Edit tour

Windows Analysis Report
z1PURCHASEORDER.exe

Overview

General Information

Sample name:	z1PURCHASEORDER.exe
Analysis ID:	1528899
MD5:	c4224dd3cd6d013992c9680812a7f946
SHA1:	753a273f0864ebeebbb05fab9767e714b31edd1c
SHA256:	4fd906a04bf473c85deb5f4689c592b97e0ec46c747ff130bec022956369f59d
Tags:	exeuser-Porcupine
Infos:

Detection

FormBook

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

z1PURCHASEORDER.exe (PID: 6012 cmdline: "C:\Users\user\Desktop\z1PURCHASEORDER.exe" MD5: C4224DD3CD6D013992C9680812A7F946)

svchost.exe (PID: 4992 cmdline: "C:\Users\user\Desktop\z1PURCHASEORDER.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1701368119.0000000003C50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1701368119.0000000003C50000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c290:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1434f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1700764927.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1700764927.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f5e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x176a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e7e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x168a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f5e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x176a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\z1PURCHASEORDER.exe", CommandLine: "C:\Users\user\Desktop\z1PURCHASEORDER.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\z1PURCHASEORDER.exe", ParentImage: C:\Users\user\Desktop\z1PURCHASEORDER.exe, ParentProcessId: 6012, ParentProcessName: z1PURCHASEORDER.exe, ProcessCommandLine: "C:\Users\user\Desktop\z1PURCHASEORDER.exe", ProcessId: 4992, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\z1PURCHASEORDER.exe", CommandLine: "C:\Users\user\Desktop\z1PURCHASEORDER.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\z1PURCHASEORDER.exe", ParentImage: C:\Users\user\Desktop\z1PURCHASEORDER.exe, ParentProcessId: 6012, ParentProcessName: z1PURCHASEORDER.exe, ProcessCommandLine: "C:\Users\user\Desktop\z1PURCHASEORDER.exe", ProcessId: 4992, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: z1PURCHASEORDER.exe	ReversingLabs: Detection: 28%
Source: z1PURCHASEORDER.exe	Virustotal: Detection: 24%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1701368119.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1700764927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: z1PURCHASEORDER.exe

Joe Sandbox ML: detected

Source: z1PURCHASEORDER.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: z1PURCHASEORDER.exe, 00000000.00000003.1439671739.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, z1PURCHASEORDER.exe, 00000000.00000003.1440282428.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1669510794.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1701067104.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1667683558.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1701067104.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: z1PURCHASEORDER.exe, 00000000.00000003.1439671739.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, z1PURCHASEORDER.exe, 00000000.00000003.1440282428.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1669510794.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1701067104.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1667683558.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1701067104.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0073449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0073449B
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0073C75D FindFirstFileW,FindClose,	0_2_0073C75D
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0073C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0073C7E8
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0073F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0073F021
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0073F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0073F17E
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0073F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0073F47F
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_00733833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00733833
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_00733B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00733B56
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0073BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0073BD48

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_00742404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00742404

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_0074407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0074407C

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_0074427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0074427A

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

0_2_0074407C

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_0073003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0073003A

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_0075CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0075CB26

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1701368119.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1700764927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1701368119.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1700764927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: This is a third-party compiled AutoIt script.	0_2_006D3B4C
Source: z1PURCHASEORDER.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: z1PURCHASEORDER.exe, 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c90ea749-5
Source: z1PURCHASEORDER.exe, 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_1bbc829e-a
Source: z1PURCHASEORDER.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5b924b7a-6
Source: z1PURCHASEORDER.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_af62209a-9

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: z1PURCHASEORDER.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C8A3 NtClose,	2_2_0042C8A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972B60 NtClose,LdrInitializeThunk,	2_2_03972B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03972DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039735C0 NtCreateMutant,LdrInitializeThunk,	2_2_039735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03974340 NtSetContextThread,	2_2_03974340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03974650 NtSuspendThread,	2_2_03974650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972B80 NtQueryInformationFile,	2_2_03972B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972BA0 NtEnumerateValueKey,	2_2_03972BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972BF0 NtAllocateVirtualMemory,	2_2_03972BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972BE0 NtQueryValueKey,	2_2_03972BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972AB0 NtWaitForSingleObject,	2_2_03972AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972AD0 NtReadFile,	2_2_03972AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972AF0 NtWriteFile,	2_2_03972AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972F90 NtProtectVirtualMemory,	2_2_03972F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972FB0 NtResumeThread,	2_2_03972FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972FA0 NtQuerySection,	2_2_03972FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972FE0 NtCreateFile,	2_2_03972FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972F30 NtCreateSection,	2_2_03972F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972F60 NtCreateProcessEx,	2_2_03972F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972E80 NtReadVirtualMemory,	2_2_03972E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972EA0 NtAdjustPrivilegesToken,	2_2_03972EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972EE0 NtQueueApcThread,	2_2_03972EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972E30 NtWriteVirtualMemory,	2_2_03972E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972DB0 NtEnumerateKey,	2_2_03972DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972DD0 NtDelayExecution,	2_2_03972DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972D10 NtMapViewOfSection,	2_2_03972D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972D00 NtSetInformationFile,	2_2_03972D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972D30 NtUnmapViewOfSection,	2_2_03972D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972CA0 NtQueryInformationToken,	2_2_03972CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972CC0 NtQueryVirtualMemory,	2_2_03972CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972CF0 NtOpenProcess,	2_2_03972CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972C00 NtQueryInformationProcess,	2_2_03972C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972C70 NtFreeVirtualMemory,	2_2_03972C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972C60 NtCreateKey,	2_2_03972C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973090 NtSetValueKey,	2_2_03973090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973010 NtOpenDirectoryObject,	2_2_03973010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039739B0 NtGetContextThread,	2_2_039739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973D10 NtOpenProcessToken,	2_2_03973D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973D70 NtOpenThread,	2_2_03973D70

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_0073A279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0073A279

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_00728638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00728638

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_00735264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00735264

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006DE800	0_2_006DE800
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006FDAF5	0_2_006FDAF5
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006DFE40	0_2_006DFE40
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006DE060	0_2_006DE060
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006E4140	0_2_006E4140
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006F2345	0_2_006F2345
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_00750465	0_2_00750465
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_00706452	0_2_00706452
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_007025AE	0_2_007025AE
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006F277A	0_2_006F277A
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006E6841	0_2_006E6841
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_007508E2	0_2_007508E2
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006E8968	0_2_006E8968
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_00738932	0_2_00738932
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0072E928	0_2_0072E928
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0070890F	0_2_0070890F
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_007069C4	0_2_007069C4
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006FCCA1	0_2_006FCCA1
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_00706F36	0_2_00706F36
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006E70FE	0_2_006E70FE
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006E3190	0_2_006E3190
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006D1287	0_2_006D1287
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006FF359	0_2_006FF359
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006F3307	0_2_006F3307
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006F1604	0_2_006F1604
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006E5680	0_2_006E5680
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006F7813	0_2_006F7813
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006E58C0	0_2_006E58C0
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006F1AF8	0_2_006F1AF8
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_00709C35	0_2_00709C35
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_00757E0D	0_2_00757E0D
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006FBF26	0_2_006FBF26
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006F1F10	0_2_006F1F10
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0138C648	0_2_0138C648
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004100CC	2_2_004100CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004100D3	2_2_004100D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004030E0	2_2_004030E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040212C	2_2_0040212C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402130	2_2_00402130
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416A13	2_2_00416A13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004102F3	2_2_004102F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004022B0	2_2_004022B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E373	2_2_0040E373
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402640	2_2_00402640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EED3	2_2_0042EED3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A003E6	2_2_03A003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA352	2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C02C0	2_2_039C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A001AA	2_2_03A001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F41A2	2_2_039F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F81CC	2_2_039F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930100	2_2_03930100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C8158	2_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393C7C0	2_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964750	2_2_03964750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395C6E0	2_2_0395C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A00591	2_2_03A00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EE4F6	2_2_039EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4420	2_2_039E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F2446	2_2_039F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F6BD7	2_2_039F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FAB40	2_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0A9A6	2_2_03A0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039268B8	2_2_039268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E8F0	2_2_0396E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394A840	2_2_0394A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03942840	2_2_03942840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BEFA0	2_2_039BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932FC8	2_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394CFE0	2_2_0394CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03960F30	2_2_03960F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E2F30	2_2_039E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03982F28	2_2_03982F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B4F40	2_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952E90	2_2_03952E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FCE93	2_2_039FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FEEDB	2_2_039FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393AE0D	2_2_0393AE0D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FEE26	2_2_039FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940E59	2_2_03940E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03958DBF	2_2_03958DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DCD1F	2_2_039DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394AD00	2_2_0394AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0CB5	2_2_039E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930CF2	2_2_03930CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940C00	2_2_03940C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0398739A	2_2_0398739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F132D	2_2_039F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392D34C	2_2_0392D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039452A0	2_2_039452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395B2C0	2_2_0395B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E12ED	2_2_039E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394B1B0	2_2_0394B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0B16B	2_2_03A0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392F172	2_2_0392F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397516C	2_2_0397516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EF0CC	2_2_039EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039470C0	2_2_039470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F70E9	2_2_039F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FF0E0	2_2_039FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FF7B0	2_2_039FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F16CC	2_2_039F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03985630	2_2_03985630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DD5B0	2_2_039DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A095C3	2_2_03A095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F7571	2_2_039F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FF43F	2_2_039FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03931460	2_2_03931460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395FB80	2_2_0395FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B5BF0	2_2_039B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397DBF9	2_2_0397DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFB76	2_2_039FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DDAAC	2_2_039DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03985AA0	2_2_03985AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E1AA3	2_2_039E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EDAC6	2_2_039EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFA49	2_2_039FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F7A46	2_2_039F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B3A6C	2_2_039B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D5910	2_2_039D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03949950	2_2_03949950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395B950	2_2_0395B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039438E0	2_2_039438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AD800	2_2_039AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03941F92	2_2_03941F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFFB1	2_2_039FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03903FD2	2_2_03903FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03903FD5	2_2_03903FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFF09	2_2_039FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03949EB0	2_2_03949EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395FDC0	2_2_0395FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F1D5A	2_2_039F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03943D40	2_2_03943D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F7D73	2_2_039F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFCF2	2_2_039FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B9C32	2_2_039B9C32

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: String function: 006D7F41 appears 35 times
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: String function: 006F0C63 appears 70 times
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: String function: 006F8A80 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 039BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0392B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03975130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 039AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03987E54 appears 111 times

Source: z1PURCHASEORDER.exe, 00000000.00000003.1441132568.00000000039D3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs z1PURCHASEORDER.exe
Source: z1PURCHASEORDER.exe, 00000000.00000003.1441470231.0000000003B7D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs z1PURCHASEORDER.exe

Source: z1PURCHASEORDER.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1701368119.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1700764927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal92.troj.evad.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_0073A0F4 GetLastError,FormatMessageW,

0_2_0073A0F4

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_007284F3 AdjustTokenPrivileges,CloseHandle,		0_2_007284F3
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_00728AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00728AA3

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_0073B3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0073B3BF

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_0074EF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0074EF21

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_0073C423 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0073C423

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_006D4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006D4FE9

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

File created: C:\Users\user\AppData\Local\Temp\aut2D22.tmp

Jump to behavior

Source: z1PURCHASEORDER.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: z1PURCHASEORDER.exe	ReversingLabs: Detection: 28%
Source: z1PURCHASEORDER.exe	Virustotal: Detection: 24%

Source: unknown	Process created: C:\Users\user\Desktop\z1PURCHASEORDER.exe "C:\Users\user\Desktop\z1PURCHASEORDER.exe"
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\z1PURCHASEORDER.exe"
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\z1PURCHASEORDER.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: z1PURCHASEORDER.exe

Static file information: File size 1199104 > 1048576

Source: z1PURCHASEORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: z1PURCHASEORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: z1PURCHASEORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: z1PURCHASEORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: z1PURCHASEORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: z1PURCHASEORDER.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: z1PURCHASEORDER.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: z1PURCHASEORDER.exe, 00000000.00000003.1439671739.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, z1PURCHASEORDER.exe, 00000000.00000003.1440282428.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1669510794.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1701067104.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1667683558.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1701067104.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: z1PURCHASEORDER.exe, 00000000.00000003.1439671739.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, z1PURCHASEORDER.exe, 00000000.00000003.1440282428.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1669510794.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1701067104.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1667683558.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1701067104.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp

Source: z1PURCHASEORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: z1PURCHASEORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: z1PURCHASEORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: z1PURCHASEORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: z1PURCHASEORDER.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_0074C104 LoadLibraryA,GetProcAddress,

0_2_0074C104

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006F8AC5 push ecx; ret	0_2_006F8AD8
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006E5524 push dword ptr [ecx+00h]; retf	0_2_006E552C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040203F push eax; retf	2_2_00402049
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004170E9 push esp; ret	2_2_004170EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411A00 push ss; ret	2_2_00411A1A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403350 push eax; ret	2_2_00403352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040ABBD push ebx; iretd	2_2_0040ABC4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00412408 push edi; retf	2_2_0041241F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00412413 push edi; retf	2_2_0041241F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D4D4 pushad ; ret	2_2_0040D4FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D626 push ebp; retf	2_2_0040D62A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D631 push eax; iretd	2_2_0040D656
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D63D push eax; iretd	2_2_0040D656
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004086A4 push esp; retf	2_2_004086B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00423F23 push esi; retf	2_2_00423F2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390225F pushad ; ret	2_2_039027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039027FA pushad ; ret	2_2_039027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039309AD push ecx; mov dword ptr [esp], ecx	2_2_039309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390283D push eax; iretd	2_2_03902858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03901368 push eax; iretd	2_2_03901369

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_006D4A35
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_007553DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007553DF

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_006F3307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_006F3307

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

API/Special instruction interceptor: Address: 138C26C

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0397096E rdtsc

2_2_0397096E

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-98678

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 5612

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0073449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0073449B
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0073C75D FindFirstFileW,FindClose,	0_2_0073C75D
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0073C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0073C7E8
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0073F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0073F021
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0073F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0073F17E
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0073F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0073F47F
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_00733833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00733833
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_00733B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00733B56
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0073BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0073BD48

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_006D4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006D4AFE

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

API call chain: ExitProcess graph end node

graph_0-97504

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0397096E rdtsc

2_2_0397096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004179C3 LdrLoadDll,

2_2_004179C3

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_0074401F BlockInput,

0_2_0074401F

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_006D3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_006D3B4C

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_00705BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00705BFC

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_0074C104 LoadLibraryA,GetProcAddress,

0_2_0074C104

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0138C538 mov eax, dword ptr fs:[00000030h]	0_2_0138C538
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0138C4D8 mov eax, dword ptr fs:[00000030h]	0_2_0138C4D8
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0138AEA8 mov eax, dword ptr fs:[00000030h]	0_2_0138AEA8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]	2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]	2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]	2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]	2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]	2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]	2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h]	2_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h]	2_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h]	2_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h]	2_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EC3CD mov eax, dword ptr fs:[00000030h]	2_2_039EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B63C0 mov eax, dword ptr fs:[00000030h]	2_2_039B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039663FF mov eax, dword ptr fs:[00000030h]	2_2_039663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C310 mov ecx, dword ptr fs:[00000030h]	2_2_0392C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov ecx, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950310 mov ecx, dword ptr fs:[00000030h]	2_2_03950310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]	2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]	2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]	2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov ecx, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA352 mov eax, dword ptr fs:[00000030h]	2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D8350 mov ecx, dword ptr fs:[00000030h]	2_2_039D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D437C mov eax, dword ptr fs:[00000030h]	2_2_039D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0634F mov eax, dword ptr fs:[00000030h]	2_2_03A0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h]	2_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h]	2_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]	2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]	2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]	2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h]	2_2_039402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h]	2_2_039402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]	2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]	2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]	2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A062D6 mov eax, dword ptr fs:[00000030h]	2_2_03A062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392823B mov eax, dword ptr fs:[00000030h]	2_2_0392823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A250 mov eax, dword ptr fs:[00000030h]	2_2_0392A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936259 mov eax, dword ptr fs:[00000030h]	2_2_03936259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h]	2_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h]	2_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B8243 mov eax, dword ptr fs:[00000030h]	2_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B8243 mov ecx, dword ptr fs:[00000030h]	2_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]	2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]	2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]	2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392826B mov eax, dword ptr fs:[00000030h]	2_2_0392826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0625D mov eax, dword ptr fs:[00000030h]	2_2_03A0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]	2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]	2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]	2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03970185 mov eax, dword ptr fs:[00000030h]	2_2_03970185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]	2_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]	2_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]	2_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]	2_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A061E5 mov eax, dword ptr fs:[00000030h]	2_2_03A061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]	2_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]	2_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039601F8 mov eax, dword ptr fs:[00000030h]	2_2_039601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov ecx, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F0115 mov eax, dword ptr fs:[00000030h]	2_2_039F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03960124 mov eax, dword ptr fs:[00000030h]	2_2_03960124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C156 mov eax, dword ptr fs:[00000030h]	2_2_0392C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C8158 mov eax, dword ptr fs:[00000030h]	2_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]	2_2_03A04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]	2_2_03A04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]	2_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]	2_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov ecx, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393208A mov eax, dword ptr fs:[00000030h]	2_2_0393208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F60B8 mov eax, dword ptr fs:[00000030h]	2_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039280A0 mov eax, dword ptr fs:[00000030h]	2_2_039280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C80A8 mov eax, dword ptr fs:[00000030h]	2_2_039C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B20DE mov eax, dword ptr fs:[00000030h]	2_2_039B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0392C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039720F0 mov ecx, dword ptr fs:[00000030h]	2_2_039720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0392A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039380E9 mov eax, dword ptr fs:[00000030h]	2_2_039380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B60E0 mov eax, dword ptr fs:[00000030h]	2_2_039B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B4000 mov ecx, dword ptr fs:[00000030h]	2_2_039B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6030 mov eax, dword ptr fs:[00000030h]	2_2_039C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A020 mov eax, dword ptr fs:[00000030h]	2_2_0392A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C020 mov eax, dword ptr fs:[00000030h]	2_2_0392C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932050 mov eax, dword ptr fs:[00000030h]	2_2_03932050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6050 mov eax, dword ptr fs:[00000030h]	2_2_039B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395C073 mov eax, dword ptr fs:[00000030h]	2_2_0395C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D678E mov eax, dword ptr fs:[00000030h]	2_2_039D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039307AF mov eax, dword ptr fs:[00000030h]	2_2_039307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E47A0 mov eax, dword ptr fs:[00000030h]	2_2_039E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B07C3 mov eax, dword ptr fs:[00000030h]	2_2_039B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]	2_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]	2_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]	2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]	2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]	2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_039BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930710 mov eax, dword ptr fs:[00000030h]	2_2_03930710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03960710 mov eax, dword ptr fs:[00000030h]	2_2_03960710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C700 mov eax, dword ptr fs:[00000030h]	2_2_0396C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]	2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396273C mov ecx, dword ptr fs:[00000030h]	2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]	2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AC730 mov eax, dword ptr fs:[00000030h]	2_2_039AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]	2_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]	2_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930750 mov eax, dword ptr fs:[00000030h]	2_2_03930750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BE75D mov eax, dword ptr fs:[00000030h]	2_2_039BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]	2_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]	2_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B4755 mov eax, dword ptr fs:[00000030h]	2_2_039B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396674D mov esi, dword ptr fs:[00000030h]	2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]	2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]	2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938770 mov eax, dword ptr fs:[00000030h]	2_2_03938770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]	2_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]	2_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039666B0 mov eax, dword ptr fs:[00000030h]	2_2_039666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0396C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]	2_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]	2_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972619 mov eax, dword ptr fs:[00000030h]	2_2_03972619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE609 mov eax, dword ptr fs:[00000030h]	2_2_039AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E627 mov eax, dword ptr fs:[00000030h]	2_2_0394E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03966620 mov eax, dword ptr fs:[00000030h]	2_2_03966620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968620 mov eax, dword ptr fs:[00000030h]	2_2_03968620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393262C mov eax, dword ptr fs:[00000030h]	2_2_0393262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394C640 mov eax, dword ptr fs:[00000030h]	2_2_0394C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03962674 mov eax, dword ptr fs:[00000030h]	2_2_03962674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]	2_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]	2_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]	2_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]	2_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E59C mov eax, dword ptr fs:[00000030h]	2_2_0396E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932582 mov eax, dword ptr fs:[00000030h]	2_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932582 mov ecx, dword ptr fs:[00000030h]	2_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964588 mov eax, dword ptr fs:[00000030h]	2_2_03964588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]	2_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]	2_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]	2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]	2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]	2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039365D0 mov eax, dword ptr fs:[00000030h]	2_2_039365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]	2_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]	2_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039325E0 mov eax, dword ptr fs:[00000030h]	2_2_039325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]	2_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]	2_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6500 mov eax, dword ptr fs:[00000030h]	2_2_039C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]	2_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]	2_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]	2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]	2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]	2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA49A mov eax, dword ptr fs:[00000030h]	2_2_039EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039644B0 mov ecx, dword ptr fs:[00000030h]	2_2_039644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_039BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039364AB mov eax, dword ptr fs:[00000030h]	2_2_039364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039304E5 mov ecx, dword ptr fs:[00000030h]	2_2_039304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]	2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]	2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]	2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A430 mov eax, dword ptr fs:[00000030h]	2_2_0396A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]	2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]	2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]	2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C427 mov eax, dword ptr fs:[00000030h]	2_2_0392C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA456 mov eax, dword ptr fs:[00000030h]	2_2_039EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392645D mov eax, dword ptr fs:[00000030h]	2_2_0392645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395245A mov eax, dword ptr fs:[00000030h]	2_2_0395245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]	2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]	2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]	2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC460 mov ecx, dword ptr fs:[00000030h]	2_2_039BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]	2_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]	2_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_039E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_039E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_039DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]	2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]	2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]	2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]	2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]	2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]	2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]	2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]	2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]	2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EBFC mov eax, dword ptr fs:[00000030h]	2_2_0395EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_039BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04B00 mov eax, dword ptr fs:[00000030h]	2_2_03A04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]	2_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]	2_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]	2_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]	2_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928B50 mov eax, dword ptr fs:[00000030h]	2_2_03928B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DEB50 mov eax, dword ptr fs:[00000030h]	2_2_039DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]	2_2_039E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]	2_2_039E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]	2_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]	2_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FAB40 mov eax, dword ptr fs:[00000030h]	2_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D8B42 mov eax, dword ptr fs:[00000030h]	2_2_039D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392CB7E mov eax, dword ptr fs:[00000030h]	2_2_0392CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968A90 mov edx, dword ptr fs:[00000030h]	2_2_03968A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04A80 mov eax, dword ptr fs:[00000030h]	2_2_03A04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]	2_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]	2_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986AA4 mov eax, dword ptr fs:[00000030h]	2_2_03986AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930AD0 mov eax, dword ptr fs:[00000030h]	2_2_03930AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]	2_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]	2_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]	2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]	2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]	2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]	2_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]	2_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BCA11 mov eax, dword ptr fs:[00000030h]	2_2_039BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]	2_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]	2_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA38 mov eax, dword ptr fs:[00000030h]	2_2_0396CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA24 mov eax, dword ptr fs:[00000030h]	2_2_0396CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EA2E mov eax, dword ptr fs:[00000030h]	2_2_0395EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]	2_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]	2_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]	2_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]	2_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]	2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]	2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]	2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DEA60 mov eax, dword ptr fs:[00000030h]	2_2_039DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B89B3 mov esi, dword ptr fs:[00000030h]	2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]	2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]	2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h]	2_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h]	2_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039649D0 mov eax, dword ptr fs:[00000030h]	2_2_039649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_039FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C69C0 mov eax, dword ptr fs:[00000030h]	2_2_039C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h]	2_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h]	2_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_039BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC912 mov eax, dword ptr fs:[00000030h]	2_2_039BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h]	2_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h]	2_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h]	2_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h]	2_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B892A mov eax, dword ptr fs:[00000030h]	2_2_039B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C892B mov eax, dword ptr fs:[00000030h]	2_2_039C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0946 mov eax, dword ptr fs:[00000030h]	2_2_039B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04940 mov eax, dword ptr fs:[00000030h]	2_2_03A04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h]	2_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h]	2_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC97C mov eax, dword ptr fs:[00000030h]	2_2_039BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h]	2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397096E mov edx, dword ptr fs:[00000030h]	2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h]	2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC89D mov eax, dword ptr fs:[00000030h]	2_2_039BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930887 mov eax, dword ptr fs:[00000030h]	2_2_03930887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0395E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A008C0 mov eax, dword ptr fs:[00000030h]	2_2_03A008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_039FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC810 mov eax, dword ptr fs:[00000030h]	2_2_039BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]	2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]	2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]	2_2_03952835

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_007281D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_007281D4

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006FA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_006FA2D5
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_006FA2A4 SetUnhandledExceptionFilter,		0_2_006FA2A4

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CC3008

Jump to behavior

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_00728A73 LogonUserW,

0_2_00728A73

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_006D3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_006D3B4C

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_006D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_006D4A35

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_00734CFA mouse_event,

0_2_00734CFA

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\z1PURCHASEORDER.exe"

Jump to behavior

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

0_2_007281D4

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_00734A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00734A08

Source: z1PURCHASEORDER.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: z1PURCHASEORDER.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_006F87AB cpuid

0_2_006F87AB

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_00705007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00705007

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_0071215F GetUserNameW,

0_2_0071215F

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_007040BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_007040BA

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe

Code function: 0_2_006D4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006D4AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1701368119.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1700764927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: z1PURCHASEORDER.exe	Binary or memory string: WIN_81
Source: z1PURCHASEORDER.exe	Binary or memory string: WIN_XP
Source: z1PURCHASEORDER.exe	Binary or memory string: WIN_XPe
Source: z1PURCHASEORDER.exe	Binary or memory string: WIN_VISTA
Source: z1PURCHASEORDER.exe	Binary or memory string: WIN_7
Source: z1PURCHASEORDER.exe	Binary or memory string: WIN_8
Source: z1PURCHASEORDER.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1701368119.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1700764927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_00746399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00746399
Source: C:\Users\user\Desktop\z1PURCHASEORDER.exe	Code function: 0_2_0074685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0074685D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	15 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
z1PURCHASEORDER.exe	29%	ReversingLabs	Win32.Trojan.Swotter
z1PURCHASEORDER.exe	25%	Virustotal		Browse
z1PURCHASEORDER.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528899
Start date and time:	2024-10-08 12:31:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	z1PURCHASEORDER.exe
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 47 Number of non-executed functions: 270
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
06:32:36	API Interceptor	3x Sleep call for process: svchost.exe modified

Process:	C:\Users\user\Desktop\z1PURCHASEORDER.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.990731142855584
Encrypted:	true
SSDEEP:	6144:yNliqdmZ57RYZ+BqjAwMUgaLYtdOTOu/ro:Siq4JA+XwgaEjwj/ro
MD5:	909E055FA907D841DF5F29B434290020
SHA1:	F36F5A82D166379E667D6BBB20862C7992B554F8
SHA-256:	CE64737FEC4E78C9D1C625DAE63B6B5BF3F71201A150138FDEC3EFA2FF653337
SHA-512:	999EC1A4EE98731D92A701823E23FC18D188B764E9ACEBA5DC99D0B48474C33F5C9D7C4E4850BA628933A6DC156898DE49029FC4ACA95D26E81F2840A2AD916C
Malicious:	false
Reputation:	low
Preview:	.....P60T.._..d.63..{U@...XP60TSMSVHTPSXP60TSMSVHTPSXP60.SMSXW.^S.Y...R..w.<9 x D_3!,>v+5>=7$.R1s?&8h=>s..e.9<)6xEYZwXP60TSMWA.m3?..P3.p31.N...jVW.I...t47.B...h3..!78n87.0TSMSVHT..XPz1USD..(TPSXP60T.MQWCU[SX.20TSMSVHTP.LP60DSMS&LTPS.P6 TSMQVHRPSXP60TUMSVHTPSX 20TQMSVHTPQX..0TCMSFHTPSHP6 TSMSVHDPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTP},5NDTSM..LTPCXP6fPSMCVHTPSXP60TSMSVhTP3XP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMS

C:\Users\user\AppData\Local\Temp\nonplacental

Download File

Process:	C:\Users\user\Desktop\z1PURCHASEORDER.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.990731142855584
Encrypted:	true
SSDEEP:	6144:yNliqdmZ57RYZ+BqjAwMUgaLYtdOTOu/ro:Siq4JA+XwgaEjwj/ro
MD5:	909E055FA907D841DF5F29B434290020
SHA1:	F36F5A82D166379E667D6BBB20862C7992B554F8
SHA-256:	CE64737FEC4E78C9D1C625DAE63B6B5BF3F71201A150138FDEC3EFA2FF653337
SHA-512:	999EC1A4EE98731D92A701823E23FC18D188B764E9ACEBA5DC99D0B48474C33F5C9D7C4E4850BA628933A6DC156898DE49029FC4ACA95D26E81F2840A2AD916C
Malicious:	false
Reputation:	low
Preview:	.....P60T.._..d.63..{U@...XP60TSMSVHTPSXP60TSMSVHTPSXP60.SMSXW.^S.Y...R..w.<9 x D_3!,>v+5>=7$.R1s?&8h=>s..e.9<)6xEYZwXP60TSMWA.m3?..P3.p31.N...jVW.I...t47.B...h3..!78n87.0TSMSVHT..XPz1USD..(TPSXP60T.MQWCU[SX.20TSMSVHTP.LP60DSMS&LTPS.P6 TSMQVHRPSXP60TUMSVHTPSX 20TQMSVHTPQX..0TCMSFHTPSHP6 TSMSVHDPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTP},5NDTSM..LTPCXP6fPSMCVHTPSXP60TSMSVhTP3XP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMSVHTPSXP60TSMS

