFA8DD99ADE7BB5EB14315F104226F921A72E1C774D954CB94

Function 00455706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00455745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0045579D
_wcslen.LIBCMT ref: 004557AF
_wcslen.LIBCMT ref: 004557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00455816

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 4e7e12a8653f2b8318eeeedd92b866b7a1fd0149559cd2592ede777415098c3a
Instruction ID: 8c237fbbe15825d16c6c277e074b365d6f326072e232053ec2d9629cfbbcdb7c
Opcode Fuzzy Hash: 4e7e12a8653f2b8318eeeedd92b866b7a1fd0149559cd2592ede777415098c3a
Instruction Fuzzy Hash: 892184759046189ADB21DFA0CC84AFE77B8FF05326F104227ED19EA282D7788989CF54

Function 00440930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00440951
GetForegroundWindow.USER32 ref: 00440968
GetDC.USER32(00000000), ref: 004409A4
GetPixel.GDI32(00000000,?,00000003), ref: 004409B0
ReleaseDC.USER32(00000000,00000003), ref: 004409E8

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 785799f77482ffa58320d1a458bfa8d6071fee8fa98b8f8709a744a54b5e69f5
Instruction ID: 6a382a76491d01c3da7414e99821975d68cd6d9c43a4ba1ef98d9ae45e3053e1
Opcode Fuzzy Hash: 785799f77482ffa58320d1a458bfa8d6071fee8fa98b8f8709a744a54b5e69f5
Instruction Fuzzy Hash: 08215B75600214AFD704EF65C985AAEBBE9EF49701F04846DE84AD7762CA34ED04CB94

Function 003FCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 003FCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003FCDE9

Part of subcall function 003F3820: RtlAllocateHeap.NTDLL(00000000,?,00491444,?,003DFDF5,?,?,003CA976,00000010,00491440,003C13FC,?,003C13C6,?,003C1129), ref: 003F3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 003FCE0F
_free.LIBCMT ref: 003FCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003FCE31

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: c0ab67909768eaaa54d42c8f180454a6a1844a21b0190a7e2aac0d8a448ded2f
Instruction ID: 29b67079cc62e1a6ab736b17fb07562cf930c834cb0fb8203be6a1314f3634f1
Opcode Fuzzy Hash: c0ab67909768eaaa54d42c8f180454a6a1844a21b0190a7e2aac0d8a448ded2f
Instruction Fuzzy Hash: 70012472A5131D7F632216B66D88CBB696CEEC2BA23161129FE00C7201EA60CD0181F0

Function 003D9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003D9693
SelectObject.GDI32(?,00000000), ref: 003D96A2
BeginPath.GDI32(?), ref: 003D96B9
SelectObject.GDI32(?,00000000), ref: 003D96E2

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4470e911f34eaa9502cec1697749a796c9252ce5d42785e3cdb2b6dfc2e24415
Instruction ID: 2fb4511f0dcc76f22062f67b04ee6217b25c8d63e60a5d76f185adb06248b017
Opcode Fuzzy Hash: 4470e911f34eaa9502cec1697749a796c9252ce5d42785e3cdb2b6dfc2e24415
Instruction Fuzzy Hash: 702183B1802306EFDB129F64EC447A93B78BB60765F104237F410A62B1D370D891CF98

Function 00425711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00425726
_memcmp.LIBVCRUNTIME ref: 00425744
_memcmp.LIBVCRUNTIME ref: 00425757
_memcmp.LIBVCRUNTIME ref: 0042576F
_memcmp.LIBVCRUNTIME ref: 00425787

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6bd81eaa2e8cb5d742e76b8c830346c7d546746a167ece4978093409e5f04e98
Instruction ID: 281e192a6a05759914793b54476fa48d041eaeb8ad5cf232a11a2e2595ffdfd5
Opcode Fuzzy Hash: 6bd81eaa2e8cb5d742e76b8c830346c7d546746a167ece4978093409e5f04e98
Instruction Fuzzy Hash: B801D675781665BAD2099511AD42FBB634C9BA03A5F900032FD049E782F638FD1582AA

Function 003F2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,003EF2DE,003F3863,00491444,?,003DFDF5,?,?,003CA976,00000010,00491440,003C13FC,?,003C13C6), ref: 003F2DFD
_free.LIBCMT ref: 003F2E32
_free.LIBCMT ref: 003F2E59
SetLastError.KERNEL32(00000000,003C1129), ref: 003F2E66
SetLastError.KERNEL32(00000000,003C1129), ref: 003F2E6F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 343d31f33193cb6fe68c94f68d08d06f52227efaac905a9e2338b4526706e3df
Instruction ID: 3994029791b85eca5d17be984b5cd70417def35475c7336b8cff95265981ff1f
Opcode Fuzzy Hash: 343d31f33193cb6fe68c94f68d08d06f52227efaac905a9e2338b4526706e3df
Instruction Fuzzy Hash: 5A01F93224570CFBC61327746C85D3F195DABE17617310539FB2196193EB74CC014120

Function 0042000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0041FF41,80070057,?,?,?,0042035E), ref: 0042002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0041FF41,80070057,?,?), ref: 00420046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0041FF41,80070057,?,?), ref: 00420054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0041FF41,80070057,?), ref: 00420064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0041FF41,80070057,?,?), ref: 00420070

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: daa5c3a47a90901e15d978bdedd45611216c27580b54cee4f6c2bcfeb4fa62b4
Instruction ID: e9284e259f2fcbe1b0a264c2dbbeb83fa5ec969deae074a084b97e86d58c28c1
Opcode Fuzzy Hash: daa5c3a47a90901e15d978bdedd45611216c27580b54cee4f6c2bcfeb4fa62b4
Instruction Fuzzy Hash: F2018F72700324BFEB105F68FC84BAA7AEDEB44753F144125F905D2222E779DD408BA8

Function 0042E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0042E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0042E9A5
Sleep.KERNEL32(00000000), ref: 0042E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0042E9B7
Sleep.KERNEL32 ref: 0042E9F3

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2b6b8e9a11d3d9437b00b3dab22bc6d00710193bad68a4b1f0208acc73c37290
Instruction ID: c7dd1e620f507a1f366167603c350ac56fa5f5bfb3644ba881add049f4b7edac
Opcode Fuzzy Hash: 2b6b8e9a11d3d9437b00b3dab22bc6d00710193bad68a4b1f0208acc73c37290
Instruction Fuzzy Hash: 9E018B71D00639DBCF00ABE6E9896DEBB78BB09301F400167E502B2241CB788581CBAA

Function 004210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00421114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00420B9B,?,?,?), ref: 00421120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00420B9B,?,?,?), ref: 0042112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00420B9B,?,?,?), ref: 00421136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0042114D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cc13a86baee97c0edc8667929f9180fc69fafe63abe3aa719128640ab77f8b19
Instruction ID: 333d7cbc693fe206e6f158e18e1bc101bb7112e9d762e0a7f7b4c2b36df9f47c
Opcode Fuzzy Hash: cc13a86baee97c0edc8667929f9180fc69fafe63abe3aa719128640ab77f8b19
Instruction Fuzzy Hash: 98016975200315BFDB114FA4EC89A6B3FAEEF893A1B200429FA41D3361EA31DC10CE64

Function 00420FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00420FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00420FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00420FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00420FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00421002

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f5fb7f58e62dda0037474a3006ca9efe627266bdf182737c267e6211f0782183
Instruction ID: 91638b364035e261986e0b0a9f8e4b1e6f1786e20bbdf378db733483396d3a5a
Opcode Fuzzy Hash: f5fb7f58e62dda0037474a3006ca9efe627266bdf182737c267e6211f0782183
Instruction Fuzzy Hash: 5AF0AF35200315AFDB210FA5AC89F5B3BADEF89762F500425F905D62A2CA30DC40CA64

Function 00421014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0042102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00421036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00421045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0042104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00421062

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5c3ac39260f9a4c7556d0bea2783441443e079b734029f6a8ab5e770dc453550
Instruction ID: 112b0af1934404e99b1806531a09bb79e1207b411940331c44549fcf105fc29e
Opcode Fuzzy Hash: 5c3ac39260f9a4c7556d0bea2783441443e079b734029f6a8ab5e770dc453550
Instruction Fuzzy Hash: 65F0C235200315EFDB211FA5EC88F5B3BADEF89762F100425F905D72A1CA30D880CA64

Function 0043030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0043017D,?,004332FC,?,00000001,00402592,?), ref: 00430324
CloseHandle.KERNEL32(?,?,?,?,0043017D,?,004332FC,?,00000001,00402592,?), ref: 00430331
CloseHandle.KERNEL32(?,?,?,?,0043017D,?,004332FC,?,00000001,00402592,?), ref: 0043033E
CloseHandle.KERNEL32(?,?,?,?,0043017D,?,004332FC,?,00000001,00402592,?), ref: 0043034B
CloseHandle.KERNEL32(?,?,?,?,0043017D,?,004332FC,?,00000001,00402592,?), ref: 00430358
CloseHandle.KERNEL32(?,?,?,?,0043017D,?,004332FC,?,00000001,00402592,?), ref: 00430365

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fdbedd68a512982f90b9148781f23079a8762764cf4d30d2922d552f668fb1e4
Instruction ID: 07fdb5c93691d2fbabc12141b00afcdfd8548844f425956ab26ea3a9709bea85
Opcode Fuzzy Hash: fdbedd68a512982f90b9148781f23079a8762764cf4d30d2922d552f668fb1e4
Instruction Fuzzy Hash: A001D872800B058FCB30AF66D8A0813FBF9BF602053149A3FD19252A31C3B4A988CE84

Function 003FD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003FD752

Part of subcall function 003F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003FD7D1,00000000,00000000,00000000,00000000,?,003FD7F8,00000000,00000007,00000000,?,003FDBF5,00000000), ref: 003F29DE
Part of subcall function 003F29C8: GetLastError.KERNEL32(00000000,?,003FD7D1,00000000,00000000,00000000,00000000,?,003FD7F8,00000000,00000007,00000000,?,003FDBF5,00000000,00000000), ref: 003F29F0

_free.LIBCMT ref: 003FD764
_free.LIBCMT ref: 003FD776
_free.LIBCMT ref: 003FD788
_free.LIBCMT ref: 003FD79A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d09b5a291ad588180a46fb7109ca9abde10f11e4981014e808aa6b57f80d54bc
Instruction ID: c477b5ace397bfd2bfb7cb0ed4b8b0062afa9cf774555f1e221aa202ab5d5c82
Opcode Fuzzy Hash: d09b5a291ad588180a46fb7109ca9abde10f11e4981014e808aa6b57f80d54bc
Instruction Fuzzy Hash: C3F03C7258020DAB8622FB64F9C9C2B77DEBB053107A50C19F648EB511C730FC808674

Function 00425C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00425C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00425C6F
MessageBeep.USER32(00000000), ref: 00425C87
KillTimer.USER32(?,0000040A), ref: 00425CA3
EndDialog.USER32(?,00000001), ref: 00425CBD

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2b7c82f6691d096926ed17cecae52ca96314d3b3ae0b137f45620092b13ae085
Instruction ID: 6e595a28571501efdf656b007ad757360c4ac7ab0cbb037c444693b28005dfc6
Opcode Fuzzy Hash: 2b7c82f6691d096926ed17cecae52ca96314d3b3ae0b137f45620092b13ae085
Instruction Fuzzy Hash: 47018B306007149FFB215B11ED8EF9677B8BF04706F40056AA543A14E1E7F4AA448B59

Function 003F22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003F22BE

Part of subcall function 003F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003FD7D1,00000000,00000000,00000000,00000000,?,003FD7F8,00000000,00000007,00000000,?,003FDBF5,00000000), ref: 003F29DE
Part of subcall function 003F29C8: GetLastError.KERNEL32(00000000,?,003FD7D1,00000000,00000000,00000000,00000000,?,003FD7F8,00000000,00000007,00000000,?,003FDBF5,00000000,00000000), ref: 003F29F0

_free.LIBCMT ref: 003F22D0
_free.LIBCMT ref: 003F22E3
_free.LIBCMT ref: 003F22F4
_free.LIBCMT ref: 003F2305

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 56fed80fecd54b911019bb9630d05a415c6bb61b67edeafd035e3281980f3895
Instruction ID: db97cd83884bc77e516218c18ada563f159f4a7aacb542a3e3079225898f6f2d
Opcode Fuzzy Hash: 56fed80fecd54b911019bb9630d05a415c6bb61b67edeafd035e3281980f3895
Instruction Fuzzy Hash: CEF03A71880126DB8613BF54BC4582E3B64BB29761701097BF514EB2B5C7B10921ABAC

Function 003D95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003D95D4
StrokeAndFillPath.GDI32(?,?,004171F7,00000000,?,?,?), ref: 003D95F0
SelectObject.GDI32(?,00000000), ref: 003D9603
DeleteObject.GDI32 ref: 003D9616
StrokePath.GDI32(?), ref: 003D9631

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 65af5971788ebe4f0b681241750e715b26e343aa50427f54fa7d3d89ab32f3d3
Instruction ID: 0b561a70530054bc2b529407d870676b493fd10dc1797f2026f2ba471131f4bf
Opcode Fuzzy Hash: 65af5971788ebe4f0b681241750e715b26e343aa50427f54fa7d3d89ab32f3d3
Instruction Fuzzy Hash: 80F0147200670AEFDB235F69ED58B683B65AB213A2F048236F425591F1C7358A91DF28

Function 003F0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 003F10F9
__freea.LIBCMT ref: 003F1117

Part of subcall function 003F1537: _free.LIBCMT ref: 003F154F

Strings

am/pm, xrefs: 003F117A
a/p, xrefs: 003F11DE

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4042d20ec92d9b6d1f27134a50df5f20f706e02b090c2d788002b91d6498355a
Instruction ID: 17eac1b879943ee6130d0242df9e1521ede16659c0f1de17e5509692f26e58de
Opcode Fuzzy Hash: 4042d20ec92d9b6d1f27134a50df5f20f706e02b090c2d788002b91d6498355a
Instruction Fuzzy Hash: 9FD1393990020EDADB2B9F68E855BFEB7B5FF05300F2A011AE7019BA51D7759D80CB51

Function 004461D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 003E0242: EnterCriticalSection.KERNEL32(0049070C,00491884,?,?,003D198B,00492518,?,?,?,003C12F9,00000000), ref: 003E024D
Part of subcall function 003E0242: LeaveCriticalSection.KERNEL32(0049070C,?,003D198B,00492518,?,?,?,003C12F9,00000000), ref: 003E028A

Part of subcall function 003E00A3: __onexit.LIBCMT ref: 003E00A9

__Init_thread_footer.LIBCMT ref: 00446238

Part of subcall function 003E01F8: EnterCriticalSection.KERNEL32(0049070C,?,?,003D8747,00492514), ref: 003E0202
Part of subcall function 003E01F8: LeaveCriticalSection.KERNEL32(0049070C,?,003D8747,00492514), ref: 003E0235

Part of subcall function 0043359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004335E4
Part of subcall function 0043359C: LoadStringW.USER32(00492390,?,00000FFF,?), ref: 0043360A

Strings

x#I, xrefs: 0044636F
x#I, xrefs: 00446353
x#I, xrefs: 0044633A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#I$x#I$x#I
API String ID: 1072379062-1262894913
Opcode ID: 0f0805228cddabfb18ba84d3382d89dee6e02df6c26b8bcd083b8fc185e8ea69
Instruction ID: 834d0d82f5dfd1a7e7a0c73289a46a8eebaa15f973034fbe6ceaccb5ca9669c7
Opcode Fuzzy Hash: 0f0805228cddabfb18ba84d3382d89dee6e02df6c26b8bcd083b8fc185e8ea69
Instruction Fuzzy Hash: 88C1AC71A00105AFDB15EF98D880EBEB7B9FF49300F11806AE905AB291DB74ED45CB95

Function 003F8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 003F8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 003F8B7A
__dosmaperr.LIBCMT ref: 003F8B81

Strings

.>, xrefs: 003F8A63

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .>
API String ID: 2434981716-1757889381
Opcode ID: e23da81a288c0f2c3e479168a7f9582efffac53c02c396807cf192dc569a506f
Instruction ID: a5fd5d7addcbdbc6db1e85eee248180facddc71ff5e2a52127dc4e2f5b1867d4
Opcode Fuzzy Hash: e23da81a288c0f2c3e479168a7f9582efffac53c02c396807cf192dc569a506f
Instruction Fuzzy Hash: E741CF7160414DAFDB2B9F28DC85A7D7FA5DF85300F2885AAFA848B642DE31CC028794

Function 00422716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004221D0,?,?,00000034,00000800,?,00000034), ref: 0042B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00422760

Part of subcall function 0042B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0042B3F8

Part of subcall function 0042B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0042B355
Part of subcall function 0042B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00422194,00000034,?,?,00001004,00000000,00000000), ref: 0042B365
Part of subcall function 0042B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00422194,00000034,?,?,00001004,00000000,00000000), ref: 0042B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0042281A

Strings

@, xrefs: 00422832

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e3ec30aab04c85c718a6c3bf184c1aada9c820cf15491bc90d0cfe1e08ae3df0
Instruction ID: e03d69a585777ff96aca98e6f43215e17b16e5ee86bc9004bd2604fde8b1fe8d
Opcode Fuzzy Hash: e3ec30aab04c85c718a6c3bf184c1aada9c820cf15491bc90d0cfe1e08ae3df0
Instruction Fuzzy Hash: 8A413E72A00228BFDB11DFA4DD81ADEBBB8EF05304F00405AFA55B7181DB74AE45CBA4