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.1806627049183005
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	z1PURCHASEORDER.exe
File size:	1'199'104 bytes
MD5:	c4224dd3cd6d013992c9680812a7f946
SHA1:	753a273f0864ebeebbb05fab9767e714b31edd1c
SHA256:	4fd906a04bf473c85deb5f4689c592b97e0ec46c747ff130bec022956369f59d
SHA512:	999f18bdc58cf4b347dcab6d9b4cabf90274b6b7f6521314354867c0997b20310e7b9b514af70a2cc5256be741901648b42a3f436ee98e32567a19eac3025e04
SSDEEP:	24576:xCdxte/80jYLT3U1jfsWawqDLWXTtJkUq7qbxaiNWZ7Q:ww80cTsjkWaw4iDtJkUqgxeq
TLSH:	2B45CE2273DDC360CB769173BF69B7016EBF78610630B85B2F881D7DA950162162DBA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427f4a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67048781 [Tue Oct 8 01:14:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F476D1560BDh
jmp 00007F476D148E84h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F476D14900Ah
cmp edi, eax
jc 00007F476D14936Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F476D149009h
rep movsb
jmp 00007F476D14931Ch
cmp ecx, 00000080h
jc 00007F476D1491D4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F476D149010h
bt dword ptr [004BE324h], 01h
jc 00007F476D1494E0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F476D1491ADh
test edi, 00000003h
jne 00007F476D1491BEh
test esi, 00000003h
jne 00007F476D14919Dh
bt edi, 02h
jnc 00007F476D14900Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F476D149013h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F476D149065h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5c2c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x7130	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dd2e	0x8de00	c2c2260508750422d20cd5cbb116b146	False	0.5729952505506608	data	6.675875439961112	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	4513b58651e3d8d87c81a396e5b2f1d1	False	0.3353340955284553	OpenPGP Public Key	5.760731648769018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	c2de4a3d214eae7e87c7bfc06bd79775	False	0.1017530487804878	data	1.1988106744719143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5c2c0	0x5c400	4d4c72ae70b64204bfbb7acbf388d2cd	False	0.9285018631436315	data	7.896058052099251	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0x7130	0x7200	1254908a9a03d2bcf12045d49cd572b9	False	0.7703536184210527	data	6.782377328042204	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x53587	data			1.0003251480009256
RT_GROUP_ICON	0x122d40	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x122db8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x122dcc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x122de0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x122df4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x122ed0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	06:32:11
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\z1PURCHASEORDER.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z1PURCHASEORDER.exe"
Imagebase:	0x6d0000
File size:	1'199'104 bytes
MD5 hash:	C4224DD3CD6D013992C9680812A7F946
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:32:12
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z1PURCHASEORDER.exe"
Imagebase:	0x270000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1701368119.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1701368119.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1700764927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1700764927.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	80

Executed Functions

Function 006D3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006D3B7A
IsDebuggerPresent.KERNEL32 ref: 006D3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,007952F8,007952E0,?,?), ref: 006D3BFD

Part of subcall function 006D7D2C: _memmove.LIBCMT ref: 006D7D66

Part of subcall function 006E0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,006D3C26,007952F8,?,?,?), ref: 006E0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 006D3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00787770,00000010), ref: 0070D3EC
SetCurrentDirectoryW.KERNEL32(?,007952F8,?,?,?), ref: 0070D424
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00784260,007952F8,?,?,?), ref: 0070D4AA
ShellExecuteW.SHELL32(00000000,?,?), ref: 0070D4B1

Part of subcall function 006D3A58: GetSysColorBrush.USER32(0000000F), ref: 006D3A62
Part of subcall function 006D3A58: LoadCursorW.USER32(00000000,00007F00), ref: 006D3A71
Part of subcall function 006D3A58: LoadIconW.USER32(00000063), ref: 006D3A88
Part of subcall function 006D3A58: LoadIconW.USER32(000000A4), ref: 006D3A9A
Part of subcall function 006D3A58: LoadIconW.USER32(000000A2), ref: 006D3AAC
Part of subcall function 006D3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006D3AD2
Part of subcall function 006D3A58: RegisterClassExW.USER32(?), ref: 006D3B28

Part of subcall function 006D39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006D3A15
Part of subcall function 006D39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006D3A36
Part of subcall function 006D39E7: ShowWindow.USER32(00000000,?,?), ref: 006D3A4A
Part of subcall function 006D39E7: ShowWindow.USER32(00000000,?,?), ref: 006D3A53

Part of subcall function 006D43DB: _memset.LIBCMT ref: 006D4401
Part of subcall function 006D43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006D44A6

Strings

%v, xrefs: 006D3C56
runas, xrefs: 0070D4A5
This is a third-party compiled AutoIt script., xrefs: 0070D3E4

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%v
API String ID: 529118366-287773948
Opcode ID: c72ed2d5b24ce06abedf6cceb710ddd6df05effb98e588c5c4ab4a7d53167ec5
Instruction ID: 589e65712a49e543315ccb2b83900632aa845367f8ae8c8d5bfe020693a1b4ce
Opcode Fuzzy Hash: c72ed2d5b24ce06abedf6cceb710ddd6df05effb98e588c5c4ab4a7d53167ec5
Instruction Fuzzy Hash: F151DAB0D04358AADF12EBB4EC05DFD7B76BF44340F10816BF451A6391DA785A46CB2A

Function 006D4FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006D4EEE,?,?,00000000,00000000), ref: 006D4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006D4EEE,?,?,00000000,00000000), ref: 006D5010
LoadResource.KERNEL32(?,00000000,?,?,006D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,006D4F8F), ref: 0070DC90
SizeofResource.KERNEL32(?,00000000,?,?,006D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,006D4F8F), ref: 0070DCA5
LockResource.KERNEL32(Nm,?,?,006D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,006D4F8F,00000000), ref: 0070DCB8

Strings

Nm, xrefs: 0070DCB5
SCRIPT, xrefs: 006D5006

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$Nm
API String ID: 3051347437-3508647929
Opcode ID: 987da9a4d218c54b876fdc5ede0e3c8441b2b7538fcc6b76e316601185e60524
Instruction ID: 5562f0b4718aef060f3a650cb8c28c84fafbca68503ba8080734cc64be14f3fc
Opcode Fuzzy Hash: 987da9a4d218c54b876fdc5ede0e3c8441b2b7538fcc6b76e316601185e60524
Instruction Fuzzy Hash: D0115EB5600700BFE7318B65DC48FA77BBAEBC9B12F208169F406C6690DBA1EC018661

Function 006D4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006D4B2B

Part of subcall function 006D7D2C: _memmove.LIBCMT ref: 006D7D66

GetCurrentProcess.KERNEL32(?,0075FAEC,00000000,00000000,?), ref: 006D4BF8
IsWow64Process.KERNEL32(00000000), ref: 006D4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 006D4C45
FreeLibrary.KERNEL32(00000000), ref: 006D4C50
GetSystemInfo.KERNEL32(00000000), ref: 006D4C81
GetSystemInfo.KERNEL32(00000000), ref: 006D4C8D

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: a4e8965af4b468ffbbc983d196153323933066f08e303506e95d02021dcfdab4
Instruction ID: cc10c584b1294ac8b925a3e67faadc310d42f37916e7eed5d24c92f1aff05649
Opcode Fuzzy Hash: a4e8965af4b468ffbbc983d196153323933066f08e303506e95d02021dcfdab4
Instruction Fuzzy Hash: 8691C47194A7C4DBC731CB6885511AABFE6AF3A300B484A9FD0CB83B41D635ED08D759

Function 006DFE40 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%v, xrefs: 006DFE53
pby, xrefs: 00714D12

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: BuffCharUpper
String ID: pby$%v
API String ID: 3964851224-305120522
Opcode ID: 74d67a0bd995046beff7bd707884f5d00a3ea4407c3e85b9d84a7652aa560580
Instruction ID: cb879e8d7011692304cf91190a12113f1ebfc0894ec65d54c3c0ef425c5991cf
Opcode Fuzzy Hash: 74d67a0bd995046beff7bd707884f5d00a3ea4407c3e85b9d84a7652aa560580
Instruction Fuzzy Hash: 91927E71609341DFE720DF19C480B6AB7E2BF84304F14896DE98A9B392D775EC85CB92

Function 006DE800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Ddy, xrefs: 00713E87
Variable must be of type 'Object'., xrefs: 007141BB
Ddy, xrefs: 006DEC21
Ddy, xrefs: 006DEC1A
Ddy, xrefs: 00713E4E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID: Ddy$Ddy$Ddy$Ddy$Variable must be of type 'Object'.
API String ID: 0-813853314
Opcode ID: 010c4233c4eee4cf0725a7263d4af406676aded813d212c90b422332804cfd2a
Instruction ID: b1d3b52d3ec3919faf069bd114a0e3a891537c12803f26dbe035d342585aed27
Opcode Fuzzy Hash: 010c4233c4eee4cf0725a7263d4af406676aded813d212c90b422332804cfd2a
Instruction Fuzzy Hash: 78A26C75E00205CFCB24DF58C480AAEB7B2FF58314F64816AE916AF351D736AD82CB91

Function 0073449B Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0070E6F1), ref: 007344AB
FindFirstFileW.KERNELBASE(?,?), ref: 007344BC
FindClose.KERNEL32(00000000), ref: 007344CC

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 22b3db488269b991b6ce86f63a71cb6f19adf001473fafbb19fcd84039510f20
Instruction ID: 0031eb12dc97cbf2b4b9eee17f44e5c6d2916f01f0d3c387df90baa0510d3baf
Opcode Fuzzy Hash: 22b3db488269b991b6ce86f63a71cb6f19adf001473fafbb19fcd84039510f20
Instruction Fuzzy Hash: FBE0D832810500676614B738EC0D4ED775CAE06336F104725F935C20E1E7BC6D10859A

Function 006E0B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E0BBB
timeGetTime.WINMM ref: 006E0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E0FB3
Sleep.KERNEL32(0000000A), ref: 006E0FC1
LockWindowUpdate.USER32(00000000,?,?), ref: 006E105A
DestroyWindow.USER32 ref: 006E1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006E1080
Sleep.KERNEL32(0000000A,?,?), ref: 007151DC
TranslateMessage.USER32(?), ref: 00715FB9
DispatchMessageW.USER32(?), ref: 00715FC7
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00715FDB

Strings

@GUI_CTRLID, xrefs: 00715293
@TRAY_ID, xrefs: 00715AE8
pby, xrefs: 00715B0D
pby, xrefs: 007152B2
@GUI_WINHANDLE, xrefs: 007152E8
pby, xrefs: 00715307
pby, xrefs: 0071535C
@GUI_CTRLHANDLE, xrefs: 0071533D
@COM_EVENTOBJ, xrefs: 00715849

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pby$pby$pby$pby
API String ID: 4212290369-17411944
Opcode ID: 24e11a9a7ce91438257335443334eb417eb60bae4e755931eb389563bb553402
Instruction ID: 5e73110a57d00044f02da0c9c1367cbff8abed05c5150ab73cbe5972ba658c45
Opcode Fuzzy Hash: 24e11a9a7ce91438257335443334eb417eb60bae4e755931eb389563bb553402
Instruction Fuzzy Hash: BAB2F670609741DFD728DF28C884BAAB7E6FF84304F14891DE49987391D779E885CB86

Function 007391FE Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00739008: __time64.LIBCMT ref: 00739012

Part of subcall function 006D5045: _fseek.LIBCMT ref: 006D505D

__wsplitpath.LIBCMT ref: 007392DD

Part of subcall function 006F426E: __wsplitpath_helper.LIBCMT ref: 006F42AE

_wcscpy.LIBCMT ref: 007392F0
_wcscat.LIBCMT ref: 00739303
__wsplitpath.LIBCMT ref: 00739328
_wcscat.LIBCMT ref: 0073933E
_wcscat.LIBCMT ref: 00739351

Part of subcall function 0073904E: _memmove.LIBCMT ref: 00739087
Part of subcall function 0073904E: _memmove.LIBCMT ref: 00739096

_wcscmp.LIBCMT ref: 00739298

Part of subcall function 007397DD: _wcscmp.LIBCMT ref: 007398CD
Part of subcall function 007397DD: _wcscmp.LIBCMT ref: 007398E0

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007394FB
_wcsncpy.LIBCMT ref: 0073956E
DeleteFileW.KERNEL32(?,?), ref: 007395A4
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007395BA
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007395CB
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007395DD

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 2ecf0326bb228ec68535c0f8e0ff801fa3b2cdb12fa99aa9c089c74ee4174ed3
Instruction ID: d43fd8b7dd77e9818b9d1478b3173c720c311336786d82f4d6012125714a8112
Opcode Fuzzy Hash: 2ecf0326bb228ec68535c0f8e0ff801fa3b2cdb12fa99aa9c089c74ee4174ed3
Instruction Fuzzy Hash: 96C13BB1D0021DAADF21DF95CC85EDEB7BDEF54310F0040AAF609E6252DB749A848F65

Function 006D3019 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006D3074
RegisterClassExW.USER32(00000030), ref: 006D309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006D30AF
InitCommonControlsEx.COMCTL32(?), ref: 006D30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006D30DC
LoadIconW.USER32(000000A9), ref: 006D30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006D3101

Strings

TaskbarCreated, xrefs: 006D30A4
AutoIt v3 GUI, xrefs: 006D3090
+, xrefs: 006D305D
0, xrefs: 006D3056

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 39997e61fb470c69076da03e42080f7eccdb528d8a7675e00dac09f19beee45f
Instruction ID: b625d975ba465c09fa4012b8dc7c6308a4ae60803520c2d1a9707fb349de91d4
Opcode Fuzzy Hash: 39997e61fb470c69076da03e42080f7eccdb528d8a7675e00dac09f19beee45f
Instruction Fuzzy Hash: 113149B1D01319AFDB01CFA4DC88ADDBBF0FB09311F14856AE580EA2A0D7B94646CF95

Function 006D3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006D3074
RegisterClassExW.USER32(00000030), ref: 006D309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006D30AF
InitCommonControlsEx.COMCTL32(?), ref: 006D30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006D30DC
LoadIconW.USER32(000000A9), ref: 006D30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006D3101

Strings

TaskbarCreated, xrefs: 006D30A4
AutoIt v3 GUI, xrefs: 006D3090
+, xrefs: 006D305D
0, xrefs: 006D3056

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 4f7c7224f25bce070ac3a8eb433746a4976c81bedc2cfc6dfc5881ee1bf6db6b
Instruction ID: 0b7b40d1c30a25158429207b55cecdcc20e281029ca9768c21d9aa054fc353fd
Opcode Fuzzy Hash: 4f7c7224f25bce070ac3a8eb433746a4976c81bedc2cfc6dfc5881ee1bf6db6b
Instruction Fuzzy Hash: 0821F4B1D01718AFDB01DFA4EC88BDEBBF4FB08701F00812AF910A62A0D7B945458F99

Function 006D71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006D4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007952F8,?,006D37C0,?), ref: 006D4882

Part of subcall function 006F068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,006D72C5), ref: 006F06AD

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006D7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0070EC21
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0070EC62
RegCloseKey.ADVAPI32(?), ref: 0070ECA0
_wcscat.LIBCMT ref: 0070ECF9

Strings

Software\AutoIt v3\AutoIt, xrefs: 006D72FE
\, xrefs: 0070ED1C
\Include\, xrefs: 006D72C5
Include, xrefs: 0070EC18, 0070EC59

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 23a0020d2310068f1a3979823c4a5ce3080d38698bdf9016c5266ab634b3fc90
Instruction ID: 793e79abc15ef74a09e05c841e93c5cad5b81b0e2b9275d5402f48c10e0b5a7e
Opcode Fuzzy Hash: 23a0020d2310068f1a3979823c4a5ce3080d38698bdf9016c5266ab634b3fc90
Instruction Fuzzy Hash: E371A1715093019EC704DF25EC419ABBBE9FF88350F408A2FF445C32A1EB799949CB9A

Function 006D3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 006D36D2
KillTimer.USER32(?,00000001), ref: 006D36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006D371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006D372A
CreatePopupMenu.USER32 ref: 006D373E
PostQuitMessage.USER32(00000000), ref: 006D375F

Strings

TaskbarCreated, xrefs: 006D3725
%v, xrefs: 0070D201, 0070D24F

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%v
API String ID: 129472671-4049267007
Opcode ID: df54c8e8caa940298d6254bee398b862242c6a48e28934fcdf17dd6ae38d2eab
Instruction ID: a2916e403d0396a443021f9260bc165b6206296ba560258d6f9e72618ddab22e
Opcode Fuzzy Hash: df54c8e8caa940298d6254bee398b862242c6a48e28934fcdf17dd6ae38d2eab
Instruction Fuzzy Hash: ED4138B1900A65BBDF115B64EC09BB93797FB04300F10452BF502863E1DAB8DE02976B

Function 006D3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006D3A62
LoadCursorW.USER32(00000000,00007F00), ref: 006D3A71
LoadIconW.USER32(00000063), ref: 006D3A88
LoadIconW.USER32(000000A4), ref: 006D3A9A
LoadIconW.USER32(000000A2), ref: 006D3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006D3AD2
RegisterClassExW.USER32(?), ref: 006D3B28

Part of subcall function 006D3041: GetSysColorBrush.USER32(0000000F), ref: 006D3074
Part of subcall function 006D3041: RegisterClassExW.USER32(00000030), ref: 006D309E
Part of subcall function 006D3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006D30AF
Part of subcall function 006D3041: InitCommonControlsEx.COMCTL32(?), ref: 006D30CC
Part of subcall function 006D3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006D30DC
Part of subcall function 006D3041: LoadIconW.USER32(000000A9), ref: 006D30F2
Part of subcall function 006D3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006D3101

Strings

AutoIt v3, xrefs: 006D3B17
#, xrefs: 006D3B0D
0, xrefs: 006D3B06

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f8249e3ef612ccf759a0b766daca987cecec72d48ecc2efebe79d167238fd4b3
Instruction ID: 92b2dde89213c846b5a5172fed5468a988026d143cd893b8ca266e0a8322f148
Opcode Fuzzy Hash: f8249e3ef612ccf759a0b766daca987cecec72d48ecc2efebe79d167238fd4b3
Instruction Fuzzy Hash: 38214BB0D00328AFEB11DFA4EC09B9D7BB5FB08711F00816BE504A63A1D3B956418F88

Function 006D3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 006D3834
/AutoIt3OutputDebug, xrefs: 006D38A4
/AutoIt3ExecuteScript, xrefs: 006D38CE
/AutoIt3ExecuteLine, xrefs: 006D38B9
CMDLINERAW, xrefs: 006D380D
/ErrorStdOut, xrefs: 006D388F
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 006D37C0
Ry, xrefs: 0070D37E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$Ry
API String ID: 1825951767-3154507284
Opcode ID: 21b9ce0ef4c7259c73b370daa6a274ee12a4375e8fb143c7ea227be2d4f4b0d2
Instruction ID: 492377edee0f425c5541080578112148bb8d69211130d805bca3d04199c47f6c
Opcode Fuzzy Hash: 21b9ce0ef4c7259c73b370daa6a274ee12a4375e8fb143c7ea227be2d4f4b0d2
Instruction Fuzzy Hash: E0A14FB2C102299ACB55EBA0DC95EEEB77ABF14300F44052FE412B7391EF745A09CB65

Function 006DF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F02E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006F0313
Part of subcall function 006F02E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 006F031B
Part of subcall function 006F02E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006F0326
Part of subcall function 006F02E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006F0331
Part of subcall function 006F02E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 006F0339
Part of subcall function 006F02E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 006F0341

Part of subcall function 006E6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,006DFA90), ref: 006E62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006DFB2D
OleInitialize.OLE32(00000000), ref: 006DFBAA
CloseHandle.KERNEL32(00000000), ref: 00714921

Strings

Sy, xrefs: 006DF94B
<Wy, xrefs: 006DFA90
%v, xrefs: 006DF8F6, 006DF908, 006DFACE, 006DFBB1
\Ty, xrefs: 006DF957

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <Wy$\Ty$%v$Sy
API String ID: 1986988660-633510519
Opcode ID: eacc36e668fc6e1c96e4ad76d59229607ec9b982a7693975fa18d578b89e329b
Instruction ID: b52ee37a6bf1cd2ff478b8b92175f52691d5988cca80e1df343a890b6eb47a65
Opcode Fuzzy Hash: eacc36e668fc6e1c96e4ad76d59229607ec9b982a7693975fa18d578b89e329b
Instruction Fuzzy Hash: 8681CAB0905AA08FC7C6DF79A9456197BE6AB8830A350C13B9409CB372EB7C44868F59

Function 0138B628 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0138B6F9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0138B91F

Memory Dump Source

Source File: 00000000.00000002.1448929528.0000000001389000.00000040.00000020.00020000.00000000.sdmp, Offset: 01389000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1389000_z1PURCHASEORDER.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: d559231bd0928c172431f0f4503897f79c006cee58bea8f55d07d4d9d279fc27
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: F4A1E474E10309EFDB14EBA8C894BEEBBB5BF48308F208159E615BB284D7759A41CB54

Function 006D39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006D3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006D3A36
ShowWindow.USER32(00000000,?,?), ref: 006D3A4A
ShowWindow.USER32(00000000,?,?), ref: 006D3A53

Strings

AutoIt v3, xrefs: 006D3A0D, 006D3A12, 006D3A13
edit, xrefs: 006D3A30

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ae892db3183a81ec1d031820f713192e584707ae47e44075d4b5edf4ca62bb49
Instruction ID: f7d4c183f6a1c3e5d872d335f990189ed554cdc086277834418babc5841a9a41
Opcode Fuzzy Hash: ae892db3183a81ec1d031820f713192e584707ae47e44075d4b5edf4ca62bb49
Instruction Fuzzy Hash: 87F0D0B15416A07EEA3257176C49E672F7DE7C6F61B00812EF904A21B0C6A91852DBB8

Function 0138B3E8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0138B2D8: Sleep.KERNELBASE(000001F4), ref: 0138B2E9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0138B518

Strings

HTPSXP60TSMSV, xrefs: 0138B57B, 0138B57E

Memory Dump Source

Source File: 00000000.00000002.1448929528.0000000001389000.00000040.00000020.00020000.00000000.sdmp, Offset: 01389000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1389000_z1PURCHASEORDER.jbxd

Similarity

API ID: CreateFileSleep
String ID: HTPSXP60TSMSV
API String ID: 2694422964-3515363255
Opcode ID: da9fa9496b1e13b8c72b8893d3d0db3901684908e74ef64f38909ecadd5c3704
Instruction ID: 28c563c36958349ce4bcce533320a8166a858d4b6c60c087b880a6f28fd96676
Opcode Fuzzy Hash: da9fa9496b1e13b8c72b8893d3d0db3901684908e74ef64f38909ecadd5c3704
Instruction Fuzzy Hash: A2517130D14349EBEF11DBA4C854BEEBB79AF58704F004199E609BB2C0DBB90B45CBA5

Function 006D410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0070D51C

Part of subcall function 006D7D2C: _memmove.LIBCMT ref: 006D7D66

_memset.LIBCMT ref: 006D418D
_wcscpy.LIBCMT ref: 006D41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006D41F1

Strings

Line: , xrefs: 0070D545

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 0e7d7268e9445c4a6db4566c0d5b8a6ae935cbb7edf9d7649a52ec4497835380
Instruction ID: 4a58acf06990ab9532d56c0cdc9a3da12b1e1d5709ff992ddd5de314320e046e
Opcode Fuzzy Hash: 0e7d7268e9445c4a6db4566c0d5b8a6ae935cbb7edf9d7649a52ec4497835380
Instruction Fuzzy Hash: AC31E4718083149FD762EB60DC45BEB77E9AF44304F10461FF18592291EF749A49C78B

Function 006D69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 006D4F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 006D4F6F

_free.LIBCMT ref: 0070E5BC
_free.LIBCMT ref: 0070E603

Part of subcall function 006D6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 006D6D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0070E392
Bad directive syntax error, xrefs: 0070E5EB

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 224773bd3a2b390833dcf701caa4d53bcb504eae21310a9479bfd6719e49030a
Instruction ID: 87a0450431e55eb3a9ec7e668230817c4ced36b68c4b47c9846aa14fe9a0ad61
Opcode Fuzzy Hash: 224773bd3a2b390833dcf701caa4d53bcb504eae21310a9479bfd6719e49030a
Instruction Fuzzy Hash: 74917A71D10259EFCF14EFA4CC919EDB7B5BF08314F14492AF816AB2A1EB38A914CB54

Function 006D35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006D35A1,SwapMouseButtons,00000004,?), ref: 006D35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006D35A1,SwapMouseButtons,00000004,?,?,?,?,006D2754), ref: 006D35F5
RegCloseKey.KERNELBASE(00000000,?,?,006D35A1,SwapMouseButtons,00000004,?,?,?,?,006D2754), ref: 006D3617

Strings

Control Panel\Mouse, xrefs: 006D35D2

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e62ebd31a33a84caa8639459e996239736e6c1820c59a8da9d04da54dac31119
Instruction ID: fac3a66b0b00dc34260c3a6c69bda99f5c2a62483a461f1cc14a158195fc7765
Opcode Fuzzy Hash: e62ebd31a33a84caa8639459e996239736e6c1820c59a8da9d04da54dac31119
Instruction Fuzzy Hash: E9113375A10268BADB208F64DC80EEABBA9EF04740F00846AE809D7310E2719E409BA5

Function 0138A2D8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0138AA93
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0138AB29
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0138AB4B

Memory Dump Source

Source File: 00000000.00000002.1448929528.0000000001389000.00000040.00000020.00020000.00000000.sdmp, Offset: 01389000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1389000_z1PURCHASEORDER.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: 2688a4d81ed935abcec8fae3260f2a96189d53dd1d3c6acbd1648dca9456c8f9
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: 7F621C30A14618DBEB24DFA4C850BDEB376EF58304F1095A9D20DEB390E7799E81CB59

Function 00739604 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 006D5045: _fseek.LIBCMT ref: 006D505D

Part of subcall function 007397DD: _wcscmp.LIBCMT ref: 007398CD
Part of subcall function 007397DD: _wcscmp.LIBCMT ref: 007398E0

_free.LIBCMT ref: 0073974B
_free.LIBCMT ref: 00739752
_free.LIBCMT ref: 007397BD

Part of subcall function 006F2ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,006F9BA4), ref: 006F2EE9
Part of subcall function 006F2ED5: GetLastError.KERNEL32(00000000,?,006F9BA4), ref: 006F2EFB

_free.LIBCMT ref: 007397C5

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: e7380544773663296b0c3136f1e3976d6f6c9a32d6817a33089202c8b0d22308
Instruction ID: 0bf21b88e1c1d42c399372369857a3c9c6a8e49135ec678576a6741b0533d590
Opcode Fuzzy Hash: e7380544773663296b0c3136f1e3976d6f6c9a32d6817a33089202c8b0d22308
Instruction Fuzzy Hash: 9A5160B1D04219AFDF649F64CC85AAEBB7AEF48310F10049EF609A7342DB755A80CF58

Function 006F487A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006F4910
__flush.LIBCMT ref: 006F4930
__write.LIBCMT ref: 006F4963
__flsbuf.LIBCMT ref: 006F4991

Part of subcall function 006F8CA8: __getptd_noexit.LIBCMT ref: 006F8CA8

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
Instruction ID: 76d92a8f64a17c90b0ebce1dba4c56f59ed11c9a1d62233f3c4a532ce704a0bb
Opcode Fuzzy Hash: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
Instruction Fuzzy Hash: F241C531B0474EABDB188E69C8819BF77A7AF443A0B24857DEA55C7B80DEB0DD418B44

Function 006D4DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006D4E1A

Strings

EA06, xrefs: 0070DC25
AU3!P/v, xrefs: 006D4E14

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/v$EA06
API String ID: 4104443479-2268320372
Opcode ID: 802cc36beabb0fad290d86f2978399c35877494a39195fbed2dceee7036dea5f
Instruction ID: 5e30e207497dbf2e01c4747a1109eaa6e6fca89906e8f59a24ec7e3629af5515
Opcode Fuzzy Hash: 802cc36beabb0fad290d86f2978399c35877494a39195fbed2dceee7036dea5f
Instruction Fuzzy Hash: D8415C61E04258BBDF219B6488917BE7FA7AF45300F68406BEC82DB382CE359D4587E1

Function 006D73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0070ED92
GetOpenFileNameW.COMDLG32(?), ref: 0070EDDC

Part of subcall function 006D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D48A1,?,?,006D37C0,?), ref: 006D48CE

Part of subcall function 006F0911: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006F0930

Strings

X, xrefs: 0070EDAA

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: e73136d8d92e6a5f4b99b123f3a1e54279d362dff24405cac30f934f805ec6a3
Instruction ID: b4fa168b56f6e9c207b5690437d6b8b57ad4af49b16814f3cc5472ba59b24900
Opcode Fuzzy Hash: e73136d8d92e6a5f4b99b123f3a1e54279d362dff24405cac30f934f805ec6a3
Instruction Fuzzy Hash: 2821A170E002589BDB51DF94CC45BEE7BFAAF48304F04801AE508A7381DFB859898BA6

Function 0073998C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 007399A1
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 007399B8

Strings

aut, xrefs: 007399B2

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 27d1448a4255222eebba42f79123bbb8f47ff34bceb17cb51b868499cbcf2039
Instruction ID: 3f810a0c62ff5f8f96d0b61cbe8fe94b1edc701196563ca903230f4da6b9aabd
Opcode Fuzzy Hash: 27d1448a4255222eebba42f79123bbb8f47ff34bceb17cb51b868499cbcf2039
Instruction Fuzzy Hash: 50D05EB998030DABDB50BBA0DC0EFDA773CE704701F4042B1FA54960A1EAB495988B96

Function 0074CBF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8556eaa5da9a05cf8c323025be23e9401799f611d1db20c53008f87e4c26415
Instruction ID: a4696cd21e28a97fd836cdff04a97d505c29e2bce5ec105fa193d1bffa5ecc25
Opcode Fuzzy Hash: f8556eaa5da9a05cf8c323025be23e9401799f611d1db20c53008f87e4c26415
Instruction Fuzzy Hash: 02F13571A083119FCB64DF28C484A6ABBE5FF88314F14892EF8999B351D735E945CF82

Function 006D43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006D4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 006D44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 006D44C3

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 3881c7e85e97501f1c69af0e6710a8ac7fcd2a46d859992fbcf14605054961b2
Instruction ID: ca6b07ed2ed31ea3e92ddb0e29484643ae8a9a66e2d8f0627e6bdcfdbaadc51c
Opcode Fuzzy Hash: 3881c7e85e97501f1c69af0e6710a8ac7fcd2a46d859992fbcf14605054961b2
Instruction Fuzzy Hash: 20318EB09047118FD721DF64D88469BBBE9FB48308F00492FF59A82351DBB5AD84CB96

Function 006F588C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 006F58A3

Part of subcall function 006FA2EB: __NMSG_WRITE.LIBCMT ref: 006FA312
Part of subcall function 006FA2EB: __NMSG_WRITE.LIBCMT ref: 006FA31C

__NMSG_WRITE.LIBCMT ref: 006F58AA

Part of subcall function 006FA348: GetModuleFileNameW.KERNEL32(00000000,007933BA,00000104,?,00000001,00000000), ref: 006FA3DA
Part of subcall function 006FA348: ___crtMessageBoxW.LIBCMT ref: 006FA488

Part of subcall function 006F321F: ___crtCorExitProcess.LIBCMT ref: 006F3225
Part of subcall function 006F321F: ExitProcess.KERNEL32 ref: 006F322E

Part of subcall function 006F8CA8: __getptd_noexit.LIBCMT ref: 006F8CA8

RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000000,?,?,?,006F0F53,?), ref: 006F58CF

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: f059ffcc44fe38473419b58717d3b1ad2b2f24eecc50ede441f95ae35201bcde
Instruction ID: fa17fc7818f77e2ac0e93e5584f80342f63386c97917359c60c5760552a1def0
Opcode Fuzzy Hash: f059ffcc44fe38473419b58717d3b1ad2b2f24eecc50ede441f95ae35201bcde
Instruction Fuzzy Hash: 6C01D231341B2D9AD65427749C52A7E735BDF817A0B10012AF712AB282DFB09E014669

Function 0073994B Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007395F1,?,?,?,?,?,00000004), ref: 00739964
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007395F1,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0073997A
CloseHandle.KERNEL32(00000000,?,007395F1,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00739981