Function 003F172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\NEW ORDER.exe,00000104), ref: 003F1769
_free.LIBCMT ref: 003F1834
_free.LIBCMT ref: 003F183E

Strings

C:\Users\user\Desktop\NEW ORDER.exe, xrefs: 003F1760, 003F1767, 003F1796, 003F17CE

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\NEW ORDER.exe
API String ID: 2506810119-2458017483
Opcode ID: b8cd7ec3aab0a5c159ac0c10b004310d83a6924726c06d3c4ac7c74011fde16c
Instruction ID: 7c64a58c494eea9f9788fbc1f1c834bb8d09ec5816e6d3e7865b5139f063f84b
Opcode Fuzzy Hash: b8cd7ec3aab0a5c159ac0c10b004310d83a6924726c06d3c4ac7c74011fde16c
Instruction Fuzzy Hash: A7319371A4021CEFCB22EB99A985DAEBBBCEB95350F1041B6E6049B211D7B04A44CB90

Function 0042C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0042C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0042C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00491990,00C28270), ref: 0042C395

Strings

0, xrefs: 0042C2DF

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: feead95433365523c8d96f3776b3f673bcc4f49e7542c57068bd426530db2ded
Instruction ID: 552860444ed9649ebd5aa6855af7e6ce0c605ca456dac255a6d4c8ae5ef3f3bb
Opcode Fuzzy Hash: feead95433365523c8d96f3776b3f673bcc4f49e7542c57068bd426530db2ded
Instruction Fuzzy Hash: 8141BF312043519FD720DF25E884B5FBBE4AF85314F408A5EF8A5972D1D774E904CB5A

Function 00454416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0045CC08,00000000,?,?,?,?), ref: 004544AA
GetWindowLongW.USER32 ref: 004544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004544D7

Strings

SysTreeView32, xrefs: 0045447C

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: f451008a3ff3f963c3232b28a73ec55586b74d0d656912ee0bdd161ab01adb66
Instruction ID: 41fb6865aabe79a9287f82f045c64a08580738c2b666bfef4f8ec1218f70dc20
Opcode Fuzzy Hash: f451008a3ff3f963c3232b28a73ec55586b74d0d656912ee0bdd161ab01adb66
Instruction Fuzzy Hash: F131DE31240209AFDF218E38DC45BDB37A9EB49329F204326FD35A62D2D734EC949754

Function 00426E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00426EED
VariantCopyInd.OLEAUT32(?,?), ref: 00426F08
VariantClear.OLEAUT32(?), ref: 00426F12

Strings

*jB, xrefs: 00426E8B, 00426E90, 00426EF8

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jB
API String ID: 2173805711-3445340597
Opcode ID: c8661fc62a22179146ab4968f4b0cfe89f8a0fbec9e980c0851d52c1a22c03cb
Instruction ID: 32bb2e0abfb745b4d34e089373926fdd72318d8f86d978c4e24f0ce3870d4584
Opcode Fuzzy Hash: c8661fc62a22179146ab4968f4b0cfe89f8a0fbec9e980c0851d52c1a22c03cb
Instruction Fuzzy Hash: CC31AF72704215DFCF05AF64E9919BE7775EF45300F5204AAF8068B3A1CB389D12DB99

Function 0044304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0044335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00443077,?,?), ref: 00443378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0044307A
_wcslen.LIBCMT ref: 0044309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00443106

Strings

255.255.255.255, xrefs: 00443095, 0044309A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 601a784b45014084af8ba6465c531faa635808df3113e20af10278f5844fa27e
Instruction ID: 221736b230c5e124346a6d7a5c28fb17a75c7d30f4625bfc6dd1fa99ecec7779
Opcode Fuzzy Hash: 601a784b45014084af8ba6465c531faa635808df3113e20af10278f5844fa27e
Instruction Fuzzy Hash: AC310735200201DFEB10CF28C485E6A77E0EF14719F24819AE9158F393DB39EE41C765

Function 00454653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00454705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00454713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0045471A

Strings

msctls_updown32, xrefs: 00454684

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: fdf83c38ac0ba9f3d7924d6beb1f68742898454a2021a4cb3e3813f71fe445eb
Instruction ID: 7e710f076a51dfadb1e08aea62fc677b5c1d72d9aeddc856a3c79bd9480a9cec
Opcode Fuzzy Hash: fdf83c38ac0ba9f3d7924d6beb1f68742898454a2021a4cb3e3813f71fe445eb
Instruction Fuzzy Hash: CF2192B5600209AFDB11DF64DCC1DAB37ADEB9A359B00045AFA009B3A2CB34EC55CB64

Function 004295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0042961D

Strings

#OnAutoItStartRegister, xrefs: 004295F3
#requireadmin, xrefs: 004295D9
#notrayicon, xrefs: 004295B7

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: efa2ea2cc2ee4090b6c9fe706b5e6dd208b79d13f7fdbc1331b8ce36f456afb0
Instruction ID: e8dee6c19fe8d2261e125ad04223dc7fe49cbc979b06b63b86462c20abe25932
Opcode Fuzzy Hash: efa2ea2cc2ee4090b6c9fe706b5e6dd208b79d13f7fdbc1331b8ce36f456afb0
Instruction Fuzzy Hash: C7213B3230413066D332BB25AC02FB773D89FA5300F94402BFD49DB281EB59AD85C39A

Function 004537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00453840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00453850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00453876

Strings

Listbox, xrefs: 0045380F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 11c952a65d74e90e4d0da9f140a4dfbc577601d2ea05dc9c3b144e536966ee47
Instruction ID: c4a20b29a96ff200b089904a4c508c461f0df73cd7d921fb2bbf2ce94211cf9b
Opcode Fuzzy Hash: 11c952a65d74e90e4d0da9f140a4dfbc577601d2ea05dc9c3b144e536966ee47
Instruction Fuzzy Hash: 0121F5726002187FEF119F54CC81FBB37AEEF89792F108125F9009B291C675DC1287A4

Function 004349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00434A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00434A5C
SetErrorMode.KERNEL32(00000000,?,?,0045CC08), ref: 00434AD0

Strings

%lu, xrefs: 00434A6F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 8a5c12544b0a2d1d74b99c3cd983ef020053e927864f226a721ac87f5ac79772
Instruction ID: dbba5d8e857e326e1c007bb638bd9298cfdd18d3a871664881767d03e94a7b34
Opcode Fuzzy Hash: 8a5c12544b0a2d1d74b99c3cd983ef020053e927864f226a721ac87f5ac79772
Instruction Fuzzy Hash: 23316D71A00208AFD711DF54C885EAA7BA8EF48308F1480AAF805DB252D775ED45CB65

Function 004541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0045424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00454264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00454271

Strings

msctls_trackbar32, xrefs: 00454226

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 883fbbb1794021b55b526210394949e0e5bf2a5387535643b6dd322db5557e2d
Instruction ID: 010509201e510ea1d41381d538abaffe33b78487da069cb5c4728bc3e351223b
Opcode Fuzzy Hash: 883fbbb1794021b55b526210394949e0e5bf2a5387535643b6dd322db5557e2d
Instruction Fuzzy Hash: E4112331240208BEEF205E29CC06FAB3BACEFC5B69F110129FA41E61A1C275DC519B28

Function 00422F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003C6B57: _wcslen.LIBCMT ref: 003C6B6A

Part of subcall function 00422DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00422DC5
Part of subcall function 00422DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00422DD6
Part of subcall function 00422DA7: GetCurrentThreadId.KERNEL32 ref: 00422DDD
Part of subcall function 00422DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00422DE4

GetFocus.USER32 ref: 00422F78

Part of subcall function 00422DEE: GetParent.USER32(00000000), ref: 00422DF9

GetClassNameW.USER32(?,?,00000100), ref: 00422FC3
EnumChildWindows.USER32(?,0042303B), ref: 00422FEB

Strings

%s%d, xrefs: 00422FFF

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: b511811970cf5b9b5452d41b75c4872a6f393a8eac33d6aed6d01a860cc7276e
Instruction ID: 410a772ed6c43d98f81bd6a9014ef1b121b0ad8e0e31554f9b2752ec833dbb7c
Opcode Fuzzy Hash: b511811970cf5b9b5452d41b75c4872a6f393a8eac33d6aed6d01a860cc7276e
Instruction Fuzzy Hash: DD11D2713002156BCF01BF71ACD6FEE37AAAF84305F44407AB9099B252DE789E498B74

Function 00455882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004558EE
DrawMenuBar.USER32(?), ref: 004558FD