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 06bbfd29e62e1a883de36c94ae781237c9a15d183a9f69dc1be79b6fcb95ca22
Instruction ID: 6d92077d59974afc589e7039d1e072607329e304e41126b0d618fd66e98d8bc7
Opcode Fuzzy Hash: 06bbfd29e62e1a883de36c94ae781237c9a15d183a9f69dc1be79b6fcb95ca22
Instruction Fuzzy Hash: 11E08632141728B7EB212B54EC09FDA7F18AB45761F108220FB54A90E087F52911979C

Function 00738DB6 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00738DC4

Part of subcall function 006F2ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,006F9BA4), ref: 006F2EE9
Part of subcall function 006F2ED5: GetLastError.KERNEL32(00000000,?,006F9BA4), ref: 006F2EFB

_free.LIBCMT ref: 00738DD5
_free.LIBCMT ref: 00738DE7

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3221efda5ec1aeb3564d3aaca8a62a8878e7642d45a62f0f0d26450024f2f6e1
Instruction ID: fa0bf962da5113e02916313c6a4eb06850dd3878aa23ccb937885c8baaa4cf27
Opcode Fuzzy Hash: 3221efda5ec1aeb3564d3aaca8a62a8878e7642d45a62f0f0d26450024f2f6e1
Instruction Fuzzy Hash: 20E012A171170643DAA465786950EA313ED5F9C361B64081EB949D7583CE38F8818568

Function 006DAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0070FF5A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: f785e57e40c75738d043c8a6f81dd03629948c7fad4ee585f02361e93388b184
Instruction ID: 84c4b9631980420612c8991a26920b6f650d2228ab90aba1ce08ae34e6d72793
Opcode Fuzzy Hash: f785e57e40c75738d043c8a6f81dd03629948c7fad4ee585f02361e93388b184
Instruction Fuzzy Hash: 3A225970908341CFDB24DF54C494B6AB7E2BF84304F15896EE88A8B362D775ED85CB86

Function 006D492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 006D4992

Part of subcall function 006F34EC: __lock.LIBCMT ref: 006F34F2
Part of subcall function 006F34EC: DecodePointer.KERNEL32(00000001,?,006D49A7,00727F9C), ref: 006F34FE
Part of subcall function 006F34EC: EncodePointer.KERNEL32(?,?,006D49A7,00727F9C), ref: 006F3509

Part of subcall function 006D4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 006D4A73
Part of subcall function 006D4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006D4A88

Part of subcall function 006D3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006D3B7A
Part of subcall function 006D3B4C: IsDebuggerPresent.KERNEL32 ref: 006D3B8C
Part of subcall function 006D3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,007952F8,007952E0,?,?), ref: 006D3BFD
Part of subcall function 006D3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 006D3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006D49D2

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: e8b8aa7bbc1eba0baa2eec62912517c26536dbb31597a97e042051e7482b386b
Instruction ID: f945f73ab8a3a7571d9b6be3ae2556959281a5bd51311b6bfe829d6b05f6412e
Opcode Fuzzy Hash: e8b8aa7bbc1eba0baa2eec62912517c26536dbb31597a97e042051e7482b386b
Instruction Fuzzy Hash: 8F119DB18043219BC710EF69E84591AFFE9FB88710F00891FF045873B1DBB49A46CB9A

Function 006F0F36 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006F588C: __FF_MSGBANNER.LIBCMT ref: 006F58A3
Part of subcall function 006F588C: __NMSG_WRITE.LIBCMT ref: 006F58AA
Part of subcall function 006F588C: RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000000,?,?,?,006F0F53,?), ref: 006F58CF

std::exception::exception.LIBCMT ref: 006F0F6C
__CxxThrowException@8.LIBCMT ref: 006F0F81

Part of subcall function 006F871B: RaiseException.KERNEL32(?,?,?,00789E78,00000000,?,?,?,?,006F0F86,?,00789E78,?,00000001), ref: 006F8770

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: beceb6822caf245e953721e235ce269911c4252cf7f8c9f7f441b3aa96f3a81c
Instruction ID: 2ffb122c790b22b56ed537f475b5c407c4a6be86e4ac94472c2a6c1b35e49e23
Opcode Fuzzy Hash: beceb6822caf245e953721e235ce269911c4252cf7f8c9f7f441b3aa96f3a81c
Instruction Fuzzy Hash: B7F0F43190521D6ADB20BA98EC019FE7BAE9F00350F200469FF09D6283DF708E5182D9

Function 006F5516 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006F8CA8: __getptd_noexit.LIBCMT ref: 006F8CA8

__lock_file.LIBCMT ref: 006F555B

Part of subcall function 006F6D8E: __lock.LIBCMT ref: 006F6DB1

__fclose_nolock.LIBCMT ref: 006F5566

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 0ec63baa3c92b798561bf8fb32a0e1852c1ab784cad9bb357ffb80e7dc198c5a
Instruction ID: 437ba42295fee83124b419aea2ae52f3e8ca35f7eac8c0f528239be789cb797a
Opcode Fuzzy Hash: 0ec63baa3c92b798561bf8fb32a0e1852c1ab784cad9bb357ffb80e7dc198c5a
Instruction Fuzzy Hash: 94F09071905A0C9EEB506B7988027BE66A36F41331F14824DB716AB1C1DB7C8D029B5A

Function 0138A2D5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0138AA93
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0138AB29
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0138AB4B

Memory Dump Source

Source File: 00000000.00000002.1448929528.0000000001389000.00000040.00000020.00020000.00000000.sdmp, Offset: 01389000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1389000_z1PURCHASEORDER.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 7b25a8d2d093c0b16fba93b09e267cc824f01e3f0e42ef2b5dbb5d775c684ce9
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: C412CE24E14658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 006D766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006D774A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 2bfb27314d905280b056b4b7b5233f1a1f420e589514f8b07931f4aa42e02bde
Instruction ID: bc94e342ce92c6ae3396f632ec8576d2d2a200e5afe679733ca2c1b0eef5c0cc
Opcode Fuzzy Hash: 2bfb27314d905280b056b4b7b5233f1a1f420e589514f8b07931f4aa42e02bde
Instruction Fuzzy Hash: F831B479A09A02DFD7249F19D490971F7E2FF09320714C56EE9898B7A5F730E882CB85

Function 006F0D88 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 006F0E37

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: c6d4df6de196a1b058258a1e0a5a6465ba11f4ae5daf84dd7a70b0f1e20bf77a
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1F31C874A00109DFE719DF58D4859A9FBB6FF49300B6486A5E509CB356DB31EDC1CB80

Function 00710005 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00710010

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2556c89564b1a9447106c75c6284168be09a3b984211e4ccf81c6626b4114a41
Instruction ID: f206e03c2de17d8b79337b68bf377aa3eab8441a1ee2558a9f8cdb55bcc4bac7
Opcode Fuzzy Hash: 2556c89564b1a9447106c75c6284168be09a3b984211e4ccf81c6626b4114a41
Instruction Fuzzy Hash: F6412B74908341CFDB14DF14C444B5ABBE2BF45318F19889DE8858B362C776E885CB96

Function 006D4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D4D13: FreeLibrary.KERNEL32(00000000,?), ref: 006D4D4D

Part of subcall function 006F53CB: __wfsopen.LIBCMT ref: 006F53D6

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 006D4F6F

Part of subcall function 006D4CC8: FreeLibrary.KERNEL32(00000000), ref: 006D4D02

Part of subcall function 006D4DD0: _memmove.LIBCMT ref: 006D4E1A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: f3787ac1454692bf03e295ea7bd78e4ad48b5d5e454a7e0c70826d275204903b
Instruction ID: 334b07357bb13f3668c19da4edfcc21aba8c59f7ca0b7e913a76c94b384aeb93
Opcode Fuzzy Hash: f3787ac1454692bf03e295ea7bd78e4ad48b5d5e454a7e0c70826d275204903b
Instruction Fuzzy Hash: FB11EB32A40709ABDB20BF70CC16FAE77A69F40701F10842EF541A63C1DFB55E059764

Function 007100DE Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 007100EA

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: fc0513110e3a689a231e788bcee8cbeb44071f725738aa0b286b898a9c602714
Instruction ID: 38c52d76173489782458dbc56dd95328d61f8ab3fe7c4a548c1db953174fdf13
Opcode Fuzzy Hash: fc0513110e3a689a231e788bcee8cbeb44071f725738aa0b286b898a9c602714
Instruction Fuzzy Hash: 7E2162B0908341CFDB24DF54C844B5ABBE2BF88304F04896CE88A47362C771E849DB97

Function 006F49D3 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 006F4A16

Part of subcall function 006F8CA8: __getptd_noexit.LIBCMT ref: 006F8CA8

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: aae4b3e43960080fc322bab0b3b2501a78a8e2edca06404ca1e2a7bfa67eca46
Instruction ID: f52fb26218650fa6e6d787d557df96bc9a2caafcd425dd46c7403a5bfd8d262f
Opcode Fuzzy Hash: aae4b3e43960080fc322bab0b3b2501a78a8e2edca06404ca1e2a7bfa67eca46
Instruction Fuzzy Hash: 40F08C3194024DABDF51AF748C063FF36A2AF00365F048558B624AB1A1DF788911DB59

Function 006D4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 006D4FDE

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8db5cccf8b4630bab0efbb7aaecc6e6c0037e602775f887103b536fb3472b604
Instruction ID: 1950ec5db8ea9b67c84ee5f57feb6864a8738587cec08384bf6f1cd92fba0c7e
Opcode Fuzzy Hash: 8db5cccf8b4630bab0efbb7aaecc6e6c0037e602775f887103b536fb3472b604
Instruction Fuzzy Hash: 19F03971905B12CFCB349F64E494862BBE2AF843293208A3FE2D782720CB31AC40DF40

Function 006F0911 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006F0930

Part of subcall function 006D7D2C: _memmove.LIBCMT ref: 006D7D66

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: a3afe6f7c4b6830dbcc41f66b1f3ff9cd97f95e7f0b57b0b6c18bc98c782ad06
Instruction ID: b9b850268802042f2ad70164a23eb99f173550da93d321f3c1ae85ae291da8a1
Opcode Fuzzy Hash: a3afe6f7c4b6830dbcc41f66b1f3ff9cd97f95e7f0b57b0b6c18bc98c782ad06
Instruction Fuzzy Hash: 3AE0CD76A0522897C720E6589C05FFA77EDDF88791F0441B6FC0CD7344D9A45C818695

Function 006F53CB Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 006F53D6

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 240b776d96947a7023d1f776426a416a9afa487352e39822eb7dea7852a5b6de
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 10B0927644020C77CE012A86EC02A593F5A9B407A4F408020FB0C181A2A6B3AA649689

Function 0138B2D8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0138B2E9

Memory Dump Source

Source File: 00000000.00000002.1448929528.0000000001389000.00000040.00000020.00020000.00000000.sdmp, Offset: 01389000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1389000_z1PURCHASEORDER.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 8ad5da1715d669159b5e8df4054f315fda965676c403bbe6f7fdbb9ef6728f4d
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: B9E0E67494020EDFDB00EFB4D64969D7BB4EF04301F100161FD01D2280D6709E508A62

Non-executed Functions

Function 0075CB26 Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0075CBA1
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0075CBFF
GetWindowLongW.USER32(?,000000F0), ref: 0075CC40
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0075CC6A
SendMessageW.USER32 ref: 0075CC93
_wcsncpy.LIBCMT ref: 0075CCFF
GetKeyState.USER32(00000011), ref: 0075CD20
GetKeyState.USER32(00000009), ref: 0075CD2D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0075CD43
GetKeyState.USER32(00000010), ref: 0075CD4D
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0075CD76
SendMessageW.USER32 ref: 0075CD9D
SendMessageW.USER32(?,00001030,?,0075B37C), ref: 0075CEA1
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0075CEB7
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0075CECA
SetCapture.USER32(?), ref: 0075CED3
ClientToScreen.USER32(?,?), ref: 0075CF38
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0075CF45
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0075CF5F
ReleaseCapture.USER32 ref: 0075CF6A
GetCursorPos.USER32(?), ref: 0075CFA4
ScreenToClient.USER32(?,?), ref: 0075CFB1
SendMessageW.USER32(?,00001012,00000000,?), ref: 0075D00D
SendMessageW.USER32 ref: 0075D03B
SendMessageW.USER32(?,00001111,00000000,?), ref: 0075D078
SendMessageW.USER32 ref: 0075D0A7
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0075D0C8
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0075D0D7
GetCursorPos.USER32(?), ref: 0075D0F7
ScreenToClient.USER32(?,?), ref: 0075D104
GetParent.USER32(?), ref: 0075D124
SendMessageW.USER32(?,00001012,00000000,?), ref: 0075D18D
SendMessageW.USER32 ref: 0075D1BE
ClientToScreen.USER32(?,?), ref: 0075D21C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0075D24C
SendMessageW.USER32(?,00001111,00000000,?), ref: 0075D276
SendMessageW.USER32 ref: 0075D299
ClientToScreen.USER32(?,?), ref: 0075D2EB
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0075D31F

Part of subcall function 006D25DB: GetWindowLongW.USER32(?,000000EB), ref: 006D25EC

GetWindowLongW.USER32(?,000000F0), ref: 0075D3BB

Strings

F, xrefs: 0075D29F
pby, xrefs: 0075CF19
@GUI_DRAGID, xrefs: 0075CF06

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pby
API String ID: 3977979337-733098577
Opcode ID: 0903240b2f7bc6791466edad06c88a90ff57dc6b2097ae401ea27e35c6b69d2a
Instruction ID: 2b03ec351316106349e1a649e40823273adb9df217fbcf87ca74bc18b02e016d
Opcode Fuzzy Hash: 0903240b2f7bc6791466edad06c88a90ff57dc6b2097ae401ea27e35c6b69d2a
Instruction Fuzzy Hash: 0642BB70604341AFDB22CF24C844FAABBE5FF49312F14496DF955972A0C7BAD848CB96

Function 006E70FE Relevance: 54.0, APIs: 19, Strings: 9, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006E7323
_memset.LIBCMT ref: 006E7699
_memmove.LIBCMT ref: 006E780C

Strings

]x, xrefs: 00721D78
\b(?=\w), xrefs: 00723ABF
\b(?<=\w), xrefs: 00723AC9
P\x, xrefs: 00721E0E
[:>:]], xrefs: 006E75F2
[:<:]], xrefs: 006E75D9
Q\E, xrefs: 006E812B
Oan, xrefs: 00722721
DEFINE, xrefs: 00722459

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]x$DEFINE$Oan$P\x$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1467149932
Opcode ID: 306ff86722e551a0a59e7acd5f9a79733bc88df28aa1c80c3aa13cd86133989d
Instruction ID: 7b43b66e991524e2fd1513b442dc504b5ed185434315e37e063849b284b43bd1
Opcode Fuzzy Hash: 306ff86722e551a0a59e7acd5f9a79733bc88df28aa1c80c3aa13cd86133989d
Instruction Fuzzy Hash: B093B471A00365DFDB24CF59D881BADB7B1FF48710F24816AE945AB381E7789E82CB50

Function 006D4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 006D4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0070D9BE
IsIconic.USER32(?), ref: 0070D9C7
ShowWindow.USER32(?,00000009), ref: 0070D9D4
SetForegroundWindow.USER32(?), ref: 0070D9DE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0070D9F4
GetCurrentThreadId.KERNEL32 ref: 0070D9FB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0070DA07
AttachThreadInput.USER32(?,00000000,00000001), ref: 0070DA18
AttachThreadInput.USER32(?,00000000,00000001), ref: 0070DA20
AttachThreadInput.USER32(00000000,?,00000001), ref: 0070DA28
SetForegroundWindow.USER32(?), ref: 0070DA2B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070DA40
keybd_event.USER32(00000012,00000000), ref: 0070DA4B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070DA55
keybd_event.USER32(00000012,00000000), ref: 0070DA5A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070DA63
keybd_event.USER32(00000012,00000000), ref: 0070DA68
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070DA72
keybd_event.USER32(00000012,00000000), ref: 0070DA77
SetForegroundWindow.USER32(?), ref: 0070DA7A
AttachThreadInput.USER32(?,?,00000000), ref: 0070DAA1

Strings

Shell_TrayWnd, xrefs: 0070D9B9

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d08a71a938b21bcf4766c174e3e2aa75535d683ac5429d1e0de08f0099c571d1
Instruction ID: 8e0052377b573b7da6f2f8d6e2603e9bb96d5adbc97248be4547559409c054ee
Opcode Fuzzy Hash: d08a71a938b21bcf4766c174e3e2aa75535d683ac5429d1e0de08f0099c571d1
Instruction Fuzzy Hash: 92316571A80318BBEB306FA19C49FBF7E6CEB44B51F108025FA05EA1D1D6B45D11ABA4

Function 00728638 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00728AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00728AED
Part of subcall function 00728AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00728B1A
Part of subcall function 00728AA3: GetLastError.KERNEL32 ref: 00728B27

_memset.LIBCMT ref: 0072867B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007286CD
CloseHandle.KERNEL32(?), ref: 007286DE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007286F5
GetProcessWindowStation.USER32 ref: 0072870E
SetProcessWindowStation.USER32(00000000), ref: 00728718
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00728732

Part of subcall function 007284F3: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00728631), ref: 00728508
Part of subcall function 007284F3: CloseHandle.KERNEL32(?,?,00728631), ref: 0072851A

Strings

winsta0, xrefs: 007286F0
, xrefs: 0072868A
default, xrefs: 0072872D

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 9feaaf03556d4fe52c794a7410864a8e17ecb39c4870a4ff0fc925be98b200e9
Instruction ID: 6f5d47f2f9e5d14932900e28815d7cd081a0625d8b5518ecf14ef6f05404f655
Opcode Fuzzy Hash: 9feaaf03556d4fe52c794a7410864a8e17ecb39c4870a4ff0fc925be98b200e9
Instruction Fuzzy Hash: 6481AF71812229EFDF519FA0EC49AEE7B78EF04304F048129F914A6161DB7A8E04DB22

Function 0074407C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0075F910), ref: 007440A6
IsClipboardFormatAvailable.USER32(0000000D), ref: 007440B4
GetClipboardData.USER32(0000000D), ref: 007440BC
CloseClipboard.USER32 ref: 007440C8
GlobalLock.KERNEL32(00000000), ref: 007440E4
CloseClipboard.USER32 ref: 007440EE
GlobalUnlock.KERNEL32(00000000), ref: 00744103
IsClipboardFormatAvailable.USER32(00000001), ref: 00744110
GetClipboardData.USER32(00000001), ref: 00744118
GlobalLock.KERNEL32(00000000), ref: 00744125
GlobalUnlock.KERNEL32(00000000), ref: 00744159
CloseClipboard.USER32 ref: 00744269

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 21bd2d162259a9a7a301b2efe5b6302b1f26f7ec5be973d4ca82f8931498d242
Instruction ID: b585a0b6cd6fddb7c061b94fafeece9640f18d20cc82f163d97c8411d881e665
Opcode Fuzzy Hash: 21bd2d162259a9a7a301b2efe5b6302b1f26f7ec5be973d4ca82f8931498d242
Instruction Fuzzy Hash: 04519075204306ABD310AF64DC85FAF77A8FF84B01F10452EF646D22A1DFB8D9059B6A

Function 0073C7E8 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0073C819
FindClose.KERNEL32(00000000), ref: 0073C86D
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0073C892
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0073C8A9
FileTimeToSystemTime.KERNEL32(?,?), ref: 0073C8D0
__swprintf.LIBCMT ref: 0073C91C
__swprintf.LIBCMT ref: 0073C95F

Part of subcall function 006D7F41: _memmove.LIBCMT ref: 006D7F82

__swprintf.LIBCMT ref: 0073C9B3

Part of subcall function 006F3818: __woutput_l.LIBCMT ref: 006F3871

__swprintf.LIBCMT ref: 0073CA01

Part of subcall function 006F3818: __flsbuf.LIBCMT ref: 006F3893
Part of subcall function 006F3818: __flsbuf.LIBCMT ref: 006F38AB

__swprintf.LIBCMT ref: 0073CA50
__swprintf.LIBCMT ref: 0073CA9F
__swprintf.LIBCMT ref: 0073CAEE

Strings

%02d, xrefs: 0073C9A7, 0073C9B1, 0073C9FF, 0073CA4E, 0073CA9D, 0073CAEC
%4d%02d%02d%02d%02d%02d, xrefs: 0073C916
%4d, xrefs: 0073C959

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 00da3e2ea49f536b17ce65ef13c10e17a0f672dbaa0f5d8331a36bd1c321ac90
Instruction ID: 09799a00763116ebce91e6e783a38025463333324f6e2a9fe33d56d765fe9f41
Opcode Fuzzy Hash: 00da3e2ea49f536b17ce65ef13c10e17a0f672dbaa0f5d8331a36bd1c321ac90
Instruction Fuzzy Hash: 35A14FB2808314ABC750FB54C886DAFB7EDEF94704F44491EF596D2291EB34DA08CB66

Function 0073F021 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0073F042
_wcscmp.LIBCMT ref: 0073F057
_wcscmp.LIBCMT ref: 0073F06E
GetFileAttributesW.KERNEL32(?), ref: 0073F080
SetFileAttributesW.KERNEL32(?,?), ref: 0073F09A
FindNextFileW.KERNEL32(00000000,?), ref: 0073F0B2
FindClose.KERNEL32(00000000), ref: 0073F0BD
FindFirstFileW.KERNEL32(*.*,?), ref: 0073F0D9
_wcscmp.LIBCMT ref: 0073F100
_wcscmp.LIBCMT ref: 0073F117
SetCurrentDirectoryW.KERNEL32(?), ref: 0073F129
SetCurrentDirectoryW.KERNEL32(00788920), ref: 0073F147
FindNextFileW.KERNEL32(00000000,00000010), ref: 0073F151
FindClose.KERNEL32(00000000), ref: 0073F15E
FindClose.KERNEL32(00000000), ref: 0073F170

Strings

*.*, xrefs: 0073F0D4

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: b25dd9df3340a83ad0df5d8714dbdf02daf9f6e1b5b7c5a747193385974dc837
Instruction ID: bbf076591674b6de4a51e2af6e6fd499f68f7829bdd2521472a6b844a52afc8f
Opcode Fuzzy Hash: b25dd9df3340a83ad0df5d8714dbdf02daf9f6e1b5b7c5a747193385974dc837
Instruction Fuzzy Hash: 1131D87290021DAAEF10EBB4EC49AEE77ACAF043A1F104175E904D31A1DB78DA45CB59

Function 007508E2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007509DE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0075F910,00000000,?,00000000,?,?), ref: 00750A4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00750A94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00750B1D
RegCloseKey.ADVAPI32(?), ref: 00750E3D
RegCloseKey.ADVAPI32(00000000), ref: 00750E4A

Strings

REG_SZ, xrefs: 00750B5B
REG_BINARY, xrefs: 00750DD8
REG_EXPAND_SZ, xrefs: 00750ABA
REG_DWORD, xrefs: 00750D0E
REG_MULTI_SZ, xrefs: 00750C05
REG_QWORD, xrefs: 00750D8B

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: c7940af9fbaee7cd4346986ceeb8c6ca56a6114327b5f6a1aad62280177c4239
Instruction ID: 19dd1579fee536ada4cb3e9d218a8b300491a2115d3a26f2d48e9307d5ee586d
Opcode Fuzzy Hash: c7940af9fbaee7cd4346986ceeb8c6ca56a6114327b5f6a1aad62280177c4239
Instruction Fuzzy Hash: 43028D756006119FCB54EF24C855E6AB7E6FF88710F08885DF88A9B362CB74ED04CB95

Function 006E6841 Relevance: 24.6, Strings: 19, Instructions: 889COMMON

Download Yara Rule

Strings

CRLF), xrefs: 00721617
LIMIT_MATCH=, xrefs: 007214C6
UTF16), xrefs: 00721425
UCP), xrefs: 00721463
CR), xrefs: 007215DD
LF), xrefs: 007215FA
0Ew, xrefs: 006E689D
LIMIT_RECURSION=, xrefs: 00721552
NO_START_OPT), xrefs: 007214A5
ANYCRLF), xrefs: 00721651
UTF), xrefs: 00721450
BSR_ANYCRLF), xrefs: 00721674
ANY), xrefs: 00721634
Oan, xrefs: 007217BB, 00721862, 0072190A
NO_AUTO_POSSESS), xrefs: 00721484
pGw, xrefs: 006E68B1
BSR_UNICODE), xrefs: 0072168E
0Fw, xrefs: 006E68A7
0Dw, xrefs: 006E6893

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID: 0Dw$0Ew$0Fw$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oan$UCP)$UTF)$UTF16)$pGw
API String ID: 0-1771680070
Opcode ID: e7d9e4d730c6005bb61e5a23f1574a042c7e476560b2c1294c56ee7182882788
Instruction ID: f7a25384441e75f66f55cd934314f59a85ed541ca88b2fdec7eaf581e5e52811
Opcode Fuzzy Hash: e7d9e4d730c6005bb61e5a23f1574a042c7e476560b2c1294c56ee7182882788
Instruction Fuzzy Hash: 70728171E00369DBDB24CF59D8407AEB7B6FF64750F54816AE809EB280EB349D81CB90

Function 0073F17E Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0073F19F
_wcscmp.LIBCMT ref: 0073F1B4
_wcscmp.LIBCMT ref: 0073F1CB

Part of subcall function 007343C6: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007343E1

FindNextFileW.KERNEL32(00000000,?), ref: 0073F1FA
FindClose.KERNEL32(00000000), ref: 0073F205
FindFirstFileW.KERNEL32(*.*,?), ref: 0073F221
_wcscmp.LIBCMT ref: 0073F248
_wcscmp.LIBCMT ref: 0073F25F
SetCurrentDirectoryW.KERNEL32(?), ref: 0073F271
SetCurrentDirectoryW.KERNEL32(00788920), ref: 0073F28F
FindNextFileW.KERNEL32(00000000,00000010), ref: 0073F299
FindClose.KERNEL32(00000000), ref: 0073F2A6
FindClose.KERNEL32(00000000), ref: 0073F2B8

Strings

*.*, xrefs: 0073F21C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 124eeee05fe08a6f540144a5bc505ea084e85b943b5632d3d0eea652662e389b
Instruction ID: b1e375130c952b35aa20d5c352fd019587235a85961a55ba031f4ed00fba30b3
Opcode Fuzzy Hash: 124eeee05fe08a6f540144a5bc505ea084e85b943b5632d3d0eea652662e389b
Instruction Fuzzy Hash: 6731FA7590161DAEEF10AFA4EC48EEF73ACAF053A1F104175E900E31A1DB78DE45CA58

Function 0073A279 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0073A299
__swprintf.LIBCMT ref: 0073A2BB
CreateDirectoryW.KERNEL32(?,00000000), ref: 0073A2F8
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0073A31D
_memset.LIBCMT ref: 0073A33C
_wcsncpy.LIBCMT ref: 0073A378
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0073A3AD
CloseHandle.KERNEL32(00000000), ref: 0073A3B8
RemoveDirectoryW.KERNEL32(?), ref: 0073A3C1
CloseHandle.KERNEL32(00000000), ref: 0073A3CB

Strings

\, xrefs: 0073A2D1
\??\%s, xrefs: 0073A2B5
:, xrefs: 0073A2DC

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: c9806f14e9db6826285c878e3f5a474106dc978b0518db7a494ffa848985e079
Instruction ID: 71a7cb17e712ad8d85c3d94e8e638183a96504e4a3884c3ceb03fe8af22c0786
Opcode Fuzzy Hash: c9806f14e9db6826285c878e3f5a474106dc978b0518db7a494ffa848985e079
Instruction Fuzzy Hash: D731B3B150020AABEB20DFA0DC45FEB77BDEF88741F1041B6F648D6161EB7896448B25

Function 007281D4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0072852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00728546
Part of subcall function 0072852A: GetLastError.KERNEL32(?,0072800A,?,?,?), ref: 00728550
Part of subcall function 0072852A: GetProcessHeap.KERNEL32(00000008,?,?,0072800A,?,?,?), ref: 0072855F
Part of subcall function 0072852A: HeapAlloc.KERNEL32(00000000,?,0072800A,?,?,?), ref: 00728566
Part of subcall function 0072852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0072857D

Part of subcall function 007285C7: GetProcessHeap.KERNEL32(00000008,00728020,00000000,00000000,?,00728020,?), ref: 007285D3
Part of subcall function 007285C7: HeapAlloc.KERNEL32(00000000,?,00728020,?), ref: 007285DA
Part of subcall function 007285C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00728020,?), ref: 007285EB

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00728238
_memset.LIBCMT ref: 0072824D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0072826C
GetLengthSid.ADVAPI32(?), ref: 0072827D
GetAce.ADVAPI32(?,00000000,?), ref: 007282BA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007282D6
GetLengthSid.ADVAPI32(?), ref: 007282F3
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00728302
HeapAlloc.KERNEL32(00000000), ref: 00728309
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0072832A
CopySid.ADVAPI32(00000000), ref: 00728331
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00728362
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00728388
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0072839C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 239e2c625e883e84eef259368f9f3a93c4301c1251fd8a2a205e278ac554aefb
Instruction ID: c9bf2ea2cf94c6f71373fe84aad509fface90c28efa2283854725e9131d10cfc
Opcode Fuzzy Hash: 239e2c625e883e84eef259368f9f3a93c4301c1251fd8a2a205e278ac554aefb
Instruction Fuzzy Hash: 9A616C71901219EFDF10DFA4EC44AEEBB79FF04711F048129F915A7291DB7A9A10CBA1

Function 00750465 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00750EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074FE38,?,?), ref: 00750EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00750537

Part of subcall function 006D9997: __itow.LIBCMT ref: 006D99C2
Part of subcall function 006D9997: __swprintf.LIBCMT ref: 006D9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007505D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0075066E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007508AD
RegCloseKey.ADVAPI32(00000000), ref: 007508BA

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 03bbc677bbcc4c46af588b3fce67236990e8994327685d14348e225e0c00fab4
Instruction ID: a102848a433f83dd421383c5930fa8abd27ea464d5e9cb11e3e4526c16710c19
Opcode Fuzzy Hash: 03bbc677bbcc4c46af588b3fce67236990e8994327685d14348e225e0c00fab4
Instruction Fuzzy Hash: C6E15D31604310AFCB14DF25C895E6ABBE5EF88714F04896DF84ADB262DB74ED05CB91

Function 006E4140 Relevance: 16.9, APIs: 1, Strings: 8, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00717A3B
VUUU, xrefs: 006E4520
0Dw, xrefs: 006E446C
0Dw, xrefs: 006E4392
VUUU, xrefs: 006E44ED
VUUU, xrefs: 006E44DB
Oan, xrefs: 006E4984, 007180A2
ERCP, xrefs: 006E421F

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID: 0Dw$0Dw$ERCP$Oan$VUUU$VUUU$VUUU$VUUU
API String ID: 0-4025930724
Opcode ID: 79c2bdcb399353b13da8ab1c4048c474e5d40a7e8cc74a0b9df60dfb36fa7861
Instruction ID: 2662698a3d507b39f4af3768d9d108e4eafe6084bc6cb2dbae4f191695498c9e
Opcode Fuzzy Hash: 79c2bdcb399353b13da8ab1c4048c474e5d40a7e8cc74a0b9df60dfb36fa7861
Instruction Fuzzy Hash: D6A27070E0525ACBDF28CF69C9507EEB7B2BB54314F2481A9D855A7380EB349EC5CB90

Function 0073003A Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00730062
GetAsyncKeyState.USER32(000000A0), ref: 007300E3
GetKeyState.USER32(000000A0), ref: 007300FE
GetAsyncKeyState.USER32(000000A1), ref: 00730118
GetKeyState.USER32(000000A1), ref: 0073012D
GetAsyncKeyState.USER32(00000011), ref: 00730145
GetKeyState.USER32(00000011), ref: 00730157
GetAsyncKeyState.USER32(00000012), ref: 0073016F
GetKeyState.USER32(00000012), ref: 00730181
GetAsyncKeyState.USER32(0000005B), ref: 00730199
GetKeyState.USER32(0000005B), ref: 007301AB

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: acd1c753433fb9cdbd86d97f263a30253512e91c2612e05198f6d5750a8171bf
Instruction ID: 42d16c514b2a5c8bf3e8d5d4f359a1a67dd75fb7d77ff56117d1b920953d6eaf
Opcode Fuzzy Hash: acd1c753433fb9cdbd86d97f263a30253512e91c2612e05198f6d5750a8171bf
Instruction Fuzzy Hash: FD41C8346047CE69FF359A6488243BABEA1AF11340F088099D5C6571C3EBDC99D4C7E6

Function 0074427A Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 007442A1
EmptyClipboard.USER32 ref: 007442A7
GlobalAlloc.KERNEL32(00000002,?), ref: 007442BC
CloseClipboard.USER32 ref: 0074435B

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 14fe67cdeba284b662b39cc8a421335adad4fc6ef00d2c4416633eb3ef039b72
Instruction ID: 4f31c08078354564a156c1acb32d6e4ead642cf7ae4665f0373b85d887ed36ec
Opcode Fuzzy Hash: 14fe67cdeba284b662b39cc8a421335adad4fc6ef00d2c4416633eb3ef039b72
Instruction Fuzzy Hash: D721B535200220DFDB10AF60EC49BAE77A8FF04711F14C01AF946DB2A1DB78AC01CB58

Function 00733833 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D48A1,?,?,006D37C0,?), ref: 006D48CE

Part of subcall function 00734AD8: GetFileAttributesW.KERNEL32(?,0073374F), ref: 00734AD9

FindFirstFileW.KERNEL32(?,?), ref: 007338E7
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0073398F
MoveFileW.KERNEL32(?,?), ref: 007339A2
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 007339BF
FindNextFileW.KERNEL32(00000000,00000010), ref: 007339E1
FindClose.KERNEL32(00000000,?,?,?,?), ref: 007339FD

Strings

\*.*, xrefs: 00733892, 0073389B, 007338B0

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: ee93afa0cf8fd5ce3911f418cca8c6807ee1d2f442d218646edeff78da5cf857
Instruction ID: defbe73c3f6abee81cae223090d8e124e305db52506df94efac526959675cdaf
Opcode Fuzzy Hash: ee93afa0cf8fd5ce3911f418cca8c6807ee1d2f442d218646edeff78da5cf857
Instruction Fuzzy Hash: 4F51C231C0520D9BDF25EBA0CD92AEDB779AF14301F64416AE40277292EF746F09CBA5

Function 0073F47F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7F41: _memmove.LIBCMT ref: 006D7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0073F4CC
Sleep.KERNEL32(0000000A), ref: 0073F4FC
_wcscmp.LIBCMT ref: 0073F510
_wcscmp.LIBCMT ref: 0073F52B
FindNextFileW.KERNEL32(?,?), ref: 0073F5C9
FindClose.KERNEL32(00000000), ref: 0073F5DF

Strings

*.*, xrefs: 0073F4B1

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: b303faf81538244ae16a5e9a6ebdd0147f7ad84962f21c7a3258ec0bb8942c12
Instruction ID: f501a059ee6502d591c755baa7041445e88a70ee29270f5d99ee925de9ff278f
Opcode Fuzzy Hash: b303faf81538244ae16a5e9a6ebdd0147f7ad84962f21c7a3258ec0bb8942c12
Instruction Fuzzy Hash: 2E416D71D0021AABDF50DFA4CC49AEEBBB5FF05350F14456AF815A32A2EB349E54CB90

Function 006E58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006E5A05
_memmove.LIBCMT ref: 006E5A55
_memmove.LIBCMT ref: 006E5ABB

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 657e2cd4aceac7e98c98c2b5aa6ed20cbbe6ef4434abdfb5f107b18bfa273591
Instruction ID: 708671981e1a8df6e84a3602c1f92708d21a2fddb6da186854cad103cefdc8d5
Opcode Fuzzy Hash: 657e2cd4aceac7e98c98c2b5aa6ed20cbbe6ef4434abdfb5f107b18bfa273591
Instruction Fuzzy Hash: FF12BD70A01619DFDF14CFA5D981AEEB7F6FF48304F108529E806A7252EB39AD11CB64

Function 006E5680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 006F0F36: std::exception::exception.LIBCMT ref: 006F0F6C
Part of subcall function 006F0F36: __CxxThrowException@8.LIBCMT ref: 006F0F81

_memmove.LIBCMT ref: 007205AE
_memmove.LIBCMT ref: 007206C3
_memmove.LIBCMT ref: 0072076A

Strings

yZn, xrefs: 00720800, 0072077E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZn
API String ID: 1300846289-1312781132
Opcode ID: ab03dc3f6ee64142e537b61d216f02e1821f1590485942a0ad62c4672bb72dbe
Instruction ID: 66208e29f1b16e56fec4654bb5dd89401ce677c63293bea9b5f02a7b9737bd06
Opcode Fuzzy Hash: ab03dc3f6ee64142e537b61d216f02e1821f1590485942a0ad62c4672bb72dbe
Instruction Fuzzy Hash: 5102B070E01219DFDF04DF65D981AAEBBB6EF44300F148069E80ADB356EB34DA51CBA5

Function 00735264 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00728AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00728AED
Part of subcall function 00728AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00728B1A
Part of subcall function 00728AA3: GetLastError.KERNEL32 ref: 00728B27

ExitWindowsEx.USER32(?,00000000), ref: 007352A0

Strings

, xrefs: 0073528E
SeShutdownPrivilege, xrefs: 00735270
@, xrefs: 00735293

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: aa99034671930304e0ffaadfb28ca6058ea087c36bd9c5f53512db72ca01c03e
Instruction ID: 47ba97652e59bfe658497db287ac238ee68fb4a4c1746379cbeaa22e79c7d8f3
Opcode Fuzzy Hash: aa99034671930304e0ffaadfb28ca6058ea087c36bd9c5f53512db72ca01c03e
Instruction Fuzzy Hash: 9F0126B2695712ABF7283678AC4BBBB72A8FB09742F244125FC57D20D3E9AD5C0081D4

Function 006E3190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oan, xrefs: 006E3482

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oan
API String ID: 674341424-1382745430
Opcode ID: d22c14e96365543f3937a027e626518fef987c470af5bd1cd60323df8feca323
Instruction ID: c2a4fcd7e56934d1a7e01d8a8debabdb97427f60521dbbc1800945905f74683d
Opcode Fuzzy Hash: d22c14e96365543f3937a027e626518fef987c470af5bd1cd60323df8feca323
Instruction Fuzzy Hash: 1822CB715083519FC724DF28C885BAFB7E6AF84304F10492DF89A97391EB34EA45CB92

Function 00746399 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007463F2
WSAGetLastError.WSOCK32(00000000), ref: 00746401
bind.WSOCK32(00000000,?,00000010), ref: 0074641D
listen.WSOCK32(00000000,00000005), ref: 0074642C
WSAGetLastError.WSOCK32(00000000), ref: 00746446
closesocket.WSOCK32(00000000,00000000), ref: 0074645A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 7151225dc69b0b1db358e379831b5e9b352b7a9ea906df8c04060c454e50e6d6
Instruction ID: c8c605ff65ee9b7f2c485262a2171014a748c86ecaf0aa8187849dd01101a51b
Opcode Fuzzy Hash: 7151225dc69b0b1db358e379831b5e9b352b7a9ea906df8c04060c454e50e6d6
Instruction Fuzzy Hash: 9B210131600214AFCB10EF68C849B6EB3E9EF49720F148569F856A7391CB78AD01CB66

Function 006D1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 006D19FA
GetSysColor.USER32(0000000F), ref: 006D1A4E
SetBkColor.GDI32(?,00000000), ref: 006D1A61

Part of subcall function 006D1290: DefDlgProcW.USER32(?,00000020,?), ref: 006D12D8

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: d5e476ca0fa3bec7e8fb68a36678610ae5bcccda8e0944b4bbcafab3168e99ec
Instruction ID: af12ad529cf87e7d4e6b54c4c4aee0f39db924692ca863dc66162f199cd3b1b5
Opcode Fuzzy Hash: d5e476ca0fa3bec7e8fb68a36678610ae5bcccda8e0944b4bbcafab3168e99ec
Instruction Fuzzy Hash: C8A158B0901694FEE635AB298C58EFB359FDB43342B18421BF402DD3D5DBA89E028275

Function 0074685D Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00747EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00747ECB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007468B4
WSAGetLastError.WSOCK32(00000000), ref: 007468DD
bind.WSOCK32(00000000,?,00000010), ref: 00746916
WSAGetLastError.WSOCK32(00000000), ref: 00746923
closesocket.WSOCK32(00000000,00000000), ref: 00746937

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 2ca16fda340d0f9cb930743ac284a6aa87021fbb490cd59fb623fba4125bc515
Instruction ID: 713e35cd28d1536ab4bcd800bb3d80f10b1ec444b24caad0c816cd28988bb311
Opcode Fuzzy Hash: 2ca16fda340d0f9cb930743ac284a6aa87021fbb490cd59fb623fba4125bc515
Instruction Fuzzy Hash: 3841C375A00210AFEB50BF649C86F6E77AADF08710F44805DF91AAB3C2DB749D008BA5

Function 007553DF Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0075542E
IsWindowEnabled.USER32 ref: 0075543C
GetForegroundWindow.USER32(?,?,00000001), ref: 00755449
IsIconic.USER32 ref: 00755457
IsZoomed.USER32 ref: 00755465

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ead5c8b716f7ec6e68cd6f6148fcb98d9be790d81aacfc32c56eaf9268b4b1ed
Instruction ID: b4c0641422126b694e29ddf1ea4d80f832003b3fd13bf20fb636b65df52af829
Opcode Fuzzy Hash: ead5c8b716f7ec6e68cd6f6148fcb98d9be790d81aacfc32c56eaf9268b4b1ed
Instruction Fuzzy Hash: A7112B31B006605FD7216F27DC64BAE7799FF44723B058029FC46C7251CBB8D842C6A8

Function 0073C423 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0073C4BE
CoCreateInstance.OLE32(00762D6C,00000000,00000001,00762BDC,?), ref: 0073C4D6

Part of subcall function 006D7F41: _memmove.LIBCMT ref: 006D7F82

CoUninitialize.OLE32 ref: 0073C743

Strings

.lnk, xrefs: 0073C452, 0073C47A, 0073C484

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 331ceafffa9e9ced7611bda477d4ceb0525aeabd9f6856bb365c8bb58eed032b
Instruction ID: f91ec0aeac72c20e385bd4d8f4b6932f2d373dcb906b4f8201cd055c01c64bc1
Opcode Fuzzy Hash: 331ceafffa9e9ced7611bda477d4ceb0525aeabd9f6856bb365c8bb58eed032b
Instruction Fuzzy Hash: BFA14D71508305AFD340EF54C891EABB7EDEF98304F04491DF55697292EB70EA09CBA6

Function 0074C104 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00711CB7,?), ref: 0074C112
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0074C124

Strings

GetSystemWow64DirectoryW, xrefs: 0074C11E
kernel32.dll, xrefs: 0074C10D

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: b34a5b81b59eb6723bb79d805bd104572d816fccd01ca19ddd3d977a4cc3306d
Instruction ID: 8f6c34c7b62205acd43ec795255afd02964bd8457f3b1fdbf0b406b98d703297
Opcode Fuzzy Hash: b34a5b81b59eb6723bb79d805bd104572d816fccd01ca19ddd3d977a4cc3306d
Instruction Fuzzy Hash: 8BE012F8611B27CFD7616F35D818A9276E4EF09756F44C439E885D26A0E7BCD840C750

Function 0074EF21 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0074EF51
Process32FirstW.KERNEL32(00000000,?), ref: 0074EF5F

Part of subcall function 006D7F41: _memmove.LIBCMT ref: 006D7F82

Process32NextW.KERNEL32(00000000,?), ref: 0074F01F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0074F02E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 1a674e1e19310bc11f184bc0816cf6ac529c880c402aac61acebb6a91ae34d90
Instruction ID: c4e5aab5927d4fb066f39d0b99d2077eb348140dd016237cb2d8d06f97539a59
Opcode Fuzzy Hash: 1a674e1e19310bc11f184bc0816cf6ac529c880c402aac61acebb6a91ae34d90
Instruction Fuzzy Hash: 18519071904711AFD350EF24DC85E6BB7E9FF84710F14482EF59687262EB70A908CB96

Function 0072E928 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0072E93A

Strings

(, xrefs: 0072E980
|, xrefs: 0072E96A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 71bd58264f91f9de58802c47e1c4cb6d6d8988cb40a1bc46943a611df9f8669d
Instruction ID: 5e0640e1830a329df7ef9e7c471eb3988328ce40368e3f43cc9b2455a3f36650
Opcode Fuzzy Hash: 71bd58264f91f9de58802c47e1c4cb6d6d8988cb40a1bc46943a611df9f8669d
Instruction Fuzzy Hash: 97323675A00615DFDB28CF29D48196AB7F0FF48320B15C56EE89ADB3A1E770E981CB40

Function 00742404 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00741920,00000000), ref: 007424F7
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0074252E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 15db2aecb6fd8b363d9e911eb798bef08f8d286f8936e593cb451253dfff9a28
Instruction ID: 7e3d4874fc52a3f21a46f2b368ad92d9d04e2cd43169c91d6d08a6a198aaac7b
Opcode Fuzzy Hash: 15db2aecb6fd8b363d9e911eb798bef08f8d286f8936e593cb451253dfff9a28
Instruction Fuzzy Hash: C641FA71604309FFEB20DE95DC85EBBB7BCEB40324F50406EF605A7142DB789E629664

Function 0073B3BF Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0073B3CF
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0073B429
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0073B476

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e52c1db60824d3cb74c1e6197cc64ac99c7dc32e2b56fc70ea38e5b9539c2261
Instruction ID: 1850e9cda0f5b09fa52535376bd3e9d9b1db724fa28017ee894bdfdd75c69a70
Opcode Fuzzy Hash: e52c1db60824d3cb74c1e6197cc64ac99c7dc32e2b56fc70ea38e5b9539c2261
Instruction Fuzzy Hash: 92217175A00618EFDB00EFA5D884EEDBBB8FF48310F1480AAF905AB352CB359915CB54

Function 00728AA3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006F0F36: std::exception::exception.LIBCMT ref: 006F0F6C
Part of subcall function 006F0F36: __CxxThrowException@8.LIBCMT ref: 006F0F81

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00728AED
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00728B1A
GetLastError.KERNEL32 ref: 00728B27

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: fdb018fd792f4145a846f0568e8cd204dff22d4a9f35f675e00eaf47a6ab2676
Instruction ID: 77fc583799ba919bf93b509f63e55fd99449088155538535d92661bfe79e5048
Opcode Fuzzy Hash: fdb018fd792f4145a846f0568e8cd204dff22d4a9f35f675e00eaf47a6ab2676
Instruction Fuzzy Hash: 5B11BFB1515308AFE728AF54EC86D6BB7B9EB44311B20C16EF45593641EB75AC00CA64

Function 00734A08 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00734A31
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00734A48
FreeSid.ADVAPI32(?), ref: 00734A58

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 7f21eaf1ff9958706ebe1a480b2305bc0f2bb044c05db7c31b16b74f69c6a0b9
Instruction ID: 0fc263a62d166bcfb2355bbe49f91a02bd3b59ecc15d35575a6413dcf0667210
Opcode Fuzzy Hash: 7f21eaf1ff9958706ebe1a480b2305bc0f2bb044c05db7c31b16b74f69c6a0b9
Instruction Fuzzy Hash: F7F04F75A5130CBFDF04DFF0DC89AEEBBBCEF08211F008469E505E2181D6746A048B54

Function 00738932 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00738944

Part of subcall function 006F537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00739017,00000000,?,?,?,?,007391C8,00000000,?), ref: 006F5383
Part of subcall function 006F537A: __aulldiv.LIBCMT ref: 006F53A3

Strings

0ey, xrefs: 0073893B

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0ey
API String ID: 2893107130-3933825784
Opcode ID: 314c4b3356af46fb3a54fe7f76cec65d8478b7e4340f512ccaac42c188544e26
Instruction ID: 54fee2731c9e1f67a62fefc73512385b51b3706853ea93b68cb0d57d93145c86
Opcode Fuzzy Hash: 314c4b3356af46fb3a54fe7f76cec65d8478b7e4340f512ccaac42c188544e26
Instruction Fuzzy Hash: 2021B472635610CBD729CF29D441B62B3E1EBA5310F298F6DE1E5CB2D0CA78B905CB54

Function 006DE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345c831371183904b8337ee5dbd8089279e0f11d66b54e89f014c999ddb50a8c
Instruction ID: 09b287415a88ff66134af38bd4bc12cd904a1df6448b7826f4fe1ae648dce947
Opcode Fuzzy Hash: 345c831371183904b8337ee5dbd8089279e0f11d66b54e89f014c999ddb50a8c
Instruction Fuzzy Hash: 8C228D75E00215CFDB24EF58C481ABEB7F2FF08310F14816AE9569B381E776A985CB91

Function 0073C75D Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0073C787
FindClose.KERNEL32(00000000), ref: 0073C7B7

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 2a64e3152ef0f3834407efa20d9c923e73facd20702cacb20871a046a9592e94
Instruction ID: ef6a7e0960c2c675585be216120a8e1e9a56a10fc05fbc39b120b1ff3b11b9e2
Opcode Fuzzy Hash: 2a64e3152ef0f3834407efa20d9c923e73facd20702cacb20871a046a9592e94
Instruction Fuzzy Hash: 1711A1726002109FD710EF29D849A2AF7E9FF84320F04851EF9A9D73A1DB74AC00CB95

Function 0073A0F4 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0074957D,?,0075FB84,?), ref: 0073A121
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0074957D,?,0075FB84,?), ref: 0073A133

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8f574ad2ac7938984e570eb147ed67effb5e08ac7218fd17b51bdac1f72a6532
Instruction ID: 9755383cb4dc2b434b2a822c4c2556c6189a87631a3604e2740faf1f3ee109a2
Opcode Fuzzy Hash: 8f574ad2ac7938984e570eb147ed67effb5e08ac7218fd17b51bdac1f72a6532
Instruction Fuzzy Hash: DAF05E7550522DFBEB20ABA4CC49FEA776DBF08361F008266F909D6281D6749940CBA1

Function 007284F3 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00728631), ref: 00728508
CloseHandle.KERNEL32(?,?,00728631), ref: 0072851A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 77036d8acc981c29a321c491a6d8a04431338bd930dbb7de33a3cbb0619716f5
Instruction ID: 9d08e42e8dacf5747ed762d9d2ad8c636c95f7ec47274695192896126ae8ac23
Opcode Fuzzy Hash: 77036d8acc981c29a321c491a6d8a04431338bd930dbb7de33a3cbb0619716f5
Instruction Fuzzy Hash: 31E08C32005610AFFB612F20FC08DB77BEAEF00311724C82DF99680471DB62ACA0DB54

Function 006FA2D5 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,006F8ED7,?,?,?,00000001), ref: 006FA2DA
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 006FA2E3

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ab5b57990e0ff42989defd9161060ada092461d7535a8e9f4ee45063304972db
Instruction ID: cbeca91d90c7bb436d75edb79d741ba2d2006d53c438655129d04ae8825a3bf9
Opcode Fuzzy Hash: ab5b57990e0ff42989defd9161060ada092461d7535a8e9f4ee45063304972db
Instruction Fuzzy Hash: 3FB09231054308ABEA002F91ED09BC93F68EB44AA3F408020F60D84070CBA654508A99

Function 006FF359 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9607ab3461df31b78389d913391e9fd8ec148fdf74827556932c562ae35cefa7
Instruction ID: 1421520f0b6f85b5c10b5419fcb5901a51a19622efbbb1bae4c3d22bc72849da
Opcode Fuzzy Hash: 9607ab3461df31b78389d913391e9fd8ec148fdf74827556932c562ae35cefa7
Instruction Fuzzy Hash: B8323662D29F454DD7279735C832336A24AAFB73C8F14D737F82AB5AA5EB68C4834104

Function 007025AE Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc6c85b0898dc42763eecc88b4034775aa1a6fd8c8da2235d30cbbafc99f54e
Instruction ID: d80bd162ea637db3ebb4587f7e63a8a645f46a7a0aa42f0514cbdcc14a74c84b
Opcode Fuzzy Hash: dfc6c85b0898dc42763eecc88b4034775aa1a6fd8c8da2235d30cbbafc99f54e
Instruction Fuzzy Hash: 63B11F21E2AF404DD32396398835336BA8CAFBB2C5F51D31BFC2774E62EB6685834545

Function 0074401F Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0074403A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 19b797236ca3273737b0de4a41712c8013ec2225265f62b6849b73048dc51183
Instruction ID: 772f281e250020ec9c7359343c10f7c86df50d2e6b7ebc67a8c2dbd69d81d687
Opcode Fuzzy Hash: 19b797236ca3273737b0de4a41712c8013ec2225265f62b6849b73048dc51183
Instruction Fuzzy Hash: DBE048322102145FC760AF59D404B96FBD9EF64761F00C05AFD49C7361DB74E8508BA4

Function 00734CFA Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00734D1D

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 1d25577fc96d3ad79102a179682799ec53be70c208717b01a623e4b6d5b5f19a
Instruction ID: 9866b52df440e1bf007c5a8ef3c1ba8c35adc3a3f92b61cdc524f4e122b01134
Opcode Fuzzy Hash: 1d25577fc96d3ad79102a179682799ec53be70c208717b01a623e4b6d5b5f19a
Instruction Fuzzy Hash: 44D09EA437460579FCAC0B309C1FB761119F300796FA4554977029A2C7B8EC7841A436

Function 00728A73 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,007286B1), ref: 00728A93

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 59304c250d44974475b5b3530cd037c1dc898038194889670fe6076f9ebc5d71
Instruction ID: 5f60c5b46e00959e05142414c0c45782f224715772bc51e1982b7774fd3ea5ec
Opcode Fuzzy Hash: 59304c250d44974475b5b3530cd037c1dc898038194889670fe6076f9ebc5d71
Instruction Fuzzy Hash: F1D05E3226060EABEF018EA4DC01EEE3B69EB04B01F408111FE15C50A1C7B5D835AB60

Function 0071215F Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00712171

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: fc68e4ef612192c58799fd2aad732b51d1fc4af2bccf858346db15719c4d7deb
Instruction ID: e4a8f1904397ae3e697a98bd0cc5d9fbb4fd91a1040c24a0377a45f30a2db459
Opcode Fuzzy Hash: fc68e4ef612192c58799fd2aad732b51d1fc4af2bccf858346db15719c4d7deb
Instruction Fuzzy Hash: C1C04CF1801109DBCB05DB90D988DFE77BCAB04315F148055E105F2140D7789B448B71

Function 006FA2A4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 006FA2AA

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 059c1ea6d46cfb8a92f06533e2a2545dbf77a09abf5c8f6e17d094b5206f7e1d
Instruction ID: 19578f34d7fff65eb4ecb7015eb0f767de98a409101956b5771b5cc85d9f2b1b
Opcode Fuzzy Hash: 059c1ea6d46cfb8a92f06533e2a2545dbf77a09abf5c8f6e17d094b5206f7e1d
Instruction Fuzzy Hash: 77A0113000020CAB8A002F82EC08888BFACEA002A2B008020F80C800328BB2A8208A88

Function 006E8968 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21576ed3fdc2af2e8f210329d5313d559df859a65f187a364e8c99942bf21afb
Instruction ID: 9f913b0240aa2c2dbb714b0179b627a04d34ba986bc0fd91c8c2aead56ff4649
Opcode Fuzzy Hash: 21576ed3fdc2af2e8f210329d5313d559df859a65f187a364e8c99942bf21afb
Instruction Fuzzy Hash: B5220770A01BE58FDF388B1AD8946BCB7A3FB01304F78846AD859DB691DB389D81C751

Function 006F2345 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 3f6a989578e9799c7a63de13957bc8bc6cdcdbf958c0e3ae1f1dee9f264b3be4
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: F9C174722160974ADF2D463AC4340BEBFE25AA37B231A175DE5B2CF2D5EF10C564DA20

Function 006F277A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 1d244b6bba0d10492d092ec7ede7ca29ba616fefa5d95c312a28e0601108a79d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: FCC1843221619749DB2D463A847407EBFE25AA37B231A176DE5B2DF2C4EF10C524DA20

Function 0138C648 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448929528.0000000001389000.00000040.00000020.00020000.00000000.sdmp, Offset: 01389000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1389000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 3676d3fc21542696c86ce6d6c88153e505272a3a39b66e504bde8248f6eb5fe1
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 7541D571D1051CDBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB90

Function 0138C538 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448929528.0000000001389000.00000040.00000020.00020000.00000000.sdmp, Offset: 01389000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1389000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: c7033c4596c354a3444ba06d43d393cb79f3d4139694efd75f8583f5e4f8e042
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 7E019278A00209EFCB44EF99C5909AEF7F5FB48314F208599D809A7701D730AE41DB90

Function 0138C4D8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448929528.0000000001389000.00000040.00000020.00020000.00000000.sdmp, Offset: 01389000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1389000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 2389c5001d3a1726e72b3b0a45d5e24db2290c2803eb2fcb7927b29feeec976b
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: CC019279A00209EFCB44EF99C5909AEF7B5FB88314F20859AD809A7701D730AE41DB90

Function 0138AEA8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448929528.0000000001389000.00000040.00000020.00020000.00000000.sdmp, Offset: 01389000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1389000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 0074791B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00747970
DeleteObject.GDI32(00000000), ref: 00747982
DestroyWindow.USER32 ref: 00747990
GetDesktopWindow.USER32 ref: 007479AA
GetWindowRect.USER32(00000000), ref: 007479B1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00747AF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00747B02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747B4A
GetClientRect.USER32(00000000,?), ref: 00747B56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00747B90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747BB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747BC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747BD0
GlobalLock.KERNEL32(00000000), ref: 00747BD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747BE8
GlobalUnlock.KERNEL32(00000000), ref: 00747BF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747BF8
GlobalFree.KERNEL32(00000000), ref: 00747C03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747C15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00762CAC,00000000), ref: 00747C2B
GlobalFree.KERNEL32(00000000), ref: 00747C3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00747C61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00747C80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747CA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747E8F

Strings

DISPLAY, xrefs: 00747CF2
AutoIt v3, xrefs: 00747B42
static, xrefs: 00747B8A, 00747CE1
, xrefs: 00747E15

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8e1022d564a6a47fcb4c016a9f4f95c18f5c19a5983cfc7cff4e60cde8bc922d
Instruction ID: 40666ac75785fe33507db1d3211fbd5e00c4974dadee0c02984c5a13297e9ad1
Opcode Fuzzy Hash: 8e1022d564a6a47fcb4c016a9f4f95c18f5c19a5983cfc7cff4e60cde8bc922d
Instruction Fuzzy Hash: ED02A171A00219EFDB14DF68CC89EAE7BB9FF48311F148159F905AB2A1D778AD01CB64

Function 007535D4 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0075F910), ref: 00753690
IsWindowVisible.USER32(?), ref: 007536B4

Strings

GETSELECTED, xrefs: 0075390C
GETCURRENTLINE, xrefs: 00753956
ADDSTRING, xrefs: 0075377F
GETLINECOUNT, xrefs: 0075392F
HIDEDROPDOWN, xrefs: 00753769
SENDCOMMANDID, xrefs: 00753A43
ISENABLED, xrefs: 007536D4
CURRENTTAB, xrefs: 00753726
SELECTSTRING, xrefs: 0075386F
GETCURRENTCOL, xrefs: 00753991
SETCURRENTSELECTION, xrefs: 0075381F
ISCHECKED, xrefs: 007538A2
TABRIGHT, xrefs: 00753706
GETLINE, xrefs: 00753A04
FINDSTRING, xrefs: 007537DF
GETCURRENTSELECTION, xrefs: 0075384C
UNCHECK, xrefs: 007538EC
SHOWDROPDOWN, xrefs: 00753749
ISVISIBLE, xrefs: 007536A0
EDITPASTE, xrefs: 007539C8
DELSTRING, xrefs: 007537B2
CHECK, xrefs: 007538D6
TABLEFT, xrefs: 007536F0

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: f024fc4afe6a5399f19aa581d1be01420a6ec397b9bc9955a3200f09b3b053a5
Instruction ID: 824a57fc86e22e3acfdbfbfd51e0f71ae0bda760b01ee77f8152232e83693ae1
Opcode Fuzzy Hash: f024fc4afe6a5399f19aa581d1be01420a6ec397b9bc9955a3200f09b3b053a5
Instruction Fuzzy Hash: CAD17E306043019BCB14EF10C591ABA77A6AF95385F18846CFD865B3B3CB79EE0ACB55

Function 0075A60C Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0075A662
GetSysColorBrush.USER32(0000000F), ref: 0075A693
GetSysColor.USER32(0000000F), ref: 0075A69F
SetBkColor.GDI32(?,000000FF), ref: 0075A6B9
SelectObject.GDI32(?,00000000), ref: 0075A6C8
InflateRect.USER32(?,000000FF,000000FF), ref: 0075A6F3
GetSysColor.USER32(00000010), ref: 0075A6FB
CreateSolidBrush.GDI32(00000000), ref: 0075A702
FrameRect.USER32(?,?,00000000), ref: 0075A711
DeleteObject.GDI32(00000000), ref: 0075A718
InflateRect.USER32(?,000000FE,000000FE), ref: 0075A763
FillRect.USER32(?,?,00000000), ref: 0075A795
GetWindowLongW.USER32(?,000000F0), ref: 0075A7C0