Strings

0, xrefs: 0045588F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: c063fdd28f1c524bf9ada7e499d1c8e272624ea3b3c190dc3a75109b67ef3a9c
Instruction ID: dd5b92139ca64712db794edd8a087a53c3870fde3a36157020ed24cec943c5c3
Opcode Fuzzy Hash: c063fdd28f1c524bf9ada7e499d1c8e272624ea3b3c190dc3a75109b67ef3a9c
Instruction Fuzzy Hash: 31018871500218EFDB119F51DC44BAFBBB4FF45362F1080A6E849D6252DB348A98DF65

Function 0041D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0041D3BF
FreeLibrary.KERNEL32 ref: 0041D3E5

Strings

X64, xrefs: 0041D2A8
GetSystemWow64DirectoryW, xrefs: 0041D3B9

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 063e11048a64a2348a0d3dfc192aadb8b4873dd6b12d70c539cc3ebea077279f
Instruction ID: 675180d3adc94dcd05385d437d231b48652707cc2fc01bc5bc17e25c54d46693
Opcode Fuzzy Hash: 063e11048a64a2348a0d3dfc192aadb8b4873dd6b12d70c539cc3ebea077279f
Instruction Fuzzy Hash: 71F0ECB5C05B259FD77512105CD4AEA3314AF11702F6485A7EC12F1209D77CCDC5869F

Function 0042007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24c099ba001d8d1cf9d950262748ea1de22c4d092e00961d9936fbbb143a52e
Instruction ID: 5fb32ca9f2d80a8d889a2990fc6f1008236225ccdcf488ccacc62e784bdad601
Opcode Fuzzy Hash: f24c099ba001d8d1cf9d950262748ea1de22c4d092e00961d9936fbbb143a52e
Instruction Fuzzy Hash: 68C16C75A0021AEFDB14CF94D894AAEB7F5FF48304F50859AE805EB252C735ED42CB94

Function 0044342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00443459
CoUninitialize.OLE32 ref: 00443463
VariantInit.OLEAUT32(?), ref: 0044346E
VariantClear.OLEAUT32(?), ref: 0044371B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 0d505a16372d25d133cd6c8c945646953b48ee4033570227b3e407a1e182d34c
Instruction ID: 21a62102ccffa59cfaa7e7ebfdcca7d57651ed37d88c87ff0617221b1794d878
Opcode Fuzzy Hash: 0d505a16372d25d133cd6c8c945646953b48ee4033570227b3e407a1e182d34c
Instruction Fuzzy Hash: 8AA137752043009FD711DF28C485A2AB7E5EF89715F04885EF98A9B362DB35EE01CB56

Function 00420436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0045FC08,?), ref: 004205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0045FC08,?), ref: 00420608
CLSIDFromProgID.OLE32(?,?,00000000,0045CC40,000000FF,?,00000000,00000800,00000000,?,0045FC08,?), ref: 0042062D
_memcmp.LIBVCRUNTIME ref: 0042064E

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: f04e90774c1ffb22c0855fde1e03ff187484e560763c6acaea4e7564e1fa7fc4
Instruction ID: 83de4c93d66bdc98d3623874c61c42a937d2d86f80262de47dcbbbfb3d309dda
Opcode Fuzzy Hash: f04e90774c1ffb22c0855fde1e03ff187484e560763c6acaea4e7564e1fa7fc4
Instruction Fuzzy Hash: 24815A71A00219EFCB04DF94C988EEEB7F9FF89305F204159E506AB251DB75AE06CB64

Function 00401391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004014C0

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d81eefb84fd817e49304a1c24992a6df56fc91dbf77d423cb8af2ca2f8813a15
Instruction ID: 802091c233496a818cd2dd5639daa15f6ccfb87e7cd3fd4f1ab82b33d765f0db
Opcode Fuzzy Hash: d81eefb84fd817e49304a1c24992a6df56fc91dbf77d423cb8af2ca2f8813a15
Instruction Fuzzy Hash: 9F413E35500554AFDB226BBA8C45ABF3AA4EF41330F140737F918EB2F1E77848415366

Function 00456278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00C317D0,?), ref: 004562E2
ScreenToClient.USER32(?,?), ref: 00456315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00456382

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 33e0893ed1da8653f896044ae1b6327234f87639c1e2ba433c5decf8a46adf01
Instruction ID: 0470509709105e80db55744160ccc9e7fe4ca929847f114d95544c70da655794
Opcode Fuzzy Hash: 33e0893ed1da8653f896044ae1b6327234f87639c1e2ba433c5decf8a46adf01
Instruction Fuzzy Hash: 91514A70A00209EFCF10DF68D880AAE7BB5EB55361F51816AFC159B3A2D734ED85CB54

Function 00441AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00441AFD
WSAGetLastError.WSOCK32 ref: 00441B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00441B8A
WSAGetLastError.WSOCK32 ref: 00441B94

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: db7e90ec50a247167cfa96c5f51716d1d034d303791a00c869b1d2fd4db17ba9
Instruction ID: e1ad154dc21ed5e89e5ea64f3e8e6c25fe766211cc261069fd9b61d1afe8cf00
Opcode Fuzzy Hash: db7e90ec50a247167cfa96c5f51716d1d034d303791a00c869b1d2fd4db17ba9
Instruction Fuzzy Hash: 1A419E35600200AFE721AF24C886F2A77E5EB44718F54845DF91A9F7D2D676ED828B90

Function 003FB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d55fdfb3f6a4e4cd516ac10e985633f9da56fc716094946555a31253aaa2931
Instruction ID: a89b17c3db02387db0591336ba8cc56a9f9dc22b84a526dd17dd7e01aee37384
Opcode Fuzzy Hash: 0d55fdfb3f6a4e4cd516ac10e985633f9da56fc716094946555a31253aaa2931
Instruction Fuzzy Hash: EF4117B5A00708AFD726AF39CC41B7ABBE9EF84710F10452EF205DB692D375A9018B80

Function 004356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00435783
GetLastError.KERNEL32(?,00000000), ref: 004357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004357FA

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ae830f178a4ca012901a45269eeb89bbc17b12c04357694c6755cf5af154db49
Instruction ID: 16747611f264ea159f04d6eeaec351195ade56a1bf10ec855d5608826b79fb8f
Opcode Fuzzy Hash: ae830f178a4ca012901a45269eeb89bbc17b12c04357694c6755cf5af154db49
Instruction Fuzzy Hash: A9411639600610DFCB11EF15C485A1ABBE2AF89720F188499EC5AAF362CB35FD01DF95

Function 003FD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,003E6D71,00000000,00000000,003E82D9,?,003E82D9,?,00000001,003E6D71,?,00000001,003E82D9,003E82D9), ref: 003FD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003FD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 003FD9AB
__freea.LIBCMT ref: 003FD9B4

Part of subcall function 003F3820: RtlAllocateHeap.NTDLL(00000000,?,00491444,?,003DFDF5,?,?,003CA976,00000010,00491440,003C13FC,?,003C13C6,?,003C1129), ref: 003F3852

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8c8e2627b513eb6781d46dca89cd864139daeaa77ef672cc3e064879e8d03ada
Instruction ID: c148f5482f45cc2efa1d8976cbcf908bb1c002435d69431c18c0218a3044277f
Opcode Fuzzy Hash: 8c8e2627b513eb6781d46dca89cd864139daeaa77ef672cc3e064879e8d03ada
Instruction Fuzzy Hash: 0231B272A0021AABDF269FA5DC89EBF7BA6EB41310F054168FD04DB291E775CD50CB90

Function 004552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00455352
GetWindowLongW.USER32(?,000000F0), ref: 00455375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00455382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004553A8

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: af566bbf24f4ca0456e5d0012349c350d498bd375545967d25f56a33eec9ff2b
Instruction ID: 8b2309c25f0d2d63a8a9397b45c3ae60bcf9c25fde5aa30bafc6144578849fc1
Opcode Fuzzy Hash: af566bbf24f4ca0456e5d0012349c350d498bd375545967d25f56a33eec9ff2b
Instruction Fuzzy Hash: A731D430A55A08EFEB309F14CC65BFA3761AB04392F584013FE19962E3C7B89D48D74A

Function 0042AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 0042ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0042AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0042AC74
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 0042ACC6

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 22fc09c245d1b1bfb2a72395ee6276d89553a81b79eb5ad22bb9f7768a92990e
Instruction ID: 2f60cc9884a377df12952b55a90266f96ffaa53fedf1c74dbf6025eb0cfe2917
Opcode Fuzzy Hash: 22fc09c245d1b1bfb2a72395ee6276d89553a81b79eb5ad22bb9f7768a92990e
Instruction Fuzzy Hash: D5310930B00328AFFB24CA66EC087FB7665AF85310F84425BE881522D1C37C89A5875A