Part of subcall function 0075A8FC: GetSysColor.USER32(00000012), ref: 0075A935
Part of subcall function 0075A8FC: SetTextColor.GDI32(?,?), ref: 0075A939
Part of subcall function 0075A8FC: GetSysColorBrush.USER32(0000000F), ref: 0075A94F
Part of subcall function 0075A8FC: GetSysColor.USER32(0000000F), ref: 0075A95A
Part of subcall function 0075A8FC: GetSysColor.USER32(00000011), ref: 0075A977
Part of subcall function 0075A8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0075A985
Part of subcall function 0075A8FC: SelectObject.GDI32(?,00000000), ref: 0075A996
Part of subcall function 0075A8FC: SetBkColor.GDI32(?,00000000), ref: 0075A99F
Part of subcall function 0075A8FC: SelectObject.GDI32(?,?), ref: 0075A9AC
Part of subcall function 0075A8FC: InflateRect.USER32(?,000000FF,000000FF), ref: 0075A9CB
Part of subcall function 0075A8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0075A9E2
Part of subcall function 0075A8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 0075A9F7
Part of subcall function 0075A8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0075AA1F

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 1c1c1b456048de423fbeb17c32efffba95da360517be4acd54de7537d9f2ce3a
Instruction ID: e6598aa23672bad2984e3f8a34935d1d468bfe53f040c1562c45792d181f59c5
Opcode Fuzzy Hash: 1c1c1b456048de423fbeb17c32efffba95da360517be4acd54de7537d9f2ce3a
Instruction Fuzzy Hash: CC918E71408305FFD711AF64DC08A9B7BA9FF88322F148B29F962961E0D7B9D844CB56

Function 006D2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 006D2CA2
DeleteObject.GDI32(00000000), ref: 006D2CE8
DeleteObject.GDI32(00000000), ref: 006D2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 006D2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 006D2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0070C5BB
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0070C5F4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0070CA1D

Part of subcall function 006D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006D2036,?,00000000,?,?,?,?,006D16CB,00000000,?), ref: 006D1B9A

SendMessageW.USER32(?,00001053), ref: 0070CA5A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0070CA71
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0070CA87
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0070CA92

Strings

0, xrefs: 0070C8B1

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: f3464366af597b19b231a1289ed11c830e12f2e79a0ed78fd2d0012cd3298b23
Instruction ID: 461bd9e163a4e9b4262cdd6ad9c144271e4a01662ecfb608f83bc05df336068a
Opcode Fuzzy Hash: f3464366af597b19b231a1289ed11c830e12f2e79a0ed78fd2d0012cd3298b23
Instruction Fuzzy Hash: 91129E30610202EFDB62CF24C894BA9B7E6FF14311F54866AF995DB2A2C775EC42CB51

Function 007475C0 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007475F3
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007476B2
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007476F0
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00747702
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00747748
GetClientRect.USER32(00000000,?), ref: 00747754
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00747798
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007477A7
GetStockObject.GDI32(00000011), ref: 007477B7
SelectObject.GDI32(00000000,00000000), ref: 007477BB
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007477CB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007477D4
DeleteDC.GDI32(00000000), ref: 007477DD
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00747809
SendMessageW.USER32(00000030,00000000,00000001), ref: 00747820
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0074785B
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0074786F
SendMessageW.USER32(00000404,00000001,00000000), ref: 00747880
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007478B0
GetStockObject.GDI32(00000011), ref: 007478BB
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007478C6
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007478D0

Strings

DISPLAY, xrefs: 0074779D
msctls_progress32, xrefs: 00747851
AutoIt v3, xrefs: 00747740
static, xrefs: 00747792, 007478AA

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 12cd13fd97b195d8ded21c6023f047e6ab262dce3a981bbe08ccf78ea31d5ad5
Instruction ID: 39f23d902ddaf95a9663ffaa291db3a45cfec3a3bc4d25291356158024385426
Opcode Fuzzy Hash: 12cd13fd97b195d8ded21c6023f047e6ab262dce3a981bbe08ccf78ea31d5ad5
Instruction Fuzzy Hash: 09A182B1A40619BFEB14DF64DC4AFAE7BB9EB04711F008115FA15A72E0D7B4AD01CB68

Function 0073AD9C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0073ADAA
GetDriveTypeW.KERNEL32(?,0075FAC0,?,\\.\,0075F910), ref: 0073AE87
SetErrorMode.KERNEL32(00000000,0075FAC0,?,\\.\,0075F910), ref: 0073AFE5

Strings

Fixed, xrefs: 0073AECF
SSA, xrefs: 0073AF6E
Virtual, xrefs: 0073AFAD
ATA, xrefs: 0073AF60
RAID, xrefs: 0073AF83
CDROM, xrefs: 0073AEBB
SATA, xrefs: 0073AF98
RAMDisk, xrefs: 0073AEB1
FileBackedVirtual, xrefs: 0073AFB4
Network, xrefs: 0073AEC5
\\.\, xrefs: 0073ADFC
Fibre, xrefs: 0073AF75
MMC, xrefs: 0073AFA6
1394, xrefs: 0073AF67
SCSI, xrefs: 0073AF52
Unknown, xrefs: 0073AEA7, 0073AF4B
SSD, xrefs: 0073AF12
PhysicalDrive, xrefs: 0073AE33
ATAPI, xrefs: 0073AF59
SAS, xrefs: 0073AF91
Removable, xrefs: 0073AED9
iSCSI, xrefs: 0073AF8A
USB, xrefs: 0073AF7C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d7a05d1945cc29f776cdc5fc9a2bbcca0b4742e8c30ce83b5d444b76fb2abe53
Instruction ID: 10a6d7b9a5611416db881b472eb96aec16ba649ef7cbaf3921ce780b8fa6d8af
Opcode Fuzzy Hash: d7a05d1945cc29f776cdc5fc9a2bbcca0b4742e8c30ce83b5d444b76fb2abe53
Instruction Fuzzy Hash: D05192F4688306BBDB54EB10C9838B9B771AB44700F64805AF886A7292DB7DDD01DB93

Function 006D6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 006D6A91
__wcsnicmp.LIBCMT ref: 006D6AA9
__wcsnicmp.LIBCMT ref: 006D6AC1
__wcsnicmp.LIBCMT ref: 006D6AD9
__wcsnicmp.LIBCMT ref: 006D6AF1
__wcsnicmp.LIBCMT ref: 006D6B09
__wcsnicmp.LIBCMT ref: 006D6B21
__wcsnicmp.LIBCMT ref: 006D6B35
__wcsnicmp.LIBCMT ref: 006D6B76
__wcsnicmp.LIBCMT ref: 006D6B8A
__wcsnicmp.LIBCMT ref: 006D6B9E
__wcsnicmp.LIBCMT ref: 006D6BB2

Strings

#requireadmin, xrefs: 006D6ABB
Cannot parse #include, xrefs: 0070E749
#pragma compile, xrefs: 006D6A8B
#include-once, xrefs: 006D6AEB
#comments-end, xrefs: 006D6B98
#ce, xrefs: 006D6BAC
Bad directive syntax error, xrefs: 0070E673
#cs, xrefs: 006D6B2F, 006D6B84
#OnAutoItStartRegister, xrefs: 006D6AD3
#notrayicon, xrefs: 006D6AA3
#include, xrefs: 006D6B03
Unterminated group of comments, xrefs: 0070E75C
#comments-start, xrefs: 006D6B1B, 006D6B70

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: f46c5adffdc7d20cafa1ceb9751307d67bec355f96ff7f70e494a688f0d8af94
Instruction ID: 5918ccb335b51e94630da3db319886e69cab628dcd0f0cf9624144c512cb961e
Opcode Fuzzy Hash: f46c5adffdc7d20cafa1ceb9751307d67bec355f96ff7f70e494a688f0d8af94
Instruction Fuzzy Hash: DB815D70A00615BACB60AF64DC43FBE77AAAF14700F04412AFD45AA3C3FBA5DE11C695

Function 00759A4E Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00759B04
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00759BBD
SendMessageW.USER32(?,00001102,00000002,?), ref: 00759BD9

Strings

0, xrefs: 00759C16

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 37c56343b71584b28b3942ed8cf12d24330e67d35907bf85ed50a6e73f2aed03
Instruction ID: 7902e759d650ec6147e2e01332ac768570b0eda73f2cc1c326386c3bef4f318a
Opcode Fuzzy Hash: 37c56343b71584b28b3942ed8cf12d24330e67d35907bf85ed50a6e73f2aed03
Instruction Fuzzy Hash: 5702BF30104341EFEB15CF24C849BEABBE5FF49316F04862DFA95962A1D7B8D948CB91

Function 0075A8FC Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0075A935
SetTextColor.GDI32(?,?), ref: 0075A939
GetSysColorBrush.USER32(0000000F), ref: 0075A94F
GetSysColor.USER32(0000000F), ref: 0075A95A
CreateSolidBrush.GDI32(?), ref: 0075A95F
GetSysColor.USER32(00000011), ref: 0075A977
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0075A985
SelectObject.GDI32(?,00000000), ref: 0075A996
SetBkColor.GDI32(?,00000000), ref: 0075A99F
SelectObject.GDI32(?,?), ref: 0075A9AC
InflateRect.USER32(?,000000FF,000000FF), ref: 0075A9CB
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0075A9E2
GetWindowLongW.USER32(00000000,000000F0), ref: 0075A9F7
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0075AA1F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0075AA46
InflateRect.USER32(?,000000FD,000000FD), ref: 0075AA64
DrawFocusRect.USER32(?,?), ref: 0075AA6F
GetSysColor.USER32(00000011), ref: 0075AA7D
SetTextColor.GDI32(?,00000000), ref: 0075AA85
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0075AA99
SelectObject.GDI32(?,0075A62C), ref: 0075AAB0
DeleteObject.GDI32(?), ref: 0075AABB
SelectObject.GDI32(?,?), ref: 0075AAC1
DeleteObject.GDI32(?), ref: 0075AAC6
SetTextColor.GDI32(?,?), ref: 0075AACC
SetBkColor.GDI32(?,?), ref: 0075AAD6

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 8429282d4c52c5f2e466fd4d875f29442a9d02268ed44bf9b910195c82d92a6d
Instruction ID: 937e9d180675a7946d20cd8f9dc8be9dabf94d133c1bcd17ff966976c7de0ce2
Opcode Fuzzy Hash: 8429282d4c52c5f2e466fd4d875f29442a9d02268ed44bf9b910195c82d92a6d
Instruction Fuzzy Hash: 0C514D71900218FFDB119FA4DC48EEE7B79EF08322F118625F911AB2A1D7B99940CB94

Function 00758A07 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00758AF3
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00758B04
CharNextW.USER32(0000014E), ref: 00758B33
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00758B74
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00758B8A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00758B9B
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00758BB8
SetWindowTextW.USER32(?,0000014E), ref: 00758C0A
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00758C20
SendMessageW.USER32(?,00001002,00000000,?), ref: 00758C51
_memset.LIBCMT ref: 00758C76
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00758CBF
_memset.LIBCMT ref: 00758D1E
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00758D48
SendMessageW.USER32(?,00001074,?,00000001), ref: 00758DA0
SendMessageW.USER32(?,0000133D,?,?), ref: 00758E4D
InvalidateRect.USER32(?,00000000,00000001), ref: 00758E6F
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00758EB9
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00758EE6
DrawMenuBar.USER32(?), ref: 00758EF5
SetWindowTextW.USER32(?,0000014E), ref: 00758F1D

Strings

0, xrefs: 00758E87

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: f8220fb2329bf1c34fa6cc679e7debf39af98ab4118ad19d43987079be685e71
Instruction ID: 1b739541e883f423f6d397ef6d6e16300aaa7cd3e1fef140507cdd1ef9e41b64
Opcode Fuzzy Hash: f8220fb2329bf1c34fa6cc679e7debf39af98ab4118ad19d43987079be685e71
Instruction Fuzzy Hash: 8DE17070901218EBDF609F60CC84EEE7BB9EF09751F10815AFD15AA291DFB88A45CF61

Function 007548F8 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00754A33
GetDesktopWindow.USER32 ref: 00754A48
GetWindowRect.USER32(00000000), ref: 00754A4F
GetWindowLongW.USER32(?,000000F0), ref: 00754AB1
DestroyWindow.USER32(?), ref: 00754ADD
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00754B06
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00754B24
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00754B4A
SendMessageW.USER32(?,00000421,?,?), ref: 00754B5F
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00754B72
IsWindowVisible.USER32(?), ref: 00754B92
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00754BAD
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00754BC1
GetWindowRect.USER32(?,?), ref: 00754BD9
MonitorFromPoint.USER32(?,?,00000002), ref: 00754BFF
GetMonitorInfoW.USER32(00000000,?), ref: 00754C19
CopyRect.USER32(?,?), ref: 00754C30
SendMessageW.USER32(?,00000412,00000000), ref: 00754C9B

Strings

(, xrefs: 00754C0C
tooltips_class32, xrefs: 00754AFF
0, xrefs: 007549DE

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 8b968eb1e647aeb03c8fb0461caca3d391a0e2af46b321e257a47d2bda30e1cf
Instruction ID: 16e923e0d7a2c8afca2e8a6aac4b4e6681eaeda02ef21c94ccf7e421f8b117dd
Opcode Fuzzy Hash: 8b968eb1e647aeb03c8fb0461caca3d391a0e2af46b321e257a47d2bda30e1cf
Instruction Fuzzy Hash: 4AB1BE71604340AFDB44DF24C889BAABBE5FF84305F00891DF9999B291D7B4EC48CBA5

Function 007344DB Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 007344ED
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00734513
_wcscpy.LIBCMT ref: 00734541
_wcscmp.LIBCMT ref: 0073454C
_wcscat.LIBCMT ref: 00734562
_wcsstr.LIBCMT ref: 0073456D
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00734589
_wcscat.LIBCMT ref: 007345D2
_wcscat.LIBCMT ref: 007345D9
_wcsncpy.LIBCMT ref: 00734604

Strings

04090000, xrefs: 007345BF
%u.%u.%u.%u, xrefs: 00734667
DefaultLangCodepage, xrefs: 007345EC
\VarFileInfo\Translation, xrefs: 00734581
StringFileInfo\, xrefs: 0073455C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 19b14fad68696ab01bb22fa1318e02c564c812640b70422538cc3bf331086987
Instruction ID: b5418ee1ca5db87be9c9baa243e779e15954da7b4711f3a4d656b4080a9d6b37
Opcode Fuzzy Hash: 19b14fad68696ab01bb22fa1318e02c564c812640b70422538cc3bf331086987
Instruction Fuzzy Hash: 23412A72A012097BEB54BB608C03EFF376DDF45710F50406DF904E6183EB78AA1196AE

Function 006D27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006D28BC
GetSystemMetrics.USER32(00000007), ref: 006D28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006D28EF
GetSystemMetrics.USER32(00000008), ref: 006D28F7
GetSystemMetrics.USER32(00000004), ref: 006D291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006D2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006D2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006D297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006D2990
GetClientRect.USER32(00000000,000000FF), ref: 006D29AE
GetStockObject.GDI32(00000011), ref: 006D29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 006D29D5

Part of subcall function 006D2344: GetCursorPos.USER32(?), ref: 006D2357
Part of subcall function 006D2344: ScreenToClient.USER32(007957B0,?), ref: 006D2374
Part of subcall function 006D2344: GetAsyncKeyState.USER32(00000001), ref: 006D2399
Part of subcall function 006D2344: GetAsyncKeyState.USER32(00000002), ref: 006D23A7

SetTimer.USER32(00000000,00000000,00000028,006D1256), ref: 006D29FC

Strings

AutoIt v3 GUI, xrefs: 006D2974

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9be039c30cc18fd81a238531aaf1a25194f3702c4a409755f185d78d8f7f469c
Instruction ID: 7b25bdb952071f1c42a85941983fa9574ea08592f9ff458e204e73aa5c12c7aa
Opcode Fuzzy Hash: 9be039c30cc18fd81a238531aaf1a25194f3702c4a409755f185d78d8f7f469c
Instruction Fuzzy Hash: BBB18C71A0020AEFDB15DFA8DC55BEE7BB5FB18311F10822AFA15A7390DB789841CB54

Function 0072A844 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0072A885
__swprintf.LIBCMT ref: 0072A926
_wcscmp.LIBCMT ref: 0072A939
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0072A98E
_wcscmp.LIBCMT ref: 0072A9CA
GetClassNameW.USER32(?,?,00000400), ref: 0072AA01
GetDlgCtrlID.USER32(?), ref: 0072AA53
GetWindowRect.USER32(?,?), ref: 0072AA89
GetParent.USER32(?), ref: 0072AAA7
ScreenToClient.USER32(00000000), ref: 0072AAAE
GetClassNameW.USER32(?,?,00000100), ref: 0072AB28
_wcscmp.LIBCMT ref: 0072AB3C
GetWindowTextW.USER32(?,?,00000400), ref: 0072AB62
_wcscmp.LIBCMT ref: 0072AB76

Part of subcall function 006F37AC: _iswctype.LIBCMT ref: 006F37B4

Strings

%s%u, xrefs: 0072A920

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 735febc7a34ce64195972ac48479419da69f156bf461332ffc74ef31d70edbb1
Instruction ID: dac028964ca27e5ed3cdd35813a2e1a2c416109fe87b07280c233b21eb310295
Opcode Fuzzy Hash: 735febc7a34ce64195972ac48479419da69f156bf461332ffc74ef31d70edbb1
Instruction Fuzzy Hash: 17A1E071204726FFDB15DF24D884BAAB7E9FF04354F008629F999C2151DB38E945CB92

Function 0072B196 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0072B1DA
_wcscmp.LIBCMT ref: 0072B1EB
GetWindowTextW.USER32(00000001,?,00000400), ref: 0072B213
CharUpperBuffW.USER32(?,00000000), ref: 0072B230
_wcscmp.LIBCMT ref: 0072B24E
_wcsstr.LIBCMT ref: 0072B25F
GetClassNameW.USER32(00000018,?,00000400), ref: 0072B297
_wcscmp.LIBCMT ref: 0072B2A7
GetWindowTextW.USER32(00000002,?,00000400), ref: 0072B2CE
GetClassNameW.USER32(00000018,?,00000400), ref: 0072B317
_wcscmp.LIBCMT ref: 0072B327
GetClassNameW.USER32(00000010,?,00000400), ref: 0072B34F
GetWindowRect.USER32(00000004,?), ref: 0072B3B8

Strings

ThumbnailClass, xrefs: 0072B2A2, 0072B322
@, xrefs: 0072B1BB

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 831932837249387489765f7b78a7b83c367a66f856e199cbdb34fe952cb25486
Instruction ID: 4ead3bc802b5841b6c394580ffa6fd6b3a5c1a0069a256fa21736af705f2cfea
Opcode Fuzzy Hash: 831932837249387489765f7b78a7b83c367a66f856e199cbdb34fe952cb25486
Instruction Fuzzy Hash: 0781BF7100835A9FDB04DF14D885FAA7BE9FF44314F18846AFD858A1A2DB38DD49CBA1

Function 0075C668 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

DragQueryPoint.SHELL32(?,?), ref: 0075C691

Part of subcall function 0075AB69: ClientToScreen.USER32(?,?), ref: 0075AB92
Part of subcall function 0075AB69: GetWindowRect.USER32(?,?), ref: 0075AC08
Part of subcall function 0075AB69: PtInRect.USER32(?,?,0075C07E), ref: 0075AC18

SendMessageW.USER32(?,000000B0,?,?), ref: 0075C6FA
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0075C705
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0075C728
_wcscat.LIBCMT ref: 0075C758
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0075C76F
SendMessageW.USER32(?,000000B0,?,?), ref: 0075C788
SendMessageW.USER32(?,000000B1,?,?), ref: 0075C79F
SendMessageW.USER32(?,000000B1,?,?), ref: 0075C7C1
DragFinish.SHELL32(?), ref: 0075C7C8
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0075C8BB

Strings

@GUI_DRAGID, xrefs: 0075C833
@GUI_DROPID, xrefs: 0075C7E8
@GUI_DRAGFILE, xrefs: 0075C86A
pby, xrefs: 0075C805

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pby
API String ID: 169749273-2968689537
Opcode ID: d238a57e661cc90f01c62612ec412c7f7474a2d036a183bedd7a072bcc5af1cc
Instruction ID: 8454d222da077af8db98990526306dec8efb0e6c71b77c1b9bdcec8807a7986d
Opcode Fuzzy Hash: d238a57e661cc90f01c62612ec412c7f7474a2d036a183bedd7a072bcc5af1cc
Instruction Fuzzy Hash: D1616D71508301AFC701EF64DC85E9BBBE9EF88710F00492EF691972A1DB749A49CB96

Function 0072AFDF Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0072B03E

Strings

[LAST, xrefs: 0072B0EB
LAST, xrefs: 0072B003
CLASSNAME=, xrefs: 0072B07B
ACTIVE, xrefs: 0072B019
REGEXP=, xrefs: 0072B053
ALL, xrefs: 0072B0D2
HANDLE=, xrefs: 0072B037
[ACTIVE, xrefs: 0072B02B
[ALL, xrefs: 0072B0E4
[CLASS:, xrefs: 0072B08E
[HANDLE:, xrefs: 0072B04A
[REGEXPTITLE:, xrefs: 0072B066

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: b4e957c581b68e5395954f467fc44a8f042a114916eaa23390f5041ad3222d9f
Instruction ID: 4dc9e5ab190d0899c8dc0f59d206420984886835aed74e6482c1c254cea37030
Opcode Fuzzy Hash: b4e957c581b68e5395954f467fc44a8f042a114916eaa23390f5041ad3222d9f
Instruction Fuzzy Hash: F631C470A88219A6DB28FA64DC83EAF77A69F10710F30451EB462711D2FF69AF04C656

Function 0072C2C0 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0072C2D3
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0072C2E5
SetWindowTextW.USER32(?,?), ref: 0072C2FC
GetDlgItem.USER32(?,000003EA), ref: 0072C311
SetWindowTextW.USER32(00000000,?), ref: 0072C317
GetDlgItem.USER32(?,000003E9), ref: 0072C327
SetWindowTextW.USER32(00000000,?), ref: 0072C32D
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0072C34E
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0072C368
GetWindowRect.USER32(?,?), ref: 0072C371
SetWindowTextW.USER32(?,?), ref: 0072C3DC
GetDesktopWindow.USER32 ref: 0072C3E2
GetWindowRect.USER32(00000000), ref: 0072C3E9
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0072C435
GetClientRect.USER32(?,?), ref: 0072C442
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0072C467
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0072C492

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 4f9ce32d067ea73e1adcf2ecb38731e51b81093df7c48de2d81ca8224b6d0aee
Instruction ID: 0cda901a60c1de9ec9d91e2213ce24680e62cf8a0e7171fb08d23fb132918004
Opcode Fuzzy Hash: 4f9ce32d067ea73e1adcf2ecb38731e51b81093df7c48de2d81ca8224b6d0aee
Instruction Fuzzy Hash: F0516E31900709EFDB21DFA8DD89BAFBBF5FF04705F008928E546A25A1C7B9A944CB50

Function 00745113 Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00745129
LoadCursorW.USER32(00000000,00007F00), ref: 00745134
LoadCursorW.USER32(00000000,00007F03), ref: 0074513F
LoadCursorW.USER32(00000000,00007F8B), ref: 0074514A
LoadCursorW.USER32(00000000,00007F01), ref: 00745155
LoadCursorW.USER32(00000000,00007F81), ref: 00745160
LoadCursorW.USER32(00000000,00007F88), ref: 0074516B
LoadCursorW.USER32(00000000,00007F80), ref: 00745176
LoadCursorW.USER32(00000000,00007F86), ref: 00745181
LoadCursorW.USER32(00000000,00007F83), ref: 0074518C
LoadCursorW.USER32(00000000,00007F85), ref: 00745197
LoadCursorW.USER32(00000000,00007F82), ref: 007451A2
LoadCursorW.USER32(00000000,00007F84), ref: 007451AD
LoadCursorW.USER32(00000000,00007F04), ref: 007451B8
LoadCursorW.USER32(00000000,00007F02), ref: 007451C3
LoadCursorW.USER32(00000000,00007F89), ref: 007451CE
GetCursorInfo.USER32(?), ref: 007451DE

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 772bca61f4ae8025c8e9e10f01c58ca46ff9703484fadd1a4f764f398ea85c96
Instruction ID: 1fec07aa0a666b8dae23d4c6c21347feba2a632fcc5a9ca60b5acdeb74a72617
Opcode Fuzzy Hash: 772bca61f4ae8025c8e9e10f01c58ca46ff9703484fadd1a4f764f398ea85c96
Instruction Fuzzy Hash: CA3117B1D483196BDB109FB68C8995FBEE8FF04750F50452BE50DE7281DB7865008FA1

Function 0075A1EB Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0075A28B
DestroyWindow.USER32(?,?), ref: 0075A305

Part of subcall function 006D7D2C: _memmove.LIBCMT ref: 006D7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0075A37F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0075A3A1
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0075A3B4
DestroyWindow.USER32(00000000), ref: 0075A3D6
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006D0000,00000000), ref: 0075A40D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0075A426
GetDesktopWindow.USER32 ref: 0075A43F
GetWindowRect.USER32(00000000), ref: 0075A446
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0075A45E
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0075A476

Part of subcall function 006D25DB: GetWindowLongW.USER32(?,000000EB), ref: 006D25EC

Strings

0, xrefs: 0075A2A1
tooltips_class32, xrefs: 0075A378, 0075A406

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 0e8fe0ebec5f07e3914344f8e5fc805b310fb54c37e23e8c6ec86e4d60731035
Instruction ID: af61ce871d345db592b31dd834430695c01c7ed9f0eff7d2e59f5bb2516f2c93
Opcode Fuzzy Hash: 0e8fe0ebec5f07e3914344f8e5fc805b310fb54c37e23e8c6ec86e4d60731035
Instruction Fuzzy Hash: B2719C70150344AFDB21CF68DC49FA67BE5EB88705F04462DF986872A0D7B8E906CF26

Function 007543FB Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0075448D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007544D8

Strings

GETSELECTED, xrefs: 007545E8
EXPAND, xrefs: 0075458A
SELECT, xrefs: 00754689
GETITEMCOUNT, xrefs: 007545BA
GETTOTALCOUNT, xrefs: 007544BF
GETTEXT, xrefs: 0075462B
UNCHECK, xrefs: 007546B4
EXISTS, xrefs: 00754541
COLLAPSE, xrefs: 0075451E
CHECK, xrefs: 007544F8
ISCHECKED, xrefs: 0075465B

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: e3324e00d2f643b6ce7519c0d8a21b7c2b68d0185feaf03c53073ca84b2450d4
Instruction ID: 36449dfc243453c42791feb24990f693a4bb063b7bf766c61832aadc8391478e
Opcode Fuzzy Hash: e3324e00d2f643b6ce7519c0d8a21b7c2b68d0185feaf03c53073ca84b2450d4
Instruction Fuzzy Hash: 3D919F306047119FCB54EF10C491AB9B7A2EF85314F08886DFC965B3A2DB78ED4ACB95

Function 0075B832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0075B8E8
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007591F4), ref: 0075B944
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0075B97D
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0075B9C0
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0075B9F7
FreeLibrary.KERNEL32(?), ref: 0075BA03
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0075BA13
DestroyIcon.USER32(?,?,?,?,?,007591F4), ref: 0075BA22
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0075BA3F
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0075BA4B

Part of subcall function 006F307D: __wcsicmp_l.LIBCMT ref: 006F3106

Strings

.dll, xrefs: 0075B8A1
.icl, xrefs: 0075B85E
.exe, xrefs: 0075B87E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 5cfee202a7b4f65a0882aa993abf5d3b517a32098b9681fb0d807eeb12924903
Instruction ID: bb8e62049baa5ae19289c5303231884602d220f448b732226a294d6806cb4f7c
Opcode Fuzzy Hash: 5cfee202a7b4f65a0882aa993abf5d3b517a32098b9681fb0d807eeb12924903
Instruction Fuzzy Hash: F561BEB1940619BEEB14DF64CC45BFE77A8EF08712F10851AFD15D61D0DBB8A988CBA0

Function 0073A3DC Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 006D9997: __itow.LIBCMT ref: 006D99C2
Part of subcall function 006D9997: __swprintf.LIBCMT ref: 006D9A0C

CharLowerBuffW.USER32(?,?), ref: 0073A455
GetDriveTypeW.KERNEL32 ref: 0073A4A2
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0073A4EA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0073A521
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0073A54F

Part of subcall function 006D7D2C: _memmove.LIBCMT ref: 006D7D66

Strings

open , xrefs: 0073A4B1
closed, xrefs: 0073A469, 0073A472
close cd wait, xrefs: 0073A53A
wait, xrefs: 0073A50C
type cdaudio alias cd wait, xrefs: 0073A4CD
close, xrefs: 0073A45B
set cd door , xrefs: 0073A4F0
open, xrefs: 0073A47C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: eddf8014a89a95c267aef56ecf7ecf892f52cd138ce94336f864a97f51fc8e3f
Instruction ID: 5ecdae80fcf967c8ede843b0f125a8aecf990e22e0688108a1cb7243b84c219e
Opcode Fuzzy Hash: eddf8014a89a95c267aef56ecf7ecf892f52cd138ce94336f864a97f51fc8e3f
Instruction Fuzzy Hash: B7518B71504304AFC750EF20C89196AB7E5FF88718F04896EF88A573A2DB35EE09CB56

Function 0075BA67 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00759239,?,?), ref: 0075BA8A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00759239,?,?,00000000,?), ref: 0075BAA1
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00759239,?,?,00000000,?), ref: 0075BAAC
CloseHandle.KERNEL32(00000000,?,?,?,?,00759239,?,?,00000000,?), ref: 0075BAB9
GlobalLock.KERNEL32(00000000), ref: 0075BAC2
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00759239,?,?,00000000,?), ref: 0075BAD1
GlobalUnlock.KERNEL32(00000000), ref: 0075BADA
CloseHandle.KERNEL32(00000000,?,?,?,?,00759239,?,?,00000000,?), ref: 0075BAE1
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00759239,?,?,00000000,?), ref: 0075BAF2
OleLoadPicture.OLEAUT32(?,00000000,00000000,00762CAC,?), ref: 0075BB0B
GlobalFree.KERNEL32(00000000), ref: 0075BB1B
GetObjectW.GDI32(00000000,00000018,?), ref: 0075BB3F
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0075BB6A
DeleteObject.GDI32(00000000), ref: 0075BB92
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0075BBA8

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 55a4fd906a01f6a1f6f5065c8ec7c79ab048c89bf86479c1d9c4977ae1305da5
Instruction ID: 247e17c93d3410620ae4a7d5809b0e83d5a0a0aea087ca82c081c5a68a2a702e
Opcode Fuzzy Hash: 55a4fd906a01f6a1f6f5065c8ec7c79ab048c89bf86479c1d9c4977ae1305da5
Instruction Fuzzy Hash: 0C410675600209AFDB119F65DC88EEA7BB8FB89712F108068F909D7260D7B89905DB64

Function 0073D925 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0073DA9C
_wcscat.LIBCMT ref: 0073DAB4
_wcscat.LIBCMT ref: 0073DAC6
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0073DADB
SetCurrentDirectoryW.KERNEL32(?), ref: 0073DAEF
GetFileAttributesW.KERNEL32(?), ref: 0073DB07
SetFileAttributesW.KERNEL32(?,00000000), ref: 0073DB21
SetCurrentDirectoryW.KERNEL32(?), ref: 0073DB33