Function 00457674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0045769A
GetWindowRect.USER32(?,?), ref: 00457710
PtInRect.USER32(?,?,00458B89), ref: 00457720
MessageBeep.USER32(00000000), ref: 0045778C

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: cd420f3bac496234595836110f7ec5c9aa51a481a9ef62509bb5b28d58fcc2d4
Instruction ID: ba808340d5fd485fe771cfc8e59c02c78cfcf36a0cc9429b3c305256d2564b56
Opcode Fuzzy Hash: cd420f3bac496234595836110f7ec5c9aa51a481a9ef62509bb5b28d58fcc2d4
Instruction Fuzzy Hash: F8418D746052159FCB01CF58E894EA977F4FB49316F1440BAE8149B362C338F94ACF98

Function 004516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004516EB

Part of subcall function 00423A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00423A57
Part of subcall function 00423A3D: GetCurrentThreadId.KERNEL32 ref: 00423A5E
Part of subcall function 00423A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004225B3), ref: 00423A65

GetCaretPos.USER32(?), ref: 004516FF
ClientToScreen.USER32(00000000,?), ref: 0045174C
GetForegroundWindow.USER32 ref: 00451752

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9faf1f099a65ce9f7b29c29ea91ec31ef964c80a85e39a6fb9216b6e304f8076
Instruction ID: ad3200ba32597d0729fa21f83e00f770a032ecba6d8094ae63c8de336c537adb
Opcode Fuzzy Hash: 9faf1f099a65ce9f7b29c29ea91ec31ef964c80a85e39a6fb9216b6e304f8076
Instruction Fuzzy Hash: 85313075D00249AFC701EFAAC881DAEBBF9EF48304B5080AEE415E7212D735DE45CBA4

Function 0042D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0042D501
Process32FirstW.KERNEL32(00000000,?), ref: 0042D50F
Process32NextW.KERNEL32(00000000,?), ref: 0042D52F
CloseHandle.KERNEL32(00000000), ref: 0042D5DC

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: baaad3fbceea6ef17b5c04e8caede695dade7dfb14fe12ac7df5762b23ce81e1
Instruction ID: d977e088c3fc5a086c531507858f0fccdf98d66669f6d547dad121d1a53db4a6
Opcode Fuzzy Hash: baaad3fbceea6ef17b5c04e8caede695dade7dfb14fe12ac7df5762b23ce81e1
Instruction Fuzzy Hash: 50319271108300AFD301EF54D885FAFBBE8EF99344F50092EF581C61A1EB719984CB92

Function 00458FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003D9BB2

GetCursorPos.USER32(?), ref: 00459001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00417711,?,?,?,?,?), ref: 00459016
GetCursorPos.USER32(?), ref: 0045905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00417711,?,?,?), ref: 00459094

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e8df39bad3b877c865407bac0786539cb4a00c4f603227933e3887ff8c4b93d4
Instruction ID: eb3e36bad0aa1f814d891a88187cab98ffed8e49721511eefe36eafc7a6f45dd
Opcode Fuzzy Hash: e8df39bad3b877c865407bac0786539cb4a00c4f603227933e3887ff8c4b93d4
Instruction Fuzzy Hash: 5C219F35600118FFCB268F94CC98EEB7BB9EB49752F044466F9054B2A2D3359D50EB64

Function 0042D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0045CB68), ref: 0042D2FB
GetLastError.KERNEL32 ref: 0042D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0042D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0045CB68), ref: 0042D376

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0490c51eb22206d6bf968cba44f6deeb47130e3f3b657fd01532811cbbcc6234
Instruction ID: 8d81d8094d4a4b3cb38d06f257986cb975f8481cdf2019e33bb1b9dc7dcb0d0c
Opcode Fuzzy Hash: 0490c51eb22206d6bf968cba44f6deeb47130e3f3b657fd01532811cbbcc6234
Instruction Fuzzy Hash: EB21A370A083119F8300DF24D8859AF77E4EE56324F504A6EF899C72A2DB35DD46CB9B

Function 00421571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00421014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0042102A
Part of subcall function 00421014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00421036
Part of subcall function 00421014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00421045
Part of subcall function 00421014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0042104C
Part of subcall function 00421014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00421062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004215BE
_memcmp.LIBVCRUNTIME ref: 004215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00421617
HeapFree.KERNEL32(00000000), ref: 0042161E

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d534c6ae85f263945180d810304239004162fdf016d3fc0acc49b25883efd2fd
Instruction ID: dbfb357edd7360930a0a89ea99ac1f40e4161f460f664c9c641358a27a2c68b7
Opcode Fuzzy Hash: d534c6ae85f263945180d810304239004162fdf016d3fc0acc49b25883efd2fd
Instruction Fuzzy Hash: E2219A31E00218EFDF00DFA4D944BEEB7B8EF50345F48445AE401AB351E734AA44CBA4

Function 00452782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0045280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00452824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00452832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00452840

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 9f8e56263d595df10d5706f0b17929801785d81d407a9e87ca6d1817e093c25a
Instruction ID: 33bcc47307e01d7927be1ab76fd3c87d30f4162a929a8308c1791477aea1d8c2
Opcode Fuzzy Hash: 9f8e56263d595df10d5706f0b17929801785d81d407a9e87ca6d1817e093c25a
Instruction Fuzzy Hash: 0E210231204210AFD710DB24C980F6AB795AF46325F14821EF8268B293C7B5EC46C794

Function 004278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00428D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0042790A,?,000000FF,?,00428754,00000000,?,0000001C,?,?), ref: 00428D8C
Part of subcall function 00428D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00428DB2
Part of subcall function 00428D7D: lstrcmpiW.KERNEL32(00000000,?,0042790A,?,000000FF,?,00428754,00000000,?,0000001C,?,?), ref: 00428DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00428754,00000000,?,0000001C,?,?,00000000), ref: 00427923
lstrcpyW.KERNEL32(00000000,?), ref: 00427949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00428754,00000000,?,0000001C,?,?,00000000), ref: 00427984

Strings

cdecl, xrefs: 0042797B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 24f228c3c3e44cdca929744d4696041a6c3feb3d335cd0bf225134094aa7aadb
Instruction ID: 0d234d36f1f11803f7b12c560869d844f48a422de3a9363f10f4a1fc82309e2f
Opcode Fuzzy Hash: 24f228c3c3e44cdca929744d4696041a6c3feb3d335cd0bf225134094aa7aadb
Instruction Fuzzy Hash: 5D11247A300311AFDB119F34E844E7B73A5EF45350B80402BE802CB3A5EB35D841C759

Function 00455660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004556BB
_wcslen.LIBCMT ref: 004556CD
_wcslen.LIBCMT ref: 004556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00455816

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 3bd9d56c7a51a95a7251e443b242d54d4e8d7049e9b5e5bb67e198a8c5adbfb3
Instruction ID: 5c6e245c546b80720d333cbab28bd1e5bca4b72a7f12c6a2260510a9b2b23fb8
Opcode Fuzzy Hash: 3bd9d56c7a51a95a7251e443b242d54d4e8d7049e9b5e5bb67e198a8c5adbfb3
Instruction Fuzzy Hash: 7A11DF7160061896DB20EBA18C81AFF37BCEF11362B104127FD0596183E778CA88CB68

Function 00421A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00421A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00421A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00421A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00421A8A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 76acd007fe679b81027fd9ae7afd738cac71ec0e016128d5c8774c9620d7b54d
Instruction ID: c3ac2bdbefc1dbcae88dc9c28446b31d9772855f82c9057b3876509db2926cda
Opcode Fuzzy Hash: 76acd007fe679b81027fd9ae7afd738cac71ec0e016128d5c8774c9620d7b54d
Instruction Fuzzy Hash: CD113035E01229FFDB10DBA5CD85F9DBB78FB14750F200092E500B7290D6716E51DB98

Function 0042E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0042E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0042E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0042E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0042E24D

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 415ee7377d52230be8c983057282ff93de057e9b92090be52fb7454dc8284f64
Instruction ID: bfbe2293bd044bd229e8cb96d6e0669500698c16bd44611c2a583a1c8f62874f
Opcode Fuzzy Hash: 415ee7377d52230be8c983057282ff93de057e9b92090be52fb7454dc8284f64
Instruction Fuzzy Hash: 2B114872A04325FFD7119BA8AC05A9F3FACEB45310F104276F825E3291C274CD008BB4

Function 003ED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,003ECFF9,00000000,00000004,00000000), ref: 003ED218
GetLastError.KERNEL32 ref: 003ED224
__dosmaperr.LIBCMT ref: 003ED22B
ResumeThread.KERNEL32(00000000), ref: 003ED249

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 2138f94fd932917b1c89add51a46df76f06195b85602198582ced62b50fb5dda
Instruction ID: fe07217591752779b16a54d43eab9d22a19ec6c8a094426fd38f108a23dc6bda
Opcode Fuzzy Hash: 2138f94fd932917b1c89add51a46df76f06195b85602198582ced62b50fb5dda
Instruction Fuzzy Hash: 84012636805268BFC7125BA7DC05BAE3A6DDF81331F100328FA24960D0CB70C801C7A0

Function 003C600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003C604C
GetStockObject.GDI32(00000011), ref: 003C6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 003C606A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5892c66200a35b78314f952d10eb9c570734992ad888b41323c858a9b3a38238
Instruction ID: 8d9d52749477f8748a4ca65186ef63f506c8cfda644cd83fda9774bbc82b1a6e
Opcode Fuzzy Hash: 5892c66200a35b78314f952d10eb9c570734992ad888b41323c858a9b3a38238
Instruction Fuzzy Hash: E111A1B2105619BFEF124FA48C45FEA7B6DEF0C355F01012AFA04A2010C732DC60DBA0

Function 003E3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 003E3B56

Part of subcall function 003E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 003E3AD2
Part of subcall function 003E3AA3: ___AdjustPointer.LIBCMT ref: 003E3AED

_UnwindNestedFrames.LIBCMT ref: 003E3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 003E3B7C
CallCatchBlock.LIBVCRUNTIME ref: 003E3BA4

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: b2f3a79aaeca2f14598b57f86f6bb9c1c67318e79eab0440881e998444e6f6c2
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: FE012D32100199BBDF125E96CC46DEB3B69EF48754F054114FE495A161C732E961DBA0

Function 003F3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003C13C6,00000000,00000000,?,003F301A,003C13C6,00000000,00000000,00000000,?,003F328B,00000006,FlsSetValue), ref: 003F30A5
GetLastError.KERNEL32(?,003F301A,003C13C6,00000000,00000000,00000000,?,003F328B,00000006,FlsSetValue,00462290,FlsSetValue,00000000,00000364,?,003F2E46), ref: 003F30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,003F301A,003C13C6,00000000,00000000,00000000,?,003F328B,00000006,FlsSetValue,00462290,FlsSetValue,00000000), ref: 003F30BF

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 9f3343ebd4ca18dc9da11040e1f5c92e65e9f08a0c1957cf61b527165540e392
Instruction ID: 9aed2e87541b852450e600a15a60793d2c6c846916ffb6303d7330245767ed1f
Opcode Fuzzy Hash: 9f3343ebd4ca18dc9da11040e1f5c92e65e9f08a0c1957cf61b527165540e392
Instruction Fuzzy Hash: 6601D43274232BAFCB224A799C849777B98AF05BA1B110631FA07E3241DF21D941C6E4

Function 00427464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0042747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00427497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004274CA

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 5b1cbc6cc2f17cc0fb2da1197bcaadede0c1e5056fa7caf1449999aa969b10a0
Instruction ID: 349ced3050b07ffd926b8395a55d1aead664b12eeaded95b26933693b031fe66
Opcode Fuzzy Hash: 5b1cbc6cc2f17cc0fb2da1197bcaadede0c1e5056fa7caf1449999aa969b10a0
Instruction Fuzzy Hash: C611C4B1305320AFE7209F14ED48F967FFCEB00B00F90856AE616D6152D7B4E904DB95

Function 0042B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0042ACD3,?,00008000), ref: 0042B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0042ACD3,?,00008000), ref: 0042B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0042ACD3,?,00008000), ref: 0042B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0042ACD3,?,00008000), ref: 0042B126

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 8c4dbee9134b1c799233f60069b1cfc9ea50048a36e2af4a006412340cb351c7
Instruction ID: 3c6b54e52689fbed8ac1c81a89326f12725f25fc9bc050d21819ebc6d845bffc
Opcode Fuzzy Hash: 8c4dbee9134b1c799233f60069b1cfc9ea50048a36e2af4a006412340cb351c7
Instruction Fuzzy Hash: 3C113C31E01A39DBCF00AFA4E9A86FEBB78FF09751F504096D941B2242CB3495518B99

Function 00422DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00422DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00422DD6
GetCurrentThreadId.KERNEL32 ref: 00422DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00422DE4

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 62667b84b3cc1615c946b1c46781975c96add82e2f548a2ab0d10ae53e6e9f70
Instruction ID: f6381922b9b1327d1b5e7c176770ee54de93cf4217a546ce2b0ab9f339a85832
Opcode Fuzzy Hash: 62667b84b3cc1615c946b1c46781975c96add82e2f548a2ab0d10ae53e6e9f70
Instruction Fuzzy Hash: F3E092722413347FD7201B72AC4DFEB3E6CEF42BA2F400026F105D10819AE8C941C6B4

Function 00458863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 003D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003D9693
Part of subcall function 003D9639: SelectObject.GDI32(?,00000000), ref: 003D96A2
Part of subcall function 003D9639: BeginPath.GDI32(?), ref: 003D96B9
Part of subcall function 003D9639: SelectObject.GDI32(?,00000000), ref: 003D96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00458887
LineTo.GDI32(?,?,?), ref: 00458894
EndPath.GDI32(?), ref: 004588A4
StrokePath.GDI32(?), ref: 004588B2

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 394efb4033386f3b310e54d03fe720f87d948a1cf7df6135a808899b8522973b
Instruction ID: 8a439e896ca3ab2228c1131471ad53b83c0a826536bb7e6d7c62a3202d33c943
Opcode Fuzzy Hash: 394efb4033386f3b310e54d03fe720f87d948a1cf7df6135a808899b8522973b
Instruction Fuzzy Hash: E7F05E36041359FADB126F94AC49FCE3F59AF16712F048022FA11651E2CB799511CFED

Function 003D98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 003D98CC
SetTextColor.GDI32(?,?), ref: 003D98D6
SetBkMode.GDI32(?,00000001), ref: 003D98E9
GetStockObject.GDI32(00000005), ref: 003D98F1

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 8afa767fedb314259aefe026eb7aa7908b0f2df96b550f0fab6df5808fddfe92
Instruction ID: 1b43cb75d5a90eff52992c32b3baa5ded9229e20bf781f46c8ded42ae25342ca
Opcode Fuzzy Hash: 8afa767fedb314259aefe026eb7aa7908b0f2df96b550f0fab6df5808fddfe92
Instruction Fuzzy Hash: 85E06531244744AEDB215B74BC49BD93F21AB11336F04822AF6F9541E2C77186509F14

Function 0042162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00421634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004211D9), ref: 0042163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004211D9), ref: 00421648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004211D9), ref: 0042164F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 36a9bd73dca91d7a1a5411a7b0d22e492fa66eff55acd30b50093a2928186167
Instruction ID: 5835212ac12b0b29110f82411978e5f2b74ab9d3140beaec7c527b5c6c6a060d
Opcode Fuzzy Hash: 36a9bd73dca91d7a1a5411a7b0d22e492fa66eff55acd30b50093a2928186167
Instruction Fuzzy Hash: 37E04F71602321AFD7201BE0AD4DB4B3B68AF64B92F144869F646C9091D6288440C798

Function 0041D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0041D858
GetDC.USER32(00000000), ref: 0041D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041D882
ReleaseDC.USER32(?), ref: 0041D8A3

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e87e5a00d9b7732f2b2b217aa9556ee79b4dbe17230aec3a319aed33038e5885
Instruction ID: 08c3aa20b873e4ed90ce3d40e7978249136a25ecccd32372c01ded3900764091
Opcode Fuzzy Hash: e87e5a00d9b7732f2b2b217aa9556ee79b4dbe17230aec3a319aed33038e5885
Instruction Fuzzy Hash: 12E01AB1800304EFCF41AFA0D848A6DBBB6FB08712F108029E80AE7251C7388A42EF44

Function 0041D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0041D86C
GetDC.USER32(00000000), ref: 0041D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041D882
ReleaseDC.USER32(?), ref: 0041D8A3

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 53eed799574118f77e517d54af7e549fee86deda801589fd330f6559bc67ea57
Instruction ID: 03176ce7b3d938cf38d2dbd37ed40dd055a1f55f8a80cdace7c9dc6a0e0e0a8a
Opcode Fuzzy Hash: 53eed799574118f77e517d54af7e549fee86deda801589fd330f6559bc67ea57
Instruction Fuzzy Hash: E1E09A75800304EFCF519FA0D84866DBBB5FB48712B149459E94AE7251C7389A06DF54

Function 00434D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 003C7620: _wcslen.LIBCMT ref: 003C7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00434ED4

Strings

*, xrefs: 00434E10
LPT, xrefs: 00434DFB

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 7d702572430dc123fcb306859cfdcb5a2ff834cd7b28c721b06d00dd58fa76e8
Instruction ID: de6c8da300fb7d2d6214ed78d39b721788cc5438050ff9224f335d58c4287a34
Opcode Fuzzy Hash: 7d702572430dc123fcb306859cfdcb5a2ff834cd7b28c721b06d00dd58fa76e8
Instruction Fuzzy Hash: 7E9174759002049FCB15DF54C485EAABBF1BF89304F19909EE80A9F362C735EE85CB55