Strings

*.*, xrefs: 0073DB72

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: e6e4d650f9609c50bc4185b1d001cac9f6ce749f2d45922986b4b013ffc40278
Instruction ID: 4a3864b9e8671b64e301243fc3b2cbf74f8860c99e881d0cfcb060fc1e9725ec
Opcode Fuzzy Hash: e6e4d650f9609c50bc4185b1d001cac9f6ce749f2d45922986b4b013ffc40278
Instruction Fuzzy Hash: C481A2B29083449FDB74DF64D94496AB7E9FB88310F18882EF485D7252E738ED44CB52

Function 0075C216 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0075C266
GetFocus.USER32 ref: 0075C276
GetDlgCtrlID.USER32(00000000), ref: 0075C281
_memset.LIBCMT ref: 0075C3AC
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0075C3D7
GetMenuItemCount.USER32(?), ref: 0075C3F7
GetMenuItemID.USER32(?,00000000), ref: 0075C40A
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0075C43E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0075C486
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0075C4BE
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0075C4F3

Strings

0, xrefs: 0075C3A4

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: c8048d1492c571367435a2c16feb6edc555b5ad2fa5546625f301a2746fa99f8
Instruction ID: 9185f248b5aaab82a015c954268f2156e7f5b52428133b54c45395a6f4f3b7c5
Opcode Fuzzy Hash: c8048d1492c571367435a2c16feb6edc555b5ad2fa5546625f301a2746fa99f8
Instruction Fuzzy Hash: 0D819C71208341AFD712CF14C894EBABBE8FB88315F00452EFD9597291D7B8D909CBA2

Function 0074742F Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007474A4
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007474B0
CreateCompatibleDC.GDI32(?), ref: 007474BC
SelectObject.GDI32(00000000,?), ref: 007474C9
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0074751D
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00747559
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0074757D
SelectObject.GDI32(00000006,?), ref: 00747585
DeleteObject.GDI32(?), ref: 0074758E
DeleteDC.GDI32(00000006), ref: 00747595
ReleaseDC.USER32(00000000,?), ref: 007475A0

Strings

(, xrefs: 00747525

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f8adb77839858882c4044a9254c6c9abd69836a4126528704d5fc2a803af0a6c
Instruction ID: 26e2a93882ed177c8992a6073dfb9ef78fa4f7b13196f42132ccfd26e4e76247
Opcode Fuzzy Hash: f8adb77839858882c4044a9254c6c9abd69836a4126528704d5fc2a803af0a6c
Instruction Fuzzy Hash: 51514971904309EFCB15CFA8CC85EAEBBB9EF48310F14842DFA4997251D775A940CB64

Function 006D6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 006F0AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,006D6C6C,?,00008000), ref: 006F0AF3

Part of subcall function 006D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D48A1,?,?,006D37C0,?), ref: 006D48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 006D6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 006D6E5A

Part of subcall function 006D59CD: _wcscpy.LIBCMT ref: 006D5A05

Part of subcall function 006F37BD: _iswctype.LIBCMT ref: 006F37C5

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0070E7EF
Unterminated string, xrefs: 0070EB3D
Error opening the file, xrefs: 0070E796, 0070E811
Bad directive syntax error, xrefs: 0070EAF6
AU3!, xrefs: 006D6CC1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0070E77A
EA06, xrefs: 0070E7AB

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 8b9302ce3961f9e3593d5e1f01dcb5e9adc4ea47bd7b30fae98d1b1c9cc7257b
Instruction ID: 6ca605ab1e3dbf7e630cb490ccba7cd6566fc1a92f2849648c940e3a0c131bec
Opcode Fuzzy Hash: 8b9302ce3961f9e3593d5e1f01dcb5e9adc4ea47bd7b30fae98d1b1c9cc7257b
Instruction Fuzzy Hash: BC029E71908341DFC764EF24C881AAFBBE6AF98314F04491EF486972A1DB34E949CB56

Function 006D45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006D45F9
GetMenuItemCount.USER32(00795890), ref: 0070D6FD
GetMenuItemCount.USER32(00795890), ref: 0070D7AD
GetCursorPos.USER32(?), ref: 0070D7F1
SetForegroundWindow.USER32(00000000), ref: 0070D7FA
TrackPopupMenuEx.USER32(00795890,00000000,?,00000000,00000000,00000000), ref: 0070D80D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0070D819

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 38ff111951bd2e7f68e05650c233dee044ed0eb190a71f1b2ad3598c12a8f0df
Instruction ID: fd20fc1e869d0f54d5bb68706a6a2005aaa2d8c9c1e71a6f183b4161fc7aedde
Opcode Fuzzy Hash: 38ff111951bd2e7f68e05650c233dee044ed0eb190a71f1b2ad3598c12a8f0df
Instruction Fuzzy Hash: 1271E330600345FBEB309F94DC89FAABFA5FB05364F104216F519A62D1DBB9AC60CB54

Function 007489C0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007489EC
CoInitialize.OLE32(00000000), ref: 00748A19
CoUninitialize.OLE32 ref: 00748A23
GetRunningObjectTable.OLE32(00000000,?), ref: 00748B23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00748C50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00762C0C), ref: 00748C84
CoGetObject.OLE32(?,00000000,00762C0C,?), ref: 00748CA7
SetErrorMode.KERNEL32(00000000), ref: 00748CBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00748D3A
VariantClear.OLEAUT32(?), ref: 00748D4A

Strings

,,v, xrefs: 007489D6

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,v
API String ID: 2395222682-1312938289
Opcode ID: 9b6f38fa7aeb6f2855e95492dbe8975c76401e1f9f3b472a4c9e97ae84705553
Instruction ID: 4d2a0f369af854daa8d93428d0432e217152b1f3554915ead9c6753799809c8a
Opcode Fuzzy Hash: 9b6f38fa7aeb6f2855e95492dbe8975c76401e1f9f3b472a4c9e97ae84705553
Instruction Fuzzy Hash: 5DC147B1608309AFC740DF24C88496BB7E9FF89348F00495DF98A9B251DB75ED05CB62

Function 00750EA5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074FE38,?,?), ref: 00750EBC

Strings

HKCC, xrefs: 00750F8A
HKEY_CURRENT_USER, xrefs: 00750F9B
HKEY_CURRENT_CONFIG, xrefs: 00750F79
HKU, xrefs: 00750FCE
HKEY_USERS, xrefs: 00750FBD
HKLM, xrefs: 00750F3A
HKEY_CLASSES_ROOT, xrefs: 00750F4F
HKCR, xrefs: 00750F64
HKEY_LOCAL_MACHINE, xrefs: 00750F25
HKCU, xrefs: 00750FAC

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 0f05223fc2cf017dac4d59586dab06d23972fcc19981a2e218c3e3cb120c7332
Instruction ID: 45710fbb5450a42d3a333ddd00b50336dd57a5f3292fb24400089d25d49921c0
Opcode Fuzzy Hash: 0f05223fc2cf017dac4d59586dab06d23972fcc19981a2e218c3e3cb120c7332
Instruction Fuzzy Hash: 49417F3054028A8BDF60EF10DD91AFE3721EF12302F584429FD595B292EB799D5ECBA4

Function 0073536E Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 006D7D2C: _memmove.LIBCMT ref: 006D7D66

Part of subcall function 006D7A84: _memmove.LIBCMT ref: 006D7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007353D7
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007353ED
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007353FE
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00735410
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00735421

Strings

open , xrefs: 00735386
alias PlayMe, xrefs: 007353B0
close PlayMe, xrefs: 007353E8, 00735415
play PlayMe wait, xrefs: 0073540B
status PlayMe mode, xrefs: 007353D2
play PlayMe, xrefs: 0073541C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 4615dcaa18c1e05f9ce31f6a11b2027739efd5a8d6bec697c2532983b395d5b6
Instruction ID: be6c547a65912af7424f28aa764d08f25cf0cc2c876786088c333b07305eb324
Opcode Fuzzy Hash: 4615dcaa18c1e05f9ce31f6a11b2027739efd5a8d6bec697c2532983b395d5b6
Instruction Fuzzy Hash: 9C11C461AD016979E7A4F7A1CC4ADFF7B7CEF95B40F40042AB401A21D2FEA40D44C6A2

Function 007346F8 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00734713
gethostname.WSOCK32(?,00000100), ref: 0073472D
gethostbyname.WSOCK32(?), ref: 0073473A
_wcscpy.LIBCMT ref: 00734762
_memmove.LIBCMT ref: 00734775
inet_ntoa.WSOCK32(?), ref: 00734780
_strcat.LIBCMT ref: 0073478E
_wcscpy.LIBCMT ref: 007347A5
WSACleanup.WSOCK32 ref: 007347B3
_wcscpy.LIBCMT ref: 007347C1

Strings

0.0.0.0, xrefs: 0073475C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 1fc5610840fdbca951224fc5c089ce711dc417992fff9b954ac7c3760aef1349
Instruction ID: 0f6cf6793e8c6afa481f1e77bf120ed59faac544bce221625194320a7b825af1
Opcode Fuzzy Hash: 1fc5610840fdbca951224fc5c089ce711dc417992fff9b954ac7c3760aef1349
Instruction Fuzzy Hash: E8110A31504218AFEB24A720DC4AEEA77FDDF12721F0441B9F50596192EFB8AE818B95

Function 0073501C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00735021

Part of subcall function 006F034A: timeGetTime.WINMM(?,76C1B400,006E0FDB), ref: 006F034E

Sleep.KERNEL32(0000000A), ref: 0073504D
EnumThreadWindows.USER32(?,Function_00064FCF,00000000), ref: 00735071
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00735093
SetActiveWindow.USER32 ref: 007350B2
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007350C0
SendMessageW.USER32(00000010,00000000,00000000), ref: 007350DF
Sleep.KERNEL32(000000FA), ref: 007350EA
IsWindow.USER32 ref: 007350F6
EndDialog.USER32(00000000), ref: 00735107

Strings

BUTTON, xrefs: 00735085

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 185e82323e86f72d7d6017512eab29e82cdbabafb487683da64a111c6d2548ef
Instruction ID: 332e6ac6a807ba81ee098dcd450e17f765109961db5ebadfb34ace5f7fc279af
Opcode Fuzzy Hash: 185e82323e86f72d7d6017512eab29e82cdbabafb487683da64a111c6d2548ef
Instruction Fuzzy Hash: 6E2199B0201708FFF7119F70EC89F663769E749346F169125F50182172DB6D8D61876A

Function 0073D619 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 006D9997: __itow.LIBCMT ref: 006D99C2
Part of subcall function 006D9997: __swprintf.LIBCMT ref: 006D9A0C

CoInitialize.OLE32(00000000), ref: 0073D676
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0073D709
SHGetDesktopFolder.SHELL32(?), ref: 0073D71D
CoCreateInstance.OLE32(00762D7C,00000000,00000001,00788C1C,?), ref: 0073D769
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0073D7D8
CoTaskMemFree.OLE32(?,?), ref: 0073D830
_memset.LIBCMT ref: 0073D86D
SHBrowseForFolderW.SHELL32(?), ref: 0073D8A9
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0073D8CC
CoTaskMemFree.OLE32(00000000), ref: 0073D8D3
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0073D90A
CoUninitialize.OLE32(00000001,00000000), ref: 0073D90C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: c0e198c7742c00e52e467eea0fe2766c0c04d237e78afee11cbfc829dd86ab17
Instruction ID: cc3a4b18f78d402b15b27bc7340a0660a37f457a290e38a36ecc28c1a0d62eeb
Opcode Fuzzy Hash: c0e198c7742c00e52e467eea0fe2766c0c04d237e78afee11cbfc829dd86ab17
Instruction Fuzzy Hash: B6B1FA75A00209AFDB14DFA4D889DAEBBB9FF48314F148069F809EB251DB34ED45CB54

Function 0073034D Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007303C8
SetKeyboardState.USER32(?), ref: 00730433
GetAsyncKeyState.USER32(000000A0), ref: 00730453
GetKeyState.USER32(000000A0), ref: 0073046A
GetAsyncKeyState.USER32(000000A1), ref: 00730499
GetKeyState.USER32(000000A1), ref: 007304AA
GetAsyncKeyState.USER32(00000011), ref: 007304D6
GetKeyState.USER32(00000011), ref: 007304E4
GetAsyncKeyState.USER32(00000012), ref: 0073050D
GetKeyState.USER32(00000012), ref: 0073051B
GetAsyncKeyState.USER32(0000005B), ref: 00730544
GetKeyState.USER32(0000005B), ref: 00730552

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6f0842543dd5618ad76065b7c7136d18dcd6d96658d4b067b01f3cfa39970530
Instruction ID: fd50f9e83713969fa84826790c51d3be7b23c10ad1f9e612dbcd3505a3d80d2c
Opcode Fuzzy Hash: 6f0842543dd5618ad76065b7c7136d18dcd6d96658d4b067b01f3cfa39970530
Instruction Fuzzy Hash: E051B9209087946AFB35DBB08425BEEBFB49F02380F48859DD5C2565C3DA6C9B4CCBE1

Function 0072C529 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0072C545
GetWindowRect.USER32(00000000,?), ref: 0072C557
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0072C5B5
GetDlgItem.USER32(?,00000002), ref: 0072C5C0
GetWindowRect.USER32(00000000,?), ref: 0072C5D2
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0072C626
GetDlgItem.USER32(?,000003E9), ref: 0072C634
GetWindowRect.USER32(00000000,?), ref: 0072C645
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0072C688
GetDlgItem.USER32(?,000003EA), ref: 0072C696
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0072C6B3
InvalidateRect.USER32(?,00000000,00000001), ref: 0072C6C0

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 02cccf1199c6c5c00f7f3b78be78775a7962c305bc0c1bdcb40dddc977c0111f
Instruction ID: f314b1399a98afc9e611495f078c48982ba69a83afd629905929d1542b391481
Opcode Fuzzy Hash: 02cccf1199c6c5c00f7f3b78be78775a7962c305bc0c1bdcb40dddc977c0111f
Instruction Fuzzy Hash: 5D514071B00305AFDB18CFA9DD89AAEBBBAEB98311F14812DF515D7290D7B4ED008B54

Function 006D201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006D2036,?,00000000,?,?,?,?,006D16CB,00000000,?), ref: 006D1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006D20D3
KillTimer.USER32(-00000001,?,?,?,?,006D16CB,00000000,?,?,006D1AE2,?,?), ref: 006D216E
DestroyAcceleratorTable.USER32(00000000), ref: 0070BE26
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006D16CB,00000000,?,?,006D1AE2,?,?), ref: 0070BE57
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006D16CB,00000000,?,?,006D1AE2,?,?), ref: 0070BE6E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006D16CB,00000000,?,?,006D1AE2,?,?), ref: 0070BE8A
DeleteObject.GDI32(00000000), ref: 0070BE9C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 0b6c4361d0bba6192f19f0b8eeda22879457d553bba60527eee8cdb80256895e
Instruction ID: 6049f86daf86c88b1752f57827d62ef1f518dc06b33172b3b5794bf5998e7156
Opcode Fuzzy Hash: 0b6c4361d0bba6192f19f0b8eeda22879457d553bba60527eee8cdb80256895e
Instruction Fuzzy Hash: 5E619F30900B12DFDB26DF14DD58B6AB7F2FF54312F50C52AE642476A0C378A992DB54

Function 006D21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 006D25DB: GetWindowLongW.USER32(?,000000EB), ref: 006D25EC

GetSysColor.USER32(0000000F), ref: 006D21D3

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 504cf492eb1e9d496b3dcc0230ca60c20893783eede4c5d214ea1f46ccb2c57f
Instruction ID: e0e2860b49ec76c7f1ce7faecf8d51d3b422c5d5b7235634eeb23524ed064057
Opcode Fuzzy Hash: 504cf492eb1e9d496b3dcc0230ca60c20893783eede4c5d214ea1f46ccb2c57f
Instruction Fuzzy Hash: F041D331504605DBDB215F28EC98BF93BA6EB16331F148366FD618A2E1C7758E42DB21

Function 0073A931 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0075F910), ref: 0073A995
GetDriveTypeW.KERNEL32(00000061,007889A0,00000061), ref: 0073AA5F
_wcscpy.LIBCMT ref: 0073AA89

Strings

all, xrefs: 0073A99B
ramdisk, xrefs: 0073AA09
removable, xrefs: 0073A9C7
cdrom, xrefs: 0073A9B1
network, xrefs: 0073A9F3
fixed, xrefs: 0073A9DD
unknown, xrefs: 0073AA20

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: d22a6e1ac1104d1225457b47301da8be61a7c143d709dc5e144b802e49173f31
Instruction ID: 804e90bcc04d76de532ada4c35badd6a3e5902016705966dcce89500fc752bc3
Opcode Fuzzy Hash: d22a6e1ac1104d1225457b47301da8be61a7c143d709dc5e144b802e49173f31
Instruction Fuzzy Hash: 8951DD31508301AFD350EF14C9D2AAEB7A6EF85300F54892EF596972A3DB35AD09CB53

Function 006D9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 006D99C2
__swprintf.LIBCMT ref: 006D9A0C
__i64tow.LIBCMT ref: 0070F93F

Strings

%.15g, xrefs: 006D9A06
False, xrefs: 0070F907
True, xrefs: 0070F900
0x%p, xrefs: 0070F921

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: d658ae9bd6a85f85d9a7dc68bb28e162d6fdb54d6c6f00046870905c1cd2901e
Instruction ID: cffac17f4da80d95d8d387299163a06637fa59372c1b7000ff5d22ab6fbb0662
Opcode Fuzzy Hash: d658ae9bd6a85f85d9a7dc68bb28e162d6fdb54d6c6f00046870905c1cd2901e
Instruction Fuzzy Hash: 5B41E671914209EEEB74AF34C842E7673E6EB44300F24856EE549DB3D2EA35AD428B21

Function 00757184 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0075719C
CreateMenu.USER32 ref: 007571B7
SetMenu.USER32(?,00000000), ref: 007571C6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00757253
IsMenu.USER32(?), ref: 00757269
CreatePopupMenu.USER32 ref: 00757273
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007572A0
DrawMenuBar.USER32 ref: 007572A8

Strings

F, xrefs: 00757294
0, xrefs: 00757192

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 2a32f9841087a734ddff7663f18ebee58d5b9c7b107dbac11da199f5579833d3
Instruction ID: c2ceefdd4ae95d6932079981a40357d81db2d9137f96076f5881820ca7a3cee7
Opcode Fuzzy Hash: 2a32f9841087a734ddff7663f18ebee58d5b9c7b107dbac11da199f5579833d3
Instruction Fuzzy Hash: B0413574A01209EFDB14DF64E884ADA7BB5FF49342F144129FD09A7360D7B8AD24CBA4

Function 007574ED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00757590
CreateCompatibleDC.GDI32(00000000), ref: 00757597
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007575AA
SelectObject.GDI32(00000000,00000000), ref: 007575B2
GetPixel.GDI32(00000000,00000000,00000000), ref: 007575BD
DeleteDC.GDI32(00000000), ref: 007575C6
GetWindowLongW.USER32(?,000000EC), ref: 007575D0
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007575E4
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007575F0

Strings

static, xrefs: 00757528

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 5fd8f6d5ccc18935ca42fce130cdcf93e14228a94828ec9d7b301adfdfb1e5c8
Instruction ID: 0a96af0bbca31fa094d1f26f575ff39c5df3aa4fbd5c5687d6009292bd702547
Opcode Fuzzy Hash: 5fd8f6d5ccc18935ca42fce130cdcf93e14228a94828ec9d7b301adfdfb1e5c8
Instruction Fuzzy Hash: 7D31A171104218BBDF169F64DC08FDB3B69FF09322F104224FA15961A0D7B9D825DB64

Function 006F6F80 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F6FBB

Part of subcall function 006F8CA8: __getptd_noexit.LIBCMT ref: 006F8CA8

__gmtime64_s.LIBCMT ref: 006F7054
__gmtime64_s.LIBCMT ref: 006F708A
__gmtime64_s.LIBCMT ref: 006F70A7
__allrem.LIBCMT ref: 006F70FD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006F7119
__allrem.LIBCMT ref: 006F7130
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006F714E
__allrem.LIBCMT ref: 006F7165
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006F7183
__invoke_watson.LIBCMT ref: 006F71F4

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: 83e762a5c010c62e538b2f98e011d2c393727b4558de53f8e6d38504aceebd41
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: C171F6B1A0171AEBE714DE68CC41BBAB3AAAF11324F144229F614D73C1EB74E9448790

Function 0073281F Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0073283A
GetMenuItemInfoW.USER32(00795890,000000FF,00000000,00000030), ref: 0073289B
SetMenuItemInfoW.USER32(00795890,00000004,00000000,00000030), ref: 007328D1
Sleep.KERNEL32(000001F4), ref: 007328E3
GetMenuItemCount.USER32(?), ref: 00732927
GetMenuItemID.USER32(?,00000000), ref: 00732943
GetMenuItemID.USER32(?,-00000001), ref: 0073296D
GetMenuItemID.USER32(?,?), ref: 007329B2
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007329F8
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00732A0C
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00732A2D

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 2e14bffa10256b4a91f84101734333d269b97779ca14853355d78a6c3f75a2b1
Instruction ID: 0ca90a9d25bee76a923dc201c32473c6108b3048882797061152329e61502592
Opcode Fuzzy Hash: 2e14bffa10256b4a91f84101734333d269b97779ca14853355d78a6c3f75a2b1
Instruction Fuzzy Hash: 1661A0B0900259AFEB21CF64CC88AFE7BB9FB05304F148059E842A7253D779AD07DB61

Function 00756F55 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00756FD7
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00756FDA
GetWindowLongW.USER32(?,000000F0), ref: 00756FFE
_memset.LIBCMT ref: 0075700F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00757021
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00757099

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 98c8faebac4647a02c24e38fea531383ae128cc5fea2fc1887570ab35d504118
Instruction ID: 4350c6d29f227c7594eae1d7ee4ec41c750b1c741e3ea4f69b71ad436aab45b9
Opcode Fuzzy Hash: 98c8faebac4647a02c24e38fea531383ae128cc5fea2fc1887570ab35d504118
Instruction Fuzzy Hash: 37619F71900218EFDB11DFA4DC81EEE77F8EB09710F10415AFA14AB2A1C7B8AD45DB64

Function 00726EEE Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00726F15
SafeArrayAllocData.OLEAUT32(?), ref: 00726F6E
VariantInit.OLEAUT32(?), ref: 00726F80
SafeArrayAccessData.OLEAUT32(?,?), ref: 00726FA0
VariantCopy.OLEAUT32(?,?), ref: 00726FF3
SafeArrayUnaccessData.OLEAUT32(?), ref: 00727007
VariantClear.OLEAUT32(?), ref: 0072701C
SafeArrayDestroyData.OLEAUT32(?), ref: 00727029
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00727032
VariantClear.OLEAUT32(?), ref: 00727044
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0072704F

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0e6a17b4f2d8bf7bda0f8a8673bd41b86012bacec534dcd58c6ba5d03bc40f93
Instruction ID: f4fadf14a80729c0f1d568359a5c07e45878bb2297fa027c4743fc0e7d287395
Opcode Fuzzy Hash: 0e6a17b4f2d8bf7bda0f8a8673bd41b86012bacec534dcd58c6ba5d03bc40f93
Instruction Fuzzy Hash: C2417131900229DFCF14EF64E848DEEBBB9FF08311F008069E915A7261CB79A945CFA4

Function 007484D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 006D9997: __itow.LIBCMT ref: 006D99C2
Part of subcall function 006D9997: __swprintf.LIBCMT ref: 006D9A0C

CoInitialize.OLE32 ref: 00748518
CoUninitialize.OLE32 ref: 00748523
CoCreateInstance.OLE32(?,00000000,00000017,00762BEC,?), ref: 00748583
IIDFromString.OLE32(?,?), ref: 007485F6
VariantInit.OLEAUT32(?), ref: 00748690
VariantClear.OLEAUT32(?), ref: 007486F1

Strings

Invalid parameter, xrefs: 0074860F
Failed to create object, xrefs: 0074858E, 00748644
NULL Pointer assignment, xrefs: 007485C8

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 8d5c6ef11ea0aa07001fdd26a0093b96418a719945b3c3ac170613b916b2f747
Instruction ID: dc81a983afb2e909aa9eb94ac58223d4112b076e3a8542f46a3d0194440bf550
Opcode Fuzzy Hash: 8d5c6ef11ea0aa07001fdd26a0093b96418a719945b3c3ac170613b916b2f747
Instruction Fuzzy Hash: 6061BD70608305AFD790DF24C848B6EBBE4AF48714F05491DF9859B292CB78ED48CB97

Function 00745848 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007458A9
inet_addr.WSOCK32(?,?,?), ref: 007458EE
gethostbyname.WSOCK32(?), ref: 007458FA
IcmpCreateFile.IPHLPAPI ref: 00745908
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00745978
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0074598E
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00745A03
WSACleanup.WSOCK32 ref: 00745A09

Strings

Ping, xrefs: 0074592C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 096bc46b6445f3b33242d6966f54a42c9ee959b51c5b070d094d1f9b95871c08
Instruction ID: 75820247c54a095444bbcaecf1c63367d8d1c47845f4fa341766537d73ccaacd
Opcode Fuzzy Hash: 096bc46b6445f3b33242d6966f54a42c9ee959b51c5b070d094d1f9b95871c08
Instruction Fuzzy Hash: FB517131604700EFD711AF24CC49B6A77E5EF48720F14892AF956DB2A2DB74EC04DB55

Function 0073B54F Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0073B55C
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0073B5D2
GetLastError.KERNEL32 ref: 0073B5DC
SetErrorMode.KERNEL32(00000000,READY), ref: 0073B649

Strings

READY, xrefs: 0073B622
UNKNOWN, xrefs: 0073B601
NOTREADY, xrefs: 0073B608
INVALID, xrefs: 0073B61B
READONLY, xrefs: 0073B614

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e5fe9917bbdfae263a726b117118a97bc1078a0db25b6aef638a19dea9fa158f
Instruction ID: c383caacd017b248cec440d0400e2b4d87079005a42b9aa3fc921d118805d4d4
Opcode Fuzzy Hash: e5fe9917bbdfae263a726b117118a97bc1078a0db25b6aef638a19dea9fa158f
Instruction Fuzzy Hash: 8C318175A44209DFEB10EFA4D886AFE7BB4EF44310F14406AF6019B293DB799901CB95

Function 00729251 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7F41: _memmove.LIBCMT ref: 006D7F82

Part of subcall function 0072AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0072AEC7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007292D6
GetDlgCtrlID.USER32 ref: 007292E1
GetParent.USER32 ref: 007292FD
SendMessageW.USER32(00000000,?,00000111,?), ref: 00729300
GetDlgCtrlID.USER32(?), ref: 00729309
GetParent.USER32(?), ref: 00729325
SendMessageW.USER32(00000000,?,?,00000111), ref: 00729328

Strings

ComboBox, xrefs: 0072925E
ListBox, xrefs: 00729293

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 475a0652c788d5029b24e89d864296cda26f2031c7ef8483257c7eab9a7eaeae
Instruction ID: 7de272c07e3a0e3d176be4d00f2493ea5df0a2f62c97ab1234080511c7e5215d
Opcode Fuzzy Hash: 475a0652c788d5029b24e89d864296cda26f2031c7ef8483257c7eab9a7eaeae
Instruction Fuzzy Hash: 9C21F170E40214BBDF04AB64CC89EFEBBA5EF49310F14411AF922972E2DB7D5815DB24

Function 0072933C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7F41: _memmove.LIBCMT ref: 006D7F82

Part of subcall function 0072AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0072AEC7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007293BF
GetDlgCtrlID.USER32 ref: 007293CA
GetParent.USER32 ref: 007293E6
SendMessageW.USER32(00000000,?,00000111,?), ref: 007293E9
GetDlgCtrlID.USER32(?), ref: 007293F2
GetParent.USER32(?), ref: 0072940E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00729411

Strings

ComboBox, xrefs: 00729349
ListBox, xrefs: 0072937E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: e6193e6189aa5e47b0716c1d264924d7349451cfccac7b209d6174d7738129d5
Instruction ID: c0b3e099002f6f2c088051a9ea1ce6472b7a8401bc44df8e466e0fb635ce3cd5
Opcode Fuzzy Hash: e6193e6189aa5e47b0716c1d264924d7349451cfccac7b209d6174d7738129d5
Instruction Fuzzy Hash: 0F21C874D00214BBDF04AB64DC85EFEBBB5EF49300F14405AF911972A2DB7D9916DB24

Function 00729425 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00729431
GetClassNameW.USER32(00000000,?,00000100), ref: 00729446
_wcscmp.LIBCMT ref: 00729458
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007294D3

Strings

SHELLDLL_DefView, xrefs: 00729452
smallicons, xrefs: 0072949B
largeicons, xrefs: 00729467
details, xrefs: 00729481
list, xrefs: 007294B5

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 2edbdc80a4f6db200d71b5dd3f5411cdca62122c660f644c36d39da91a21ea5e
Instruction ID: cfc378abd0382e8aca4407157ccec8bc30bdda88c00dc4826c56237d39785fa7
Opcode Fuzzy Hash: 2edbdc80a4f6db200d71b5dd3f5411cdca62122c660f644c36d39da91a21ea5e
Instruction Fuzzy Hash: DB110A76288366B9F6143620BC07DA7739CDF05320F20412BFB05E40E1FE99A8528658

Function 00737A39 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00737B15

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 18ed57adfaf72005c46a7fcdd6b62aabff561932343b8c8ff160da97f1479245
Instruction ID: 39c130a9d273c616661597d64d322dd48810b2e8c0ede30e23775db33d719b85
Opcode Fuzzy Hash: 18ed57adfaf72005c46a7fcdd6b62aabff561932343b8c8ff160da97f1479245
Instruction Fuzzy Hash: DDB192B1A1421A9FEB24DF94C885BBEB7B5FF08321F244469E500EB252D738D941DBA1

Function 007314FF Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00731521
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00730599,?,00000001), ref: 00731535
GetWindowThreadProcessId.USER32(00000000), ref: 0073153C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00730599,?,00000001), ref: 0073154B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0073155D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00730599,?,00000001), ref: 00731576
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00730599,?,00000001), ref: 00731588
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00730599,?,00000001), ref: 007315CD
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00730599,?,00000001), ref: 007315E2
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00730599,?,00000001), ref: 007315ED

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f17b71df0218d619a077aac27e4fb1d7d575ab2d60298a1ed955ddff432d5d5f
Instruction ID: 97f4365353e5b570cc8e7a4e5ad7fe5b6612835d2b097b3f5a35ab2d89e068b1
Opcode Fuzzy Hash: f17b71df0218d619a077aac27e4fb1d7d575ab2d60298a1ed955ddff432d5d5f
Instruction Fuzzy Hash: C4318D71900304BFEB10AF64EC48BB977BAEB94352F50C126F906C61A1DBBC9D518B68

Function 00749228 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0074927C
VariantInit.OLEAUT32(?), ref: 0074934D
VariantInit.OLEAUT32(?), ref: 0074944E
VariantClear.OLEAUT32(?), ref: 00749458
VariantClear.OLEAUT32(?), ref: 007494B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00749431
,,v, xrefs: 007492FA
Null Object assignment in FOR..IN loop, xrefs: 007492DD, 0074940B, 007494C3

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,v$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-3574538243
Opcode ID: 46cad8904ba07bc1b857b4f51a9d0f0a3e19309ef2f95d4112cd34e63a171dcf
Instruction ID: 80b6c17f7a5395d8352cbb3afcdc4ba99625c3508ffd67332de479905f520593
Opcode Fuzzy Hash: 46cad8904ba07bc1b857b4f51a9d0f0a3e19309ef2f95d4112cd34e63a171dcf
Instruction Fuzzy Hash: 2E917D71A00219AFDF24DFA5C848FAFBBB8EF45710F108559F615AB280D7789946CFA0

Function 0072A473 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0072A844), ref: 0072A782

Strings

INSTANCE, xrefs: 0072A690
CLASS, xrefs: 0072A501
NAME, xrefs: 0072A5B4
REGEXPCLASS, xrefs: 0072A547
TEXT, xrefs: 0072A6B9
CLASSNN, xrefs: 0072A524

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 36e5a5da7e0f1af24edc82c13789d6a84409ff85f939981c531fdbc0e76a12d4
Instruction ID: cf532feb78f31829305784a41d9d2239864929b4dbad59dc9834226ad401c7a9
Opcode Fuzzy Hash: 36e5a5da7e0f1af24edc82c13789d6a84409ff85f939981c531fdbc0e76a12d4
Instruction Fuzzy Hash: 9691C170A0061AFBDB48EF60D481BE9FB76BF04304F148129E95AA7241DF34A999CB95

Function 006D2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 006D2EAE

Part of subcall function 006D1DB3: GetClientRect.USER32(?,?), ref: 006D1DDC
Part of subcall function 006D1DB3: GetWindowRect.USER32(?,?), ref: 006D1E1D
Part of subcall function 006D1DB3: ScreenToClient.USER32(?,?), ref: 006D1E45

GetDC.USER32 ref: 0070CEB2
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0070CEC5
SelectObject.GDI32(00000000,00000000), ref: 0070CED3
SelectObject.GDI32(00000000,00000000), ref: 0070CEE8
ReleaseDC.USER32(?,00000000), ref: 0070CEF0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0070CF7B

Strings

U, xrefs: 0070CE50

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: a6f4a117456a64615db5b8149c1d3ddbac1c46967b9aa1b07a2a104750b3b100
Instruction ID: 9b7c60edd1f3b6f2aa32a0710e7ce5bb4561dc0e8e18a2d45f986e4c28937cff
Opcode Fuzzy Hash: a6f4a117456a64615db5b8149c1d3ddbac1c46967b9aa1b07a2a104750b3b100
Instruction Fuzzy Hash: AF71B131800206DFCF22CF64C894AEA7BB6FF58321F14836AFD555A2A6C7399841DF61

Function 00748D5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0075F910), ref: 00748E3D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0075F910), ref: 00748E71
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00748FEB
SysFreeString.OLEAUT32(?), ref: 00749015

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 70e54ef87d64da1ad17ff6284c3f95769e3c3f4c63fb11111266eeb006c49160
Instruction ID: 25af19cf3bc27912f49108ee26b04b33f760bacdff9bb3353846599acc0156a8
Opcode Fuzzy Hash: 70e54ef87d64da1ad17ff6284c3f95769e3c3f4c63fb11111266eeb006c49160
Instruction Fuzzy Hash: 09F15A71A00209EFCF44DF94C888EAEB7BAFF49315F108099F915AB251DB35AE45CB51

Function 0074F7A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0074F7C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0074F95C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0074F980
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0074F9C0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0074F9E2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0074FB5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0074FB90
CloseHandle.KERNEL32(?), ref: 0074FBBF
CloseHandle.KERNEL32(?), ref: 0074FC36

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 62460e10fa80162ec51de772c2ba74f42386d7bf76e47594c30c08e177ceb417
Instruction ID: 8e3e3c7dc9d6703307f48c1c2200b9070020109b673e82cf8c2d58172cc62803
Opcode Fuzzy Hash: 62460e10fa80162ec51de772c2ba74f42386d7bf76e47594c30c08e177ceb417
Instruction Fuzzy Hash: C4E1C031604341EFD714EF24C891B6ABBE5AF89354F18846DF8899B3A2DB35EC40CB56

Function 00734D68 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007346AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007336DB,?), ref: 007346CC

Part of subcall function 007346AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007336DB,?), ref: 007346E5

Part of subcall function 00734AD8: GetFileAttributesW.KERNEL32(?,0073374F), ref: 00734AD9

lstrcmpiW.KERNEL32(?,?), ref: 00734DE7
_wcscmp.LIBCMT ref: 00734E01
MoveFileW.KERNEL32(?,?), ref: 00734E1C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: aefe3164d56676e0655dfff3a937d3647923f56ca2b9feddc18ae970a0dc0f8f
Instruction ID: 2d3f5066cbc1cb72d488ad01102e2faf7db19001f5d5d8be0a84bd7861888a8e
Opcode Fuzzy Hash: aefe3164d56676e0655dfff3a937d3647923f56ca2b9feddc18ae970a0dc0f8f
Instruction Fuzzy Hash: BD5165B24083859BD764DB94D8819DFB3ECAF85300F04492EF685D3152EF78B688CB5A

Function 00758677 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00758731

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 1bb1ceb9d0854e5a4092f2cdffc33df981dbf43cd0b95d0f53982b78cbf5c1a1
Instruction ID: 5e029abf1aec56078d1932d3066b2a2d892386da0655b5187e18fa95b2456d0f
Opcode Fuzzy Hash: 1bb1ceb9d0854e5a4092f2cdffc33df981dbf43cd0b95d0f53982b78cbf5c1a1
Instruction Fuzzy Hash: AC51E630500204FFEB609B69CC89BD93B64EB05312F604516FE14F61E1CFF9A988CB96

Function 006D2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0070C477
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0070C499
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0070C4B1
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0070C4CF
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0070C4F0
DestroyIcon.USER32(00000000), ref: 0070C4FF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0070C51C
DestroyIcon.USER32(?), ref: 0070C52B

Part of subcall function 0075A4E1: DeleteObject.GDI32(00000000), ref: 0075A51A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 0b9f0f01b01790a5ea94a8bdf68791ed1748e11afe073fb901c6873e95b2833a
Instruction ID: 8de7ffb93b942749f0fdf946953a03ef533d0da61342e50ce1af61f1abc9f52a
Opcode Fuzzy Hash: 0b9f0f01b01790a5ea94a8bdf68791ed1748e11afe073fb901c6873e95b2833a
Instruction Fuzzy Hash: 8A516974A1020AEFDB21DF24DC55FAA3BE6EB68311F10462AF902972D0D7B4AD91DB50

Function 00729930 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0072AC37: GetWindowThreadProcessId.USER32(?,00000000), ref: 0072AC57
Part of subcall function 0072AC37: GetCurrentThreadId.KERNEL32 ref: 0072AC5E
Part of subcall function 0072AC37: AttachThreadInput.USER32(00000000,?,00729945,?,00000001), ref: 0072AC65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00729950
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0072996D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00729970
MapVirtualKeyW.USER32(00000025,00000000), ref: 00729979
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00729997
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0072999A
MapVirtualKeyW.USER32(00000025,00000000), ref: 007299A3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007299BA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007299BD

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1989f180d4abe699738abe32952ba9f734a1e4135b3e53286f335dee35a9d4ea
Instruction ID: 962bff91db9e094580eef8f4535c7fbd701ebd571c87a60bd28e51bd21213874
Opcode Fuzzy Hash: 1989f180d4abe699738abe32952ba9f734a1e4135b3e53286f335dee35a9d4ea
Instruction Fuzzy Hash: C711E571950618FFF6106B60DC49FAA7B1DEB4C752F104429F344AB0A0C9F66C50DAB8

Function 00728BE3 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00728864,00000B00,?,?), ref: 00728BEC
HeapAlloc.KERNEL32(00000000,?,00728864,00000B00,?,?), ref: 00728BF3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00728864,00000B00,?,?), ref: 00728C08
GetCurrentProcess.KERNEL32(?,00000000,?,00728864,00000B00,?,?), ref: 00728C10
DuplicateHandle.KERNEL32(00000000,?,00728864,00000B00,?,?), ref: 00728C13
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00728864,00000B00,?,?), ref: 00728C23
GetCurrentProcess.KERNEL32(00728864,00000000,?,00728864,00000B00,?,?), ref: 00728C2B
DuplicateHandle.KERNEL32(00000000,?,00728864,00000B00,?,?), ref: 00728C2E
CreateThread.KERNEL32(00000000,00000000,00728C54,00000000,00000000,00000000), ref: 00728C48

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 1963b314d6fdb30a1c02278509fa9f0be0a45cfb1bcff958cb76115e49b5be12
Instruction ID: 697a97cffb4aaf1156b1eba40c69dd440fba6d35493ad41d34c0f6452619c1ff
Opcode Fuzzy Hash: 1963b314d6fdb30a1c02278509fa9f0be0a45cfb1bcff958cb76115e49b5be12
Instruction Fuzzy Hash: 2601ACB5240748FFE610AB65DC49FAB3B6CEB89711F008421FA05DB191CAB598008A25

Function 00749872 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00727432: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0072736C,80070057,?,?,?,0072777D), ref: 0072744F
Part of subcall function 00727432: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0072736C,80070057,?,?), ref: 0072746A
Part of subcall function 00727432: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0072736C,80070057,?,?), ref: 00727478
Part of subcall function 00727432: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0072736C,80070057,?), ref: 00727488

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0074991B
_memset.LIBCMT ref: 00749928
_memset.LIBCMT ref: 00749A6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00749A97
CoTaskMemFree.OLE32(?), ref: 00749AA2

Strings

NULL Pointer assignment, xrefs: 00749AF0

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 2c0c0016bf79bf58c04369ecd4680740ba152c54ec669f274abee2c0d54fae32
Instruction ID: 6d3a96869712fdd9ce7d943ee8083ae4040657de181767d684a11b076b06dc8b
Opcode Fuzzy Hash: 2c0c0016bf79bf58c04369ecd4680740ba152c54ec669f274abee2c0d54fae32
Instruction Fuzzy Hash: 1C912871D00229EBDB10DFA4DC85EDEBBB9EF08710F10815AF519A7281DB75AA44CFA0

Function 00756DB2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00756E56
SendMessageW.USER32(?,00001036,00000000,?), ref: 00756E6A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00756E84
_wcscat.LIBCMT ref: 00756EDF
SendMessageW.USER32(?,00001057,00000000,?), ref: 00756EF6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00756F24

Strings

SysListView32, xrefs: 00756E28

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: a0ad4e4d3e0bea66d49986256d1d2db7eb21f52247c2d68862078c89cb6e6687
Instruction ID: e882e2e369eaf4fa4718a1497034d14442889eca416b0f3eb5e036c540a5a84d
Opcode Fuzzy Hash: a0ad4e4d3e0bea66d49986256d1d2db7eb21f52247c2d68862078c89cb6e6687
Instruction Fuzzy Hash: 6B41A370A00308EBEB219F64CC85BEE77F9EF08351F50446AF945E7191D7BA9D888B64

Function 0074EA47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00733C99: CreateToolhelp32Snapshot.KERNEL32 ref: 00733CBE
Part of subcall function 00733C99: Process32FirstW.KERNEL32(00000000,?), ref: 00733CCC
Part of subcall function 00733C99: CloseHandle.KERNEL32(00000000), ref: 00733D96

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0074EAB8
GetLastError.KERNEL32 ref: 0074EACB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0074EAFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0074EB77
GetLastError.KERNEL32(00000000), ref: 0074EB82
CloseHandle.KERNEL32(00000000), ref: 0074EBB7

Strings

SeDebugPrivilege, xrefs: 0074EAD6

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 9a90e7534d83a0f9bfa10727043ecc1ffed5c1c4a6f69feacd437ea23ab51694
Instruction ID: e04db0d75f2902df11a0f0c194d2f0702f3d064247c2ac9cc95f62f7582a9069
Opcode Fuzzy Hash: 9a90e7534d83a0f9bfa10727043ecc1ffed5c1c4a6f69feacd437ea23ab51694
Instruction Fuzzy Hash: 31419D716002119FDB24EF54CC99F6DB7A6FF40724F08845DF9429B2D2CBB9A804CB9A

Function 0073302E Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 007330CD

Strings

stop, xrefs: 0073309E
blank, xrefs: 0073304F
info, xrefs: 0073306E
warning, xrefs: 007330B6
question, xrefs: 00733086

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 596912b4fc07d6de200cba18df69ba88f1a9d4c292688af7350091d991848489
Instruction ID: ced9966922e6279b6e723cf74029f3d5f05865ac537ad902e9bc6b3baf89ec47
Opcode Fuzzy Hash: 596912b4fc07d6de200cba18df69ba88f1a9d4c292688af7350091d991848489
Instruction Fuzzy Hash: 2F11EB3564835BBAF738AA54DC82DBB779DDF05720F10402AF60456283DEBD9F4046B5

Function 00734339 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00734353
LoadStringW.USER32(00000000), ref: 0073435A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00734370
LoadStringW.USER32(00000000), ref: 00734377
_wprintf.LIBCMT ref: 0073439D
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007343BB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00734398

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 585bc4be91976dbf9a201076b4c9cb685182e04ea98566dc6a93adbc62c7b01e
Instruction ID: 14ac10f3b6598c4038d7df176a9076e26e28df2b8998f977c8a71cd8974df9e6
Opcode Fuzzy Hash: 585bc4be91976dbf9a201076b4c9cb685182e04ea98566dc6a93adbc62c7b01e
Instruction Fuzzy Hash: 9D014FF290030CBFE751ABA09D89EE7776CDB08302F4045A5FB45E2051EAB89E854B75

Function 0075D4A8 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

GetSystemMetrics.USER32(0000000F), ref: 0075D4E6
GetSystemMetrics.USER32(0000000F), ref: 0075D506
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0075D741
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0075D75F
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0075D780
ShowWindow.USER32(00000003,00000000), ref: 0075D79F
InvalidateRect.USER32(?,00000000,00000001), ref: 0075D7C4
DefDlgProcW.USER32(?,00000005,?,?), ref: 0075D7E7

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 39a5032f9b4de5ae31b449207ecea0b66a175237dcc702136ba9c156d3f953a5
Instruction ID: c0a968fb5be2fceaf5e9b75be1f7cb0bf4d8f15c19442ea2154320ffa8b283f5
Opcode Fuzzy Hash: 39a5032f9b4de5ae31b449207ecea0b66a175237dcc702136ba9c156d3f953a5
Instruction Fuzzy Hash: 7AB17A71500229EFDF24CF68C9857EE7BB1FF08712F088069EC489A295E7B8AD55CB50

Function 006D2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0070C347,00000004,00000000,00000000,00000000), ref: 006D2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0070C347,00000004,00000000,00000000,00000000,000000FF), ref: 006D2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0070C347,00000004,00000000,00000000,00000000), ref: 0070C39A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0070C347,00000004,00000000,00000000,00000000), ref: 0070C406

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d378d4cf60bae4994ab5a6ca644943cffd95c506922aed8f42853ec63c7c274f
Instruction ID: 7d9a5d88219c349b8681d55b718cc7746c52d5ae5ab3a03025e37d919076cfad
Opcode Fuzzy Hash: d378d4cf60bae4994ab5a6ca644943cffd95c506922aed8f42853ec63c7c274f
Instruction Fuzzy Hash: 2741DB30A14781DAC7368B289DACBAB7BD7EB65304F5CC91FE047C67A0C6B99842D711

Function 0073716F Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00737186

Part of subcall function 006F0F36: std::exception::exception.LIBCMT ref: 006F0F6C
Part of subcall function 006F0F36: __CxxThrowException@8.LIBCMT ref: 006F0F81

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007371BD
EnterCriticalSection.KERNEL32(?), ref: 007371D9
_memmove.LIBCMT ref: 00737227
_memmove.LIBCMT ref: 00737244
LeaveCriticalSection.KERNEL32(?), ref: 00737253
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00737268
InterlockedExchange.KERNEL32(?,000001F6), ref: 00737287

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 29c87678bd78653377f70a016e4d3eedd2790e9b03f10a8241b752168b115681
Instruction ID: 491c4f8a11fa48441f38fa7fe063b33898ff5a357b905d6cac4694654bbb389b
Opcode Fuzzy Hash: 29c87678bd78653377f70a016e4d3eedd2790e9b03f10a8241b752168b115681
Instruction Fuzzy Hash: 6C318E71900209EBEF209F64DC85AAF7778FF44310F1481A9F9049B246DB749A10CBA4

Function 00756205 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0075621D
GetDC.USER32(00000000), ref: 00756225
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00756230
ReleaseDC.USER32(00000000,00000000), ref: 0075623C
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00756278
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00756289
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0075905C,?,?,000000FF,00000000,?,000000FF,?), ref: 007562C3
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007562E3

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b337587fcd459ab9b32602ab45aacdf1de04863c3f0eb26da6179d139f43cddc
Instruction ID: 519e0b54f6177cea92b283b638e4e702f14051d40e8cb72ded48fcef27f7fad4
Opcode Fuzzy Hash: b337587fcd459ab9b32602ab45aacdf1de04863c3f0eb26da6179d139f43cddc
Instruction Fuzzy Hash: 20314D76201214BFEB118F54DC4AFEB3BA9FF09752F044065FE089A191D6B99C45CBA4

Function 0073EBAF Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 006D9997: __itow.LIBCMT ref: 006D99C2
Part of subcall function 006D9997: __swprintf.LIBCMT ref: 006D9A0C

Part of subcall function 006EFE06: _wcscpy.LIBCMT ref: 006EFE29

_wcstok.LIBCMT ref: 0073ED20
_wcscpy.LIBCMT ref: 0073EDAF
_memset.LIBCMT ref: 0073EDE2

Strings

X, xrefs: 0073EE1F

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: f1e17be025f6770c90f99d495fd9ee5f24875e2ec7077f6a43c4dc25cba5b105
Instruction ID: 2bc4e2f58b23578ee1a81ab4e5b31fa20860158bdb2e4de3c36414d4cdaeecb9
Opcode Fuzzy Hash: f1e17be025f6770c90f99d495fd9ee5f24875e2ec7077f6a43c4dc25cba5b105
Instruction Fuzzy Hash: 28C181319087019FD7A4EF24C885A5AB7E1FF84310F14492EF8998B3A2DB74ED05CB96

Function 00746C19 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00746D16
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00746D37
WSAGetLastError.WSOCK32(00000000), ref: 00746D4A
htons.WSOCK32(?,?,?,00000000,?), ref: 00746E00
inet_ntoa.WSOCK32(?), ref: 00746DBD

Part of subcall function 0072ABF4: _strlen.LIBCMT ref: 0072ABFE
Part of subcall function 0072ABF4: _memmove.LIBCMT ref: 0072AC20

_strlen.LIBCMT ref: 00746E5A
_memmove.LIBCMT ref: 00746EC3

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 8639ded40eaaa555f77a69ee414f3e684a3f2c6e52ead39a06d838f854845dbb
Instruction ID: b4b71aa58ebd897f712c7b26b622a2614b6a45ca79f5a0bdb61bb866084f4a4b
Opcode Fuzzy Hash: 8639ded40eaaa555f77a69ee414f3e684a3f2c6e52ead39a06d838f854845dbb
Instruction Fuzzy Hash: 9F81FF71A04310ABD710EF24CC86E6BB3EAEF85714F04491EF5559B2A2DB74ED00CBA6

Function 006D1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff07ba5e249f53c6284d9f79b40ebcfcb4efa08a87c0cc8d0b41f983d935221
Instruction ID: daafc1632368d78dd5478807050387b5030a176a26f5609f7f2e123dac992ed9
Opcode Fuzzy Hash: 6ff07ba5e249f53c6284d9f79b40ebcfcb4efa08a87c0cc8d0b41f983d935221
Instruction Fuzzy Hash: 56714B70900109FFCB049F98C844AAEBBBAFF86314F14815AF915AB391C774AA51CBA4

Function 0075B385 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(010161E8), ref: 0075B41F
IsWindowEnabled.USER32(010161E8), ref: 0075B42B
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0075B50F
SendMessageW.USER32(010161E8,000000B0,?,?), ref: 0075B546
IsDlgButtonChecked.USER32(?,?), ref: 0075B583
GetWindowLongW.USER32(010161E8,000000EC), ref: 0075B5A5
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0075B5BD

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3c049b5e6a96fcf284c94a39929087cba7f55e17ffcf3b0e37120f1bfe1ba2b7
Instruction ID: 28f3d67e3e18223039a9658847c9cccbb09c3c3d500ef3e7733e057f6f5952e5
Opcode Fuzzy Hash: 3c049b5e6a96fcf284c94a39929087cba7f55e17ffcf3b0e37120f1bfe1ba2b7
Instruction Fuzzy Hash: DD71CE34600244EFDB319FA4C894FFA7BB5EF09302F148069ED45973A2C7B9A959CB10

Function 0074F532 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0074F55C
_memset.LIBCMT ref: 0074F625
ShellExecuteExW.SHELL32(?), ref: 0074F66A

Part of subcall function 006D9997: __itow.LIBCMT ref: 006D99C2
Part of subcall function 006D9997: __swprintf.LIBCMT ref: 006D9A0C

Part of subcall function 006EFE06: _wcscpy.LIBCMT ref: 006EFE29

GetProcessId.KERNEL32(00000000), ref: 0074F6E1
CloseHandle.KERNEL32(00000000), ref: 0074F710

Strings

@, xrefs: 0074F639

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 3294cdb55d13985d56452ad5ae93181d5984bef140b803152c7a551f3518cad3
Instruction ID: bcb56878c9725d115cffd762010e48ccc378dfb1a6613fa68de8579400f2b8d4
Opcode Fuzzy Hash: 3294cdb55d13985d56452ad5ae93181d5984bef140b803152c7a551f3518cad3
Instruction Fuzzy Hash: C5619F75A00619DFCB14EF64C9819AEBBF6FF48310F15846EE846AB361DB34AD40CB94

Function 0073127E Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 007312BD
GetKeyboardState.USER32(?), ref: 007312D2
SetKeyboardState.USER32(?), ref: 00731333
PostMessageW.USER32(?,00000101,00000010,?), ref: 00731361
PostMessageW.USER32(?,00000101,00000011,?), ref: 00731380
PostMessageW.USER32(?,00000101,00000012,?), ref: 007313C6
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007313E9

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5f658c9fae5d2526d087ce7678abe0f19771af6554d2144a1f32113d81131448
Instruction ID: b0d2e37c08c35d0939263da8da8bfb5c8b76e4e26cce9cb3769a59028ddeb831
Opcode Fuzzy Hash: 5f658c9fae5d2526d087ce7678abe0f19771af6554d2144a1f32113d81131448
Instruction Fuzzy Hash: 3151C1A0A087D57DFB364634CC49BBABFA96F06304F888589E0D5868C3C6DCAC94D761

Function 00731097 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 007310D6
GetKeyboardState.USER32(?), ref: 007310EB
SetKeyboardState.USER32(?), ref: 0073114C
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00731178
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00731195
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007311D9
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007311FA

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 237f9159a163be2109b2ae1445eb9ae0ceb6ffde765e698eca85484a8bcdb67f
Instruction ID: 23a856b463ff9647268ea65a7f79bfa55afc7c0da5962e4d998297ad55f835c3
Opcode Fuzzy Hash: 237f9159a163be2109b2ae1445eb9ae0ceb6ffde765e698eca85484a8bcdb67f
Instruction Fuzzy Hash: 975128A06047DA7DFB3687348C45BBBBFA96B06300F488589E1D54A8C3D29CEC98D750

Function 007356A4 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 007356B1
_wcsncpy.LIBCMT ref: 007356E6
_wcsncpy.LIBCMT ref: 00735718
_wcsncpy.LIBCMT ref: 0073574B
_wcsncpy.LIBCMT ref: 0073578D
_wcsncpy.LIBCMT ref: 007357C7
_wcsncpy.LIBCMT ref: 007357F6

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 1fc717207970661d5b8f4fe0a30344b23f6bf3ca597887193576dc4a782cc81b
Instruction ID: ae7379433bfdefa2670c268bb98e3baa52fa343248f0121732ad1322e09e27c5
Opcode Fuzzy Hash: 1fc717207970661d5b8f4fe0a30344b23f6bf3ca597887193576dc4a782cc81b
Instruction Fuzzy Hash: F441C5A6C2051875DB51EBB49C469EF77B99F05310F10846AF608E3222FB389704C7ED

Function 0072D87B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0072D8E3
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0072D919
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0072D92A
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0072D9AC

Strings

DllGetClassObject, xrefs: 0072D91F
,,v, xrefs: 0072D887

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,v$DllGetClassObject
API String ID: 753597075-302409378
Opcode ID: 61b07b70243744ae171da50278a7828ce1726a64bd7e8acb6675911bffae71e7
Instruction ID: ac17d21cf3bc8882c84d652ffe6878f3bb84d0edc7e1c14df93b97a48921adb9
Opcode Fuzzy Hash: 61b07b70243744ae171da50278a7828ce1726a64bd7e8acb6675911bffae71e7
Instruction Fuzzy Hash: D4419DB1600614EFDB24DF54D884A9ABBB9EF45314F1580A9FC459F246D7B8EE80CBA0

Function 007336B5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007346AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007336DB,?), ref: 007346CC

Part of subcall function 007346AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007336DB,?), ref: 007346E5

lstrcmpiW.KERNEL32(?,?), ref: 007336FB
_wcscmp.LIBCMT ref: 00733717
MoveFileW.KERNEL32(?,?), ref: 0073372F
_wcscat.LIBCMT ref: 00733777
SHFileOperationW.SHELL32(?), ref: 007337E3

Strings

\*.*, xrefs: 00733771

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 4db2b99cd7c2e7e8d324a6dd3aa51d786c8e735701dec4fa54216fed89cc4e7b
Instruction ID: 6f405e59e8ac76894eaf4de072f96aa922ff586ab289a6562cc9da791e331314
Opcode Fuzzy Hash: 4db2b99cd7c2e7e8d324a6dd3aa51d786c8e735701dec4fa54216fed89cc4e7b
Instruction Fuzzy Hash: 6F419FB25083459AD765EF64C485ADBB7E8EF89380F00092EF48AC3162EA38D748C756

Function 007572C3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007572DC
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00757383
IsMenu.USER32(?), ref: 0075739B
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007573E3
DrawMenuBar.USER32 ref: 007573F6

Strings

0, xrefs: 007572D0

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 00c57e8d809b15550652074a2d09adf620889f917a013facd84d2043fc7f4907
Instruction ID: 758b22ccd931af461ca6edec7b6ecd72fd71893086c772707c682ae8a2c92cc6
Opcode Fuzzy Hash: 00c57e8d809b15550652074a2d09adf620889f917a013facd84d2043fc7f4907
Instruction Fuzzy Hash: 4F415970A04249EFDB21DF50E884EEABBF8FB04326F048029ED159B260D7B4AD15DF90

Function 0075102D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0075105C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00751086
FreeLibrary.KERNEL32(00000000), ref: 0075113D

Part of subcall function 0075102D: RegCloseKey.ADVAPI32(?), ref: 007510A3
Part of subcall function 0075102D: FreeLibrary.KERNEL32(?), ref: 007510F5
Part of subcall function 0075102D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00751118

RegDeleteKeyW.ADVAPI32(?,?), ref: 007510E0

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 3d81ba7d2edd975d26e1d2aaf19ffdcd4127ce2b5fd0c2c02db5924017181614
Instruction ID: 436eef864f90abe70fc5101625da356d4a686a16ba4d36e18cc6a643c11475ee
Opcode Fuzzy Hash: 3d81ba7d2edd975d26e1d2aaf19ffdcd4127ce2b5fd0c2c02db5924017181614
Instruction Fuzzy Hash: 1D31527190110DBFDB14DB90DC89EFFB7BCEF08302F4041A9E915A2141EBB85E899BA4

Function 007562FF Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0075631E
GetWindowLongW.USER32(010161E8,000000F0), ref: 00756351
GetWindowLongW.USER32(010161E8,000000F0), ref: 00756386
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007563B8
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007563E2
GetWindowLongW.USER32(00000000,000000F0), ref: 007563F3
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0075640D

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a6998a2d04c22e542be6fdf1c0dccf7e0daf60c1410fc128420f03eea74d43a6
Instruction ID: 8aebe7b98de0fbc8220cd553cfdcf69c2cdc91cba59e9bdbd2fcf559f35f1520
Opcode Fuzzy Hash: a6998a2d04c22e542be6fdf1c0dccf7e0daf60c1410fc128420f03eea74d43a6
Instruction Fuzzy Hash: A6311430604250DFEB21CF18DC84F9537E1FB4A752F5981A4F9018F2B2CBBAA845DB55

Function 00746289 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00747EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00747ECB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007462DC
WSAGetLastError.WSOCK32(00000000), ref: 007462EB
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00746324
connect.WSOCK32(00000000,?,00000010), ref: 0074632D
WSAGetLastError.WSOCK32 ref: 00746337
closesocket.WSOCK32(00000000), ref: 00746360
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00746379

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: cafa0c26c62e748928ca0fb22a53605161fe5ec9055b2617b560ca25abf4ef75
Instruction ID: d175df9fa6619019e3c763dd1262132b5d2cde259cf1d9489ba23ead8e07e099
Opcode Fuzzy Hash: cafa0c26c62e748928ca0fb22a53605161fe5ec9055b2617b560ca25abf4ef75
Instruction Fuzzy Hash: 5631B631600218AFDB10AF64CC85BBE7BADEF45725F048069FD0597291DBB8AD04CBA6

Function 0072F98F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0072F9A2
__wcsnicmp.LIBCMT ref: 0072F9C3
__wcsnicmp.LIBCMT ref: 0072F9DD

Strings

#requireadmin, xrefs: 0072F9BD
#OnAutoItStartRegister, xrefs: 0072F9D7
#notrayicon, xrefs: 0072F99A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 57ed5f018b82f19fe6300bb0b5a1b044707b5439bd3ffe2a24e2d9bfb2200f7b
Instruction ID: 8ebb6e6235c49b8199c1231887f262eee5ad537c844c995a863e6d0e83805ef3
Opcode Fuzzy Hash: 57ed5f018b82f19fe6300bb0b5a1b044707b5439bd3ffe2a24e2d9bfb2200f7b
Instruction Fuzzy Hash: 51214C3210863576D270FA25EC02FB773B9AF52310F50803AF9C686182FBA86D82C395

Function 007575FF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 006D1D73
Part of subcall function 006D1D35: GetStockObject.GDI32(00000011), ref: 006D1D87
Part of subcall function 006D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 006D1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00757664
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00757671
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0075767C
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0075768B
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00757697

Strings

Msctls_Progress32, xrefs: 00757635

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ee4737f5304d63cd86c56c31327db2b5630f5edbf5652748f87a6163433d5382
Instruction ID: b27098254fbc96585e9227d7cd3c1c400e7cf0dba28ae0db375a3668770123fe
Opcode Fuzzy Hash: ee4737f5304d63cd86c56c31327db2b5630f5edbf5652748f87a6163433d5382
Instruction Fuzzy Hash: F011B2B2150219BFEF159F64DC85EEB7F6DEF08758F014115FA04A6090CBB6AC21DBA4

Function 0075B669 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0075B678
_memset.LIBCMT ref: 0075B687
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00796F20,00796F64), ref: 0075B6B6
CloseHandle.KERNEL32 ref: 0075B6C8

Strings

doy, xrefs: 0075B681
oy, xrefs: 0075B672

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: oy$doy
API String ID: 3277943733-4102241462
Opcode ID: a82e4861e0eb589fccc3652a9c539d1e2aaea791d13e5e0cefa5cabab5176bb9
Instruction ID: 4d6c48d81900394308f82e500b66a845264c631c9f47ec96c7d777367b896a8e
Opcode Fuzzy Hash: a82e4861e0eb589fccc3652a9c539d1e2aaea791d13e5e0cefa5cabab5176bb9
Instruction Fuzzy Hash: 7EF082B2640308BAF6102761BC46FBB3E5EEB09395F008135FB08D51A2D7B95C018BAC

Function 006F4109 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,006F41D2,?), ref: 006F4123
GetProcAddress.KERNEL32(00000000), ref: 006F412A
EncodePointer.KERNEL32(00000000), ref: 006F4136
DecodePointer.KERNEL32(00000001,006F41D2,?), ref: 006F4153

Strings

RoInitialize, xrefs: 006F4112
combase.dll, xrefs: 006F411E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 91af0afa5b93489e43ff0e11928b5276b26ba12cd18e29863c1e33150eca9f45
Instruction ID: 5698fae0c6392663ae01ddd49f9cb3fc704976730ed24ca7e2d1bde4da160268
Opcode Fuzzy Hash: 91af0afa5b93489e43ff0e11928b5276b26ba12cd18e29863c1e33150eca9f45
Instruction Fuzzy Hash: B2E01AB47D0B48AEEB106B70EC09BA53AA5B716B47F10C425F922D61F0CBFD45828F08

Function 006F41DE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006F40F8), ref: 006F41F8
GetProcAddress.KERNEL32(00000000), ref: 006F41FF
EncodePointer.KERNEL32(00000000), ref: 006F420A
DecodePointer.KERNEL32(006F40F8), ref: 006F4225

Strings

combase.dll, xrefs: 006F41F3
RoUninitialize, xrefs: 006F41E7

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 28458a5489e656716dfab9f32a9f893729f919b6219116c2f89eb6e6a3438922
Instruction ID: fbc7ed8584cd401afc42abed6dbe4ff57854bc3e45fa6945747861d1ba82324f
Opcode Fuzzy Hash: 28458a5489e656716dfab9f32a9f893729f919b6219116c2f89eb6e6a3438922
Instruction Fuzzy Hash: 80E0BFB06D1B08ABEB609B61EC0DB9536A5B704743F10C125F515D11B0CFBF4701CA1C

Function 00736561 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007366B4
_memmove.LIBCMT ref: 007365EF

Part of subcall function 006D9997: __itow.LIBCMT ref: 006D99C2
Part of subcall function 006D9997: __swprintf.LIBCMT ref: 006D9A0C

_memmove.LIBCMT ref: 00736662
_memmove.LIBCMT ref: 00736749
_memmove.LIBCMT ref: 00736762
_memmove.LIBCMT ref: 0073677E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: d027cfa0694f563443b84c93fe108b1ac6900860a03bab4d85fe296abdf48ce7
Instruction ID: 96ca294e816fee4df912548e9edf158a7c39d4a6de15ebcda670e0c1f6d76749
Opcode Fuzzy Hash: d027cfa0694f563443b84c93fe108b1ac6900860a03bab4d85fe296abdf48ce7
Instruction Fuzzy Hash: 9D61CF3090065AABEF11EF20CC82EFE37A6AF04308F44851EF9555B293DB38AD11CB65

Function 0075026F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7F41: _memmove.LIBCMT ref: 006D7F82

Part of subcall function 00750EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074FE38,?,?), ref: 00750EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00750348
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00750388
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007503AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007503D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00750417
RegCloseKey.ADVAPI32(00000000), ref: 00750424

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 5a6ebd81a6c6ff80e3b9d9b1129e9e8a072e7118a77e6d50b7ee1d6621a62054
Instruction ID: 457bd561c9055dd48ea3f17ccef1ad958a97b1ba01683f98ddca6570bef1b9b4
Opcode Fuzzy Hash: 5a6ebd81a6c6ff80e3b9d9b1129e9e8a072e7118a77e6d50b7ee1d6621a62054
Instruction Fuzzy Hash: 55515A31508340AFD714EF64C885EAABBE9FF85315F04491DF985872A1DB75E908CB92

Function 00755802 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00755864
GetMenuItemCount.USER32(00000000), ref: 0075589B
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007558C3
GetMenuItemID.USER32(?,?), ref: 00755932
GetSubMenu.USER32(?,?), ref: 00755940
PostMessageW.USER32(?,00000111,?,00000000), ref: 00755991

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 243801017a0d4253612a7f7809fc071a2d9bcfcc054b3a1bd2e105a4d054a679
Instruction ID: dd0bebb69dddbf878e3c7f6b4bd553495ba9e560a51da4294c9ac94b1bad89f0
Opcode Fuzzy Hash: 243801017a0d4253612a7f7809fc071a2d9bcfcc054b3a1bd2e105a4d054a679
Instruction Fuzzy Hash: 37518C31E00615EFCB10EFA4C855AEEB7B5EF48321F144059ED06AB351CBB8AE418B94

Function 0072F1FE Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0072F218
VariantClear.OLEAUT32(00000013), ref: 0072F28A
VariantClear.OLEAUT32(00000000), ref: 0072F2E5
_memmove.LIBCMT ref: 0072F30F
VariantClear.OLEAUT32(?), ref: 0072F35C
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0072F38A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: dc7da06e1439500567c32543e4dced1378ed25038e9bd1ed64a02e9eaf2d787b
Instruction ID: 1f3907615d091869f0965ef9102286b21313f5266a5d12ea3bcfdb3c5de5bf88
Opcode Fuzzy Hash: dc7da06e1439500567c32543e4dced1378ed25038e9bd1ed64a02e9eaf2d787b
Instruction Fuzzy Hash: 435149B5A00219EFCB14DF58D884AAAB7B8FF4C314B158569ED59DB301E334EA11CFA0

Function 00732502 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00732550
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0073259B
IsMenu.USER32(00000000), ref: 007325BB
CreatePopupMenu.USER32 ref: 007325EF
GetMenuItemCount.USER32(000000FF), ref: 0073264D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 0073267E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 4616de7de83bd1f5d006c93edfd3fcf319fce671b3b1ed2919e122423ddf46fc
Instruction ID: 8b68bd480ddf468798e569f354f5a895b089a0cce8a58ca79397b9c93502c875
Opcode Fuzzy Hash: 4616de7de83bd1f5d006c93edfd3fcf319fce671b3b1ed2919e122423ddf46fc
Instruction Fuzzy Hash: FF51B170600309DFEF21DF68D889AADBBF4BF44314F148159E81197293E7789906CB51

Function 006D1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 006D179A
GetWindowRect.USER32(?,?), ref: 006D17FE
ScreenToClient.USER32(?,?), ref: 006D181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006D182C
EndPaint.USER32(?,?), ref: 006D1876

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 58284099d323b36079e9a94b197512254c4b112ef659cfb4c20891c677f60d81
Instruction ID: c8cd41c8bff350c6224436579395eb1d3c625c1180a053591c8dd426db3574b2
Opcode Fuzzy Hash: 58284099d323b36079e9a94b197512254c4b112ef659cfb4c20891c677f60d81
Instruction Fuzzy Hash: FF41D230500700EFDB11DF25CC84FBA7BE9EB46324F04422AFA948B2B1C7B49946DB65

Function 0075B6D2 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(007957B0,00000000,010161E8,?,?,007957B0,?,0075B5DC,?,?), ref: 0075B746
EnableWindow.USER32(00000000,00000000), ref: 0075B76A
ShowWindow.USER32(007957B0,00000000,010161E8,?,?,007957B0,?,0075B5DC,?,?), ref: 0075B7CA
ShowWindow.USER32(00000000,00000004,?,0075B5DC,?,?), ref: 0075B7DC
EnableWindow.USER32(00000000,00000001), ref: 0075B800
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0075B823

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 52a740be4e1992caba246c70d4c71555f08b288b5532518a3a74ca0f3be276c6
Instruction ID: deac67f67a3cdf3b3f941d3c8e32bce08e76128f9e376026f4475ab678977eaa
Opcode Fuzzy Hash: 52a740be4e1992caba246c70d4c71555f08b288b5532518a3a74ca0f3be276c6
Instruction Fuzzy Hash: D1412434600144EFDB25CF24C489BE47BE5FB49316F1885BAFD498F2A2C7B5A849CB91

Function 007471B3 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00744F57,?,?,00000000,00000001), ref: 007471C1

Part of subcall function 00743AB6: GetWindowRect.USER32(?,?), ref: 00743AC9

GetDesktopWindow.USER32 ref: 007471EB
GetWindowRect.USER32(00000000), ref: 007471F2
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00747224

Part of subcall function 007352EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00735363

GetCursorPos.USER32(?), ref: 00747250
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007472AE

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 7c4bd2eaf1c492642f82abc5f75b851228d6a4d70890529b6e78581c52b1f2e1
Instruction ID: b634576cfe6817835e448fdf414fef4bcc1761548f495811752c69796c594df4
Opcode Fuzzy Hash: 7c4bd2eaf1c492642f82abc5f75b851228d6a4d70890529b6e78581c52b1f2e1
Instruction Fuzzy Hash: 6B31E172509305AFD724DF14C849B9BB7E9FF88314F004929F589A7191DBB8EA08CB96

Function 00728B3B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007283D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007283E8
Part of subcall function 007283D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007283F2
Part of subcall function 007283D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00728401
Part of subcall function 007283D1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00728408
Part of subcall function 007283D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0072841E

GetLengthSid.ADVAPI32(?,00000000,00728757), ref: 00728B8C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00728B98
HeapAlloc.KERNEL32(00000000), ref: 00728B9F
CopySid.ADVAPI32(00000000,00000000,?), ref: 00728BB8
GetProcessHeap.KERNEL32(00000000,00000000,00728757), ref: 00728BCC
HeapFree.KERNEL32(00000000), ref: 00728BD3

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 755805d980ee5ece8bc9da947333ae3b7822e6f9008587dde7f2afe05b86ed4d
Instruction ID: f8dd8facc3d2d379104729de3ea46510011f7117bcef1535257d3fc2dc7eae57
Opcode Fuzzy Hash: 755805d980ee5ece8bc9da947333ae3b7822e6f9008587dde7f2afe05b86ed4d
Instruction Fuzzy Hash: AB11AFB1502618FFDB909F64EC09BAF77A8EB45316F14802CE84597150DB7A9D00CB61

Function 007288D9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0072890A
OpenProcessToken.ADVAPI32(00000000), ref: 00728911
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00728920
CloseHandle.KERNEL32(00000004), ref: 0072892B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0072895A
DestroyEnvironmentBlock.USERENV(00000000), ref: 0072896E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: ceb7598bc4a7a7efc21423823e94b424e4cc910087e8cb3017a635768752e7b4
Instruction ID: 146e4190e53744d352d5d8302a29f3ec204bb4e71891b54f622cc33a42edf612
Opcode Fuzzy Hash: ceb7598bc4a7a7efc21423823e94b424e4cc910087e8cb3017a635768752e7b4
Instruction Fuzzy Hash: F1115C7250121DABDF018FA4ED49BEE7BA9FF09309F048064FE04A2160C77A9D609B62

Function 0072BA52 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0072BA77
GetDeviceCaps.GDI32(00000000,00000058), ref: 0072BA88
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0072BA8F
ReleaseDC.USER32(00000000,00000000), ref: 0072BA97
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0072BAAE
MulDiv.KERNEL32(000009EC,?,?), ref: 0072BAC0

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b33dabc50623e48d0df76cd4c549a8a55b3e377b0e5cb84e1ec66484845ff130
Instruction ID: fbc98bab0f0e1fdaf70820f770787fe151030f25e72d5db82bd60da54e0d621a
Opcode Fuzzy Hash: b33dabc50623e48d0df76cd4c549a8a55b3e377b0e5cb84e1ec66484845ff130
Instruction Fuzzy Hash: DA01A775E00318BBEF109BA59D49A5EBFB8EB48311F008076FA08E7291D6759D00CF91

Function 006F02E2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006F0313
MapVirtualKeyW.USER32(00000010,00000000), ref: 006F031B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006F0326
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006F0331
MapVirtualKeyW.USER32(00000011,00000000), ref: 006F0339
MapVirtualKeyW.USER32(00000012,00000000), ref: 006F0341

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 4844013ab18127f6e25a90a5eb9af2ea5e36fd2e407e6cbdaa96d36aa2d53ad8
Instruction ID: 3b1d2d278ab6ea47de52b57e541a50a57173a653e47cab5954237c452027736b
Opcode Fuzzy Hash: 4844013ab18127f6e25a90a5eb9af2ea5e36fd2e407e6cbdaa96d36aa2d53ad8
Instruction Fuzzy Hash: E10148B0901759BDE3009F5A8C85A52FEA8FF19354F00411BE15847941C7F5A864CBE5

Function 00735490 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007354A0
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007354B6
GetWindowThreadProcessId.USER32(?,?), ref: 007354C5
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007354D4
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007354DE
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007354E5

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e7327fdd9f8d66b0fbb88b4b9d0fa7674b41b25b01c4fa4295c842ef71e5dbee
Instruction ID: 1d891b3596f6289bcefefb44b04968a365e6a5a4b71d2e5b2de9b088e2c356e5
Opcode Fuzzy Hash: e7327fdd9f8d66b0fbb88b4b9d0fa7674b41b25b01c4fa4295c842ef71e5dbee
Instruction Fuzzy Hash: ABF03631141658BBE7215B52DC0DEEF7F7CEFC6B12F004169FA04D1051D7E91A0186B9

Function 007372D9 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 007372EC
EnterCriticalSection.KERNEL32(?,?,006E1044,?,?), ref: 007372FD
TerminateThread.KERNEL32(00000000,000001F6,?,006E1044,?,?), ref: 0073730A
WaitForSingleObject.KERNEL32(00000000,000003E8,?,006E1044,?,?), ref: 00737317

Part of subcall function 00736CDE: CloseHandle.KERNEL32(00000000,?,00737324,?,006E1044,?,?), ref: 00736CE8

InterlockedExchange.KERNEL32(?,000001F6), ref: 0073732A
LeaveCriticalSection.KERNEL32(?,?,006E1044,?,?), ref: 00737331

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: dd4317222513a3881e0977b5018d0ca68db3a9fa19b4d87f40226662c3ca4c30
Instruction ID: bfbdc8c4fb1acbe95364621f9a9c85ec80cf38844d8b69d0a34461f9e19c2efa
Opcode Fuzzy Hash: dd4317222513a3881e0977b5018d0ca68db3a9fa19b4d87f40226662c3ca4c30
Instruction Fuzzy Hash: 9FF05EB6141712EBEB212B64ED8C9DF772AFF49303F004531F602914A1CBBA6811DBA4

Function 00728C54 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00728C5F
UnloadUserProfile.USERENV(?,?), ref: 00728C6B
CloseHandle.KERNEL32(?), ref: 00728C74
CloseHandle.KERNEL32(?), ref: 00728C7C
GetProcessHeap.KERNEL32(00000000,?), ref: 00728C85
HeapFree.KERNEL32(00000000), ref: 00728C8C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 359d1c720d15f8255a1049b56ac5f4cb8b2de56ac951d9cb900bf1c6a4f4120e
Instruction ID: af45ecbb35d373e35d8aec2a6544b6894e57de15d6334603ff8041e4904dff77
Opcode Fuzzy Hash: 359d1c720d15f8255a1049b56ac5f4cb8b2de56ac951d9cb900bf1c6a4f4120e
Instruction Fuzzy Hash: 01E0C236004605FBDA012FE1EC0C98ABF69FB89323B508630F21981470CBBAA820DB58

Function 00727858 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00762C7C,?), ref: 00727A12
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00762C7C,?), ref: 00727A2A
CLSIDFromProgID.OLE32(?,?,00000000,0075FB80,000000FF,?,00000000,00000800,00000000,?,00762C7C,?), ref: 00727A4F
_memcmp.LIBCMT ref: 00727A70

Strings

,,v, xrefs: 00727865

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,v
API String ID: 314563124-1312938289
Opcode ID: bdaae5115723d6ecde59e3fa8b9b7ce70702097e4a3290996a924983e0e2e2e7
Instruction ID: 4aa00bb11a57b24de5f0c3c4c64ae0e132d203571663d94d7fe715fdbf36efc5
Opcode Fuzzy Hash: bdaae5115723d6ecde59e3fa8b9b7ce70702097e4a3290996a924983e0e2e2e7
Instruction Fuzzy Hash: 7C813D71A00219EFCB04DF94C984EEEB7B9FF89315F208199E506AB250DB75AE45CB60

Function 00748702 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00748728
CharUpperBuffW.USER32(?,?), ref: 00748837
VariantClear.OLEAUT32(?), ref: 007489AF

Part of subcall function 0073760B: VariantInit.OLEAUT32(00000000), ref: 0073764B
Part of subcall function 0073760B: VariantCopy.OLEAUT32(00000000,?), ref: 00737654
Part of subcall function 0073760B: VariantClear.OLEAUT32(00000000), ref: 00737660

Strings

Incorrect Parameter format, xrefs: 00748760, 00748922
AUTOIT.ERROR, xrefs: 0074883D

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 2b949b69e02a6031b00ab96dad00c07b2608fe0cf12e626af3a457b3f40a044d
Instruction ID: 3e0e636ec01e849726c0426db7f1b188e404f66b63a79c246f5d9d287e695f10
Opcode Fuzzy Hash: 2b949b69e02a6031b00ab96dad00c07b2608fe0cf12e626af3a457b3f40a044d
Instruction Fuzzy Hash: 58919B74608705DFC750EF28C48496EBBE5EF89314F14896EF89A8B362DB34E905CB52

Function 00732D8E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006EFE06: _wcscpy.LIBCMT ref: 006EFE29

_memset.LIBCMT ref: 00732E7F
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00732EAE
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00732F61
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00732F8F

Strings

0, xrefs: 00732E6B

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: c9334bcd10bdceba79748cd487322a89435894fe23bb08da4c3b4f6759b8248d
Instruction ID: 8579a685f5524e690ecc33de0e2b55ffa643c92261d7c86550d49c79acab9fa5
Opcode Fuzzy Hash: c9334bcd10bdceba79748cd487322a89435894fe23bb08da4c3b4f6759b8248d
Instruction Fuzzy Hash: D351E1716083029EE725AF28D845A6BB7F4AF45310F144A2EF880D31A3DB78CD028796

Function 00732A4B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00732AB8
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00732AD4
DeleteMenu.USER32(?,00000007,00000000), ref: 00732B1A
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00795890,00000000), ref: 00732B63

Strings

0, xrefs: 00732AAD

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 548ec845a240d143106c995bf99c54fe2b4503d7d67f273b7aeeedfbc8b43120
Instruction ID: f314cae192fc4b2912fc7162ab552bcaee4c9f87b2087896c40b622498426efb
Opcode Fuzzy Hash: 548ec845a240d143106c995bf99c54fe2b4503d7d67f273b7aeeedfbc8b43120
Instruction Fuzzy Hash: 3941B6B0204342DFE720DF24C885B6AF7E9AF85320F10455EF96597293E774E906CB56

Function 0074D8B9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0074D8D9

Part of subcall function 006D79AB: _memmove.LIBCMT ref: 006D79F9

Strings

none, xrefs: 0074D9B4
winapi, xrefs: 0074D94A
stdcall, xrefs: 0074D95B
cdecl, xrefs: 0074D930

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 09f350ff662e297739760078cf651686aab11c870786a85a6b7690517961967b
Instruction ID: b763268bb1c8ee25d6a2f02a4cad0e3227ad59182c86416e5736bc99ab09b339
Opcode Fuzzy Hash: 09f350ff662e297739760078cf651686aab11c870786a85a6b7690517961967b
Instruction Fuzzy Hash: 37319E70904619ABCF20EF54C8909FEB3B5FF05710B148A2EE8A6977D1DB75AD05CB80

Function 00729152 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7F41: _memmove.LIBCMT ref: 006D7F82

Part of subcall function 0072AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0072AEC7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007291D6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007291E9
SendMessageW.USER32(?,00000189,?,00000000), ref: 00729219

Part of subcall function 006D7D2C: _memmove.LIBCMT ref: 006D7D66

Strings

ComboBox, xrefs: 00729160
ListBox, xrefs: 00729195

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 48cdca6b4923236288cce0d78a2365872d599787e04a233dd4472f592e42c3ef
Instruction ID: a1e068b5b00b8b4a8ee9a26011963ed720ff13094e34c58ea16abd5b12ae6833
Opcode Fuzzy Hash: 48cdca6b4923236288cce0d78a2365872d599787e04a233dd4472f592e42c3ef
Instruction Fuzzy Hash: DC21E471900218BBDB14AB64EC8ACFFB7A9EF45360F14412EF925972E1DB3D4D0A9614

Function 00741943 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00741962
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00741988
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007419B8
InternetCloseHandle.WININET(00000000), ref: 007419FF

Part of subcall function 00742599: GetLastError.KERNEL32(?,?,0074192D,00000000,00000000,00000001), ref: 007425AE
Part of subcall function 00742599: SetEvent.KERNEL32(?,?,0074192D,00000000,00000000,00000001), ref: 007425C3

Strings

, xrefs: 007419A9

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 78992634cc73ebe1e3c274a7a0af266cd7956655570ff428eff7b68b8440fc21
Instruction ID: 7c18dd00ffe9f3ac18c4d1aa143b32964507f4e715a468eca620b3d0d3fa7a60
Opcode Fuzzy Hash: 78992634cc73ebe1e3c274a7a0af266cd7956655570ff428eff7b68b8440fc21
Instruction Fuzzy Hash: DF21D1B2600308BFEB11AF60DC95EBF77ACEB48745F50811AF40593240EB78AE4597A5

Function 00756419 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 006D1D73
Part of subcall function 006D1D35: GetStockObject.GDI32(00000011), ref: 006D1D87
Part of subcall function 006D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 006D1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00756493
LoadLibraryW.KERNEL32(?), ref: 0075649A
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007564AF
DestroyWindow.USER32(?), ref: 007564B7

Strings

SysAnimate32, xrefs: 0075646E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 148986610e32ab8c0233e380810d6a8e3df01f3db48e0f11f54855d6776c351f
Instruction ID: cdd8198376b714811a424bdcdde6e2ab51c7a5d031e63e93679a9562812b63cc
Opcode Fuzzy Hash: 148986610e32ab8c0233e380810d6a8e3df01f3db48e0f11f54855d6776c351f
Instruction Fuzzy Hash: BC21CF71600245ABEF104EA4DC80EFB37A9EF58366F908619FE10931A0C7B9CD859760

Function 00736E45 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00736E65
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00736E98
GetStdHandle.KERNEL32(0000000C), ref: 00736EAA
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00736EE4

Strings

nul, xrefs: 00736EDF

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 411fc192f4464d7ade9407eaa6fda8c0f94e774ae8482b8536e9f069d8bc7487
Instruction ID: bd5d772a5cfbcff2e4f22faab164f298b00a13cb8ee4744bf14dc6e16e347796
Opcode Fuzzy Hash: 411fc192f4464d7ade9407eaa6fda8c0f94e774ae8482b8536e9f069d8bc7487
Instruction Fuzzy Hash: E52160B9640305BBEF209F29DC09A9A7BB4BF45720F20C629FCA0D72D1DB7498548B50

Function 00736F13 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00736F32
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00736F64
GetStdHandle.KERNEL32(000000F6), ref: 00736F75
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00736FAF

Strings

nul, xrefs: 00736FAA

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: be719ba1505b1fd39933ec9096e3e4505862c0dc03382ba4b12b544312449059
Instruction ID: 2ff1f458da624301c02a16ce4a38c633b08ac8bd20dac44ae3a07d6b4d01859c
Opcode Fuzzy Hash: be719ba1505b1fd39933ec9096e3e4505862c0dc03382ba4b12b544312449059
Instruction Fuzzy Hash: 5321C571600316BBEB209F68AC04E9977F8BF45730F208A59FCA0E72D1DB749850CB65

Function 0073ACCA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0073ACDE
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0073AD32
__swprintf.LIBCMT ref: 0073AD4B
SetErrorMode.KERNEL32(00000000,00000001,00000000,0075F910), ref: 0073AD89

Strings

%lu, xrefs: 0073AD45

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: b7ed1944bbd9425c23cdf39841667c7c0d76ba4dfb47bbfa48734a3c1538f0db
Instruction ID: 33546647474b9d7f11749cb5747d583aa10024adfb6e59dc000e405c310d7063
Opcode Fuzzy Hash: b7ed1944bbd9425c23cdf39841667c7c0d76ba4dfb47bbfa48734a3c1538f0db
Instruction Fuzzy Hash: 6A217174A00209EFCB10EF64C985EEE7BB8EF49705B008069F505EB352DB75EA01CB61

Function 0072A30F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7D2C: _memmove.LIBCMT ref: 006D7D66

Part of subcall function 0072A15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0072A179
Part of subcall function 0072A15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0072A18C
Part of subcall function 0072A15C: GetCurrentThreadId.KERNEL32 ref: 0072A193
Part of subcall function 0072A15C: AttachThreadInput.USER32(00000000), ref: 0072A19A

GetFocus.USER32 ref: 0072A334

Part of subcall function 0072A1A5: GetParent.USER32(?), ref: 0072A1B3

GetClassNameW.USER32(?,?,00000100), ref: 0072A37D
EnumChildWindows.USER32(?,0072A3F5), ref: 0072A3A5
__swprintf.LIBCMT ref: 0072A3BF

Strings

%s%d, xrefs: 0072A3B9

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 593c1b09ede089a0920e7e84766912f28c12a68834c31094ff5193b96129fee8
Instruction ID: 37eafcf521da7c4f3ee629a793cdd26ffa129810934a891f38c33567574f43b8
Opcode Fuzzy Hash: 593c1b09ede089a0920e7e84766912f28c12a68834c31094ff5193b96129fee8
Instruction Fuzzy Hash: C011A271600219BBDF11BF64EC89FEA3779EF44711F00407AF908AA142DA7859558B76

Function 0074EC69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0074ED1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0074ED4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0074EE7E
CloseHandle.KERNEL32(?), ref: 0074EEFF

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: c584a18107afc849af3993a02a239da52db85268ff7e63cc81dada796dad51e0
Instruction ID: 10e3e0971de9685f16d5bd3a077a965c688385499a1c3c1fafec9474be62818f
Opcode Fuzzy Hash: c584a18107afc849af3993a02a239da52db85268ff7e63cc81dada796dad51e0
Instruction Fuzzy Hash: C1817371A003119FE760EF25C846F6AB7E6BF48720F14881EF995DB392DB74AC408B55

Function 006F558D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F55EB
_memcpy_s.LIBCMT ref: 006F565D
__read_nolock.LIBCMT ref: 006F56BB
__filbuf.LIBCMT ref: 006F56DE
_memset.LIBCMT ref: 006F5722

Part of subcall function 006F8CA8: __getptd_noexit.LIBCMT ref: 006F8CA8

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
Instruction ID: e2934eb40a44798a23bc962b2d1633436dc06d6b40a2bc12baa3147943b456d0
Opcode Fuzzy Hash: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
Instruction Fuzzy Hash: 85519F30A00A0DDBDB249F79C8856BE77A7AF41320F248729EB36962E0D7719D518B50

Function 007500C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7F41: _memmove.LIBCMT ref: 006D7F82

Part of subcall function 00750EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074FE38,?,?), ref: 00750EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00750188
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007501C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0075020E
RegCloseKey.ADVAPI32(?,?), ref: 0075023A
RegCloseKey.ADVAPI32(00000000), ref: 00750247

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: e1d303ff26b7e788a8cd6d3c2482c5c81ed7068891e154af646a50847c34e24b
Instruction ID: b55df5fb46e08e118defb233e342755b09cc3f793bd8df17318f408e5ca647ca
Opcode Fuzzy Hash: e1d303ff26b7e788a8cd6d3c2482c5c81ed7068891e154af646a50847c34e24b
Instruction Fuzzy Hash: 8A516B31608204AFD704EF64DC85EAEB7E9FF84705F04882EF99587291DB74E908CB96

Function 0074D9DC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006D9997: __itow.LIBCMT ref: 006D99C2
Part of subcall function 006D9997: __swprintf.LIBCMT ref: 006D9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0074DA3B
GetProcAddress.KERNEL32(00000000,?), ref: 0074DABE
GetProcAddress.KERNEL32(00000000,00000000), ref: 0074DADA
GetProcAddress.KERNEL32(00000000,?), ref: 0074DB1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0074DB35

Part of subcall function 006D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,0073793F,?,?,00000000), ref: 006D5B8C
Part of subcall function 006D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,0073793F,?,?,00000000,?,?), ref: 006D5BB0

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: ee36e3d7acbec9e35831f3478472a2710eb3d7006b0635128a8efbffec3f627d
Instruction ID: b8f167d9cdb58b66b42dc4c642e48081aebcc6fd0655648b160fb5107ba1ca1e
Opcode Fuzzy Hash: ee36e3d7acbec9e35831f3478472a2710eb3d7006b0635128a8efbffec3f627d
Instruction Fuzzy Hash: F3512775A00609EFCB10EFA8C4949ADB7F5FF48310B09C06AE85AAB311DB34AD45CB95

Function 0073E5FD Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0073E6AB
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0073E6D4
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0073E713

Part of subcall function 006D9997: __itow.LIBCMT ref: 006D99C2
Part of subcall function 006D9997: __swprintf.LIBCMT ref: 006D9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0073E738
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0073E740

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 05cc3798a92006311e4dc3d42cce383cff91927869cea3373c1dbae8a1c26b57
Instruction ID: a7a5c08905676c4dbd5eb5cebc86c853044479685fe60628a7aa60fc3c67cf82
Opcode Fuzzy Hash: 05cc3798a92006311e4dc3d42cce383cff91927869cea3373c1dbae8a1c26b57
Instruction Fuzzy Hash: 62512D75A00215EFDB41EF64C9819ADBBF5FF08314F148099E849AB362CB35ED11DB64

Function 0075A088 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb2029432feff98e7401cc5fece161677831457c9760bc16271b96de241659e
Instruction ID: c21487885b3c22264bf2eba494a461c444df8ae880def506f250d2b72c54b5a9
Opcode Fuzzy Hash: 2fb2029432feff98e7401cc5fece161677831457c9760bc16271b96de241659e
Instruction Fuzzy Hash: 3441D035900A18BBD710DF28DC44FE9BBB4EB09362F154275EC16A72E0D7B89E058B91

Function 006D2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006D2