Function 003EE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003EE30D

Strings

pow, xrefs: 003EE2E5, 003EE302

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 474a57aaa40a0ee28fd8cf6ad19c3795027f4c82aebc7f2b42a7aa8511d7c26b
Instruction ID: 10704d9424b989448f9ef502a39bb04c293503c0225efe6d60c1a826286ccae1
Opcode Fuzzy Hash: 474a57aaa40a0ee28fd8cf6ad19c3795027f4c82aebc7f2b42a7aa8511d7c26b
Instruction Fuzzy Hash: 8851CE61A0C60AA6CB177B15CD013BA3BA8EB10740F354E79F1D1873F9EB308C819A47

Function 00447771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0041569E,00000000,?,0045CC08,?,00000000,00000000), ref: 004478DD

Part of subcall function 003C6B57: _wcslen.LIBCMT ref: 003C6B6A

CharUpperBuffW.USER32(0041569E,00000000,?,0045CC08,00000000,?,00000000,00000000), ref: 0044783B

Strings

<sH, xrefs: 004477C8

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sH
API String ID: 3544283678-2921670257
Opcode ID: 286a9089b44615f1c652732f1a0fa8bff6663c7b1f9aeb4bd5189abe1d1de00c
Instruction ID: 093d3d3cd7e19595fbeec9c012d9b57b2a214d7153a805c212c16a5f00de821d
Opcode Fuzzy Hash: 286a9089b44615f1c652732f1a0fa8bff6663c7b1f9aeb4bd5189abe1d1de00c
Instruction Fuzzy Hash: DF616F76914218AADF06FBA4CC91EFEB374BF14300B54452AE542BB191EF385E06CBA4

Function 003DE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 003DE1B1

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 328438f4628f056c1ba932072068c0e8911cedfc07dd3454fb5d812911fe22a1
Instruction ID: a5fb2243e2029d3daa319a8a178a305a87dbdcdd323b9804b65963d7454d9698
Opcode Fuzzy Hash: 328438f4628f056c1ba932072068c0e8911cedfc07dd3454fb5d812911fe22a1
Instruction Fuzzy Hash: FA51157A500246DFEB16EF29D481AFA7BA8EF15310F24445BEC619F3D0D6389D82C754

Function 003DF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 003DF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 003DF2BB

Strings

@, xrefs: 003DF2AF

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 7d1f5b69413995c1b9809fe866b3dadb700b3fda25f79444db82ffb8677fa3e3
Instruction ID: 8525567cd6a5a0e6e1a23273ddcdf0034d37ed5d32b8506a78f1e22938fb29f5
Opcode Fuzzy Hash: 7d1f5b69413995c1b9809fe866b3dadb700b3fda25f79444db82ffb8677fa3e3
Instruction Fuzzy Hash: F65167714187449BD321AF10DC86BAFBBF8FB84304F81885CF1D9851A5EB308969CB6A

Function 00445745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004457E0
_wcslen.LIBCMT ref: 004457EC

Strings

CALLARGARRAY, xrefs: 004457E6, 004457EB

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: af740609f2a23c523383d5a1adc8f5f6f5cb8efa2a6c0d886092586ee153afab
Instruction ID: 0cda1d0221c211ff15f95b2e54ac30e1345a9f5e5817d5e275846ad8f88be199
Opcode Fuzzy Hash: af740609f2a23c523383d5a1adc8f5f6f5cb8efa2a6c0d886092586ee153afab
Instruction Fuzzy Hash: DE41A131E002099FDF14EFA9C8819BEBBB5EF59314F10406EE505AB352EB389D91CB94

Function 0043D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0043D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0043D13A

Strings

|, xrefs: 0043D10B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: addc2d991cad741bcf7bd06465ce9154c220bfcfec082ff012b5241f94cd9be4
Instruction ID: 10afe6e2101e4013535202a8ee6d4cc066f864fdbc638b1b0c7a838f58162d6c
Opcode Fuzzy Hash: addc2d991cad741bcf7bd06465ce9154c220bfcfec082ff012b5241f94cd9be4
Instruction Fuzzy Hash: 40310871D00219ABCF16EFA5DD85EEE7FB9FF08300F10005AE815AA262D735AA16CB54

Function 0045356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00453621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0045365C

Strings

static, xrefs: 004535BC

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e4eff54ef56ae8e9e8023eb4898a9f92e228a755eaddc9e9bde87744406e0f9e
Instruction ID: a3e049e7c9ac3c95e4d31fd3328376dccdf894d314a39ca10b1cec0e3869270d
Opcode Fuzzy Hash: e4eff54ef56ae8e9e8023eb4898a9f92e228a755eaddc9e9bde87744406e0f9e
Instruction Fuzzy Hash: 5F31A071100604AEDB20DF24DC80FBB73A9FF48756F10961EFC5597291DA34AD85C764

Function 00454537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0045461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00454634

Strings

', xrefs: 0045458E

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: add9a7e0ec09014119cb0a4641b925f28cda2089c5d2f0b65d4f8f12f9a88acd
Instruction ID: 16afa9cb7c63d619709f3876d68ccf372217fb8eb0b84daf90630276b8ba1502
Opcode Fuzzy Hash: add9a7e0ec09014119cb0a4641b925f28cda2089c5d2f0b65d4f8f12f9a88acd
Instruction Fuzzy Hash: 9E313B74A01309AFDB14CF69C990BDA7BB5FF49305F10406AEE049B352E774A945CF94

Function 004531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00453287

Strings

Combobox, xrefs: 00453249

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9c26644d30ffd42f3a34e56f7e140fac55a485e2734ea3e9d50acd865b31f4d7
Instruction ID: 46ccfaf0c5188c979543803223d86de632342714c167ce4e399ff1e932da6a63
Opcode Fuzzy Hash: 9c26644d30ffd42f3a34e56f7e140fac55a485e2734ea3e9d50acd865b31f4d7
Instruction Fuzzy Hash: 5611E2713006087FEF219F94DC80EBB376AEB943A6F10412AF918E7292D639DD558764

Function 00453710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 003C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003C604C
Part of subcall function 003C600E: GetStockObject.GDI32(00000011), ref: 003C6060
Part of subcall function 003C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003C606A

GetWindowRect.USER32(00000000,?), ref: 0045377A
GetSysColor.USER32(00000012), ref: 00453794

Strings

static, xrefs: 00453757

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 69dfd42152fc09f03203176a2f01068d1af4e2b203740af0d4541f696af7f6d7
Instruction ID: 1482a58fd6a53dcf5fea3a611b488a941b9b565368f5730d8eec958f83f4c15c
Opcode Fuzzy Hash: 69dfd42152fc09f03203176a2f01068d1af4e2b203740af0d4541f696af7f6d7
Instruction Fuzzy Hash: 8D1159B2A10209AFDB00DFA8CC46EEA7BB8EB08346F004529FD55E2251E738E8559B50

Function 0043CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0043CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0043CDA6

Strings

<local>, xrefs: 0043CD66

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 943704515431c7504db129cb391cebe7015f1c1d474d17d977a6f90a4665b86d
Instruction ID: df5bb320b76d4f404454bdf4239f367f9fcc4fe95cafc9f6f9b311d90d3464bd
Opcode Fuzzy Hash: 943704515431c7504db129cb391cebe7015f1c1d474d17d977a6f90a4665b86d
Instruction Fuzzy Hash: 0E11E3712416327AD7244A668CC4EE7BE68EB1A7A4F005237B109A2180D7689841D7F4

Function 00453429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004534BA

Strings

edit, xrefs: 0045348F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: cb4219a5b12a9450a355589f5b42c85aa35b1b3921483ffcf1c9204e0840c726
Instruction ID: 6529c1f2de2bf0667fce0eccac18299850d86a519ae84aece224cdde0473b41f
Opcode Fuzzy Hash: cb4219a5b12a9450a355589f5b42c85aa35b1b3921483ffcf1c9204e0840c726
Instruction Fuzzy Hash: C511B271100208AFEB114E64DC80ABB376AEB063BAF504725FD61932D1C739DC599B58

Function 00426C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00426CB6
_wcslen.LIBCMT ref: 00426CC2

Strings

STOP, xrefs: 00426CBC, 00426CC1

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 7c98431da6030b5f490eaafbaf01da66290e1756402f6270eb6be0df29cdd23b
Instruction ID: 3f5b3bc86af9db9ff285351406241fe5bedddab858ac6c6409423e334a39c687
Opcode Fuzzy Hash: 7c98431da6030b5f490eaafbaf01da66290e1756402f6270eb6be0df29cdd23b
Instruction Fuzzy Hash: FC01C83271053A8BCB21AFBEEC809BF77A5EB61714792052AE452D7291EB39D900C754

Function 00421BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

Part of subcall function 00423CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00423CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00421C46

Strings

ListBox, xrefs: 00421C10
ComboBox, xrefs: 00421BE5

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0471eb5f6e7b1616441638c48eb2d6f80babbc3808ca8ad05ac69aebef577e5f
Instruction ID: 0d801b5b89318fa8dbc97c60b565d8294cbdb2d13c2bd36f37e5aaaad106fc99
Opcode Fuzzy Hash: 0471eb5f6e7b1616441638c48eb2d6f80babbc3808ca8ad05ac69aebef577e5f
Instruction Fuzzy Hash: E801F7767802186ACB05FB91D955FFF77A89B21380F50002FA416B7291EA289F08C7B9

Function 00421C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

Part of subcall function 00423CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00423CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00421CC8

Strings

ListBox, xrefs: 00421C94
ComboBox, xrefs: 00421C69

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 536531baccd2ff583f33a330697bb07375ef0bacc6cfb375009b5d9ea7329032
Instruction ID: a158590d277a284aa8b93e644f0eed3cdea93b26d50d711088c14f2c1915e2af
Opcode Fuzzy Hash: 536531baccd2ff583f33a330697bb07375ef0bacc6cfb375009b5d9ea7329032
Instruction Fuzzy Hash: CC01DB7678022467CB05FB92DA15FFF77A89B21340F54002BB801B7291EA289F18D779

Function 003DA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003DA529

Part of subcall function 003C9CB3: _wcslen.LIBCMT ref: 003C9CBD

Strings

,%I, xrefs: 003DA509
3yA, xrefs: 003DA545, 003DA54D, 003DA552

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%I$3yA
API String ID: 2551934079-1638462002
Opcode ID: 7a996e9bc2f90ef67ea5d4853346fdf35e2b55dd43fab1e3b86d98856bbe8ed2
Instruction ID: 94d67a3979e1c4a218cefeee3bfe650b4003030baf66d6664b5bb94d54dfca31
Opcode Fuzzy Hash: 7a996e9bc2f90ef67ea5d4853346fdf35e2b55dd43fab1e3b86d98856bbe8ed2
Instruction Fuzzy Hash: 5401F733600A10ABC907F769FA5BB6D33659B06720F51407BF5116F3C2DE949D41869B

Function 00458172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00493018,0049305C), ref: 004581BF
CloseHandle.KERNEL32 ref: 004581D1

Strings

\0I, xrefs: 0045818A

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0I
API String ID: 3712363035-1252114689
Opcode ID: fa9e05470de9aca1bebd7b6f12eb477abe30fa1e1eebe3d7dfb8bf422da8ca26
Instruction ID: d556adc48edba2b99d843c9ef55fa830dd22d328f19f044a9559ab2d96739073
Opcode Fuzzy Hash: fa9e05470de9aca1bebd7b6f12eb477abe30fa1e1eebe3d7dfb8bf422da8ca26
Instruction Fuzzy Hash: 9DF05EB5640314BEE6206F62AC4AFB73A5CDB16752F004432BF08D91A2D6798E0087FC

Function 0044747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00447493
_wcslen.LIBCMT ref: 004474B9

Strings

3, 3, 16, 1, xrefs: 00447483

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: d4a3f3c920b84486f4b7eae8d1f8594739ddc39f1ba0e51aeb55f5571db97127
Instruction ID: 4679cb515c0640d193f721fdf92011dd1b11cf779ab9b3ed4e84c3eb42f3fa83
Opcode Fuzzy Hash: d4a3f3c920b84486f4b7eae8d1f8594739ddc39f1ba0e51aeb55f5571db97127
Instruction Fuzzy Hash: E0E02B0220427010A232227B9CC1A7F5789CFCD790720182BF981D63A7EB98CD9393F9

Function 00420B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00420B23

Strings

Error allocating memory., xrefs: 00420B1C
AutoIt, xrefs: 00420B17

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 2123457cdcc4e3f2aa0f58312b2b3caafa5375b5185bb130fbb4caedbc892829
Instruction ID: 43ca8503fd73008437baa1abf5b948a670aa8a5b4db25619610606da19fa45f7
Opcode Fuzzy Hash: 2123457cdcc4e3f2aa0f58312b2b3caafa5375b5185bb130fbb4caedbc892829
Instruction Fuzzy Hash: DAE0D8322443182ED22136957C83F8D7F84CF09F51F20042BFB48995C38AD5685046ED

Function 003E0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,003E0D71,?,?,?,003C100A), ref: 003DF7CE

IsDebuggerPresent.KERNEL32(?,?,?,003C100A), ref: 003E0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,003C100A), ref: 003E0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003E0D7F

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: dd211e479948664bbc18873b9404383a7e2c0375c148164ed77ab8112c4f8ba7
Instruction ID: a0fb6a9dc3cddfd039b969afea05758df1c12f218f203d5146c2c5680bbd45ea
Opcode Fuzzy Hash: dd211e479948664bbc18873b9404383a7e2c0375c148164ed77ab8112c4f8ba7
Instruction Fuzzy Hash: 0AE065742003518FD3359FB9D8447467BE0AB00745F004A7EF886C6792D7F4E4888B91

Function 003DE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003DE3D5

Strings

8%I, xrefs: 003DE3CA
0%I, xrefs: 003DE3B5

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%I$8%I
API String ID: 1385522511-3579212035
Opcode ID: 6ed697c77b6e3a13baf4f183dd6fb40148d2f5b466d47d933405f788cf69b556
Instruction ID: 94c56396d44fed9899b52ce0f8a0e3a26603a49fbef7209c05053af538b604ab
Opcode Fuzzy Hash: 6ed697c77b6e3a13baf4f183dd6fb40148d2f5b466d47d933405f788cf69b556
Instruction Fuzzy Hash: A3E0263A401920FBCB0BB718FA54AAE3B55AB14330B920277E1028F2D19BF42881868C

Function 0041D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0041D220

Strings

X64, xrefs: 0041D2A8
%.3d, xrefs: 0041D22B

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: a2f1c8af13e8051ba01b8a8e928dca7bf55e58adf6164eb9decd8b9f95068e76
Instruction ID: c5a22366f59e20ecf0af9cbb570c62046e9af1fe2236e276871a0e4354b4c5ea
Opcode Fuzzy Hash: a2f1c8af13e8051ba01b8a8e928dca7bf55e58adf6164eb9decd8b9f95068e76
Instruction Fuzzy Hash: 34D012F1C08218E9CB5096D0DC85AF9B37CFB19301F6084A3F81691441D63CD589A76B

Function 00452356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0045236C
PostMessageW.USER32(00000000), ref: 00452373

Part of subcall function 0042E97B: Sleep.KERNEL32 ref: 0042E9F3

Strings

Shell_TrayWnd, xrefs: 00452365

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 83d74a21fe0a38d5e1d9c6936590f0b8cf876c15d437c1edc48840b247b51e27
Instruction ID: 66d226dbca5b2399f74097b4ddab1cdf3cfdac72e8ca31a89be7e56abfa98841
Opcode Fuzzy Hash: 83d74a21fe0a38d5e1d9c6936590f0b8cf876c15d437c1edc48840b247b51e27
Instruction Fuzzy Hash: 64D0A972380320BAE2A4B371AC4FFCA66049B00B01F4009277201AA0D1C8A4A8008A4C

Function 00452322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0045232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0045233F

Part of subcall function 0042E97B: Sleep.KERNEL32 ref: 0042E9F3

Strings

Shell_TrayWnd, xrefs: 00452325

Memory Dump Source

Source File: 00000000.00000002.1308833661.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.1308607749.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1309667343.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310130535.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1310325641.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_NEW ORDER.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 53b794170305df4d5793700bf7cce1e5fe8483d9308ad03348eeab51df513c5d
Instruction ID: 8e5d5888c6a67985bf07e34cef75196608b5cf00aff9df0a4947e7ae9f865cfc
Opcode Fuzzy Hash: 53b794170305df4d5793700bf7cce1e5fe8483d9308ad03348eeab51df513c5d
Instruction Fuzzy Hash: DBD02272380320BBE2A4B371EC5FFCA7A049B00B01F0009277305AA0D1C8F4E800CB4C

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NEW ORDER.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Bactris

C:\Users\user\AppData\Local\Temp\Prober

C:\Users\user\AppData\Local\Temp\autDE75.tmp

C:\Users\user\AppData\Local\Temp\autDEB4.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
NEW ORDER.exe

Function 003C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 003C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00402BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 003C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 003F8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 0040065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 003C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 003C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 003C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 033025D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 003C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 033023B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 139
fileCOMMON

Function 00432947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 003F5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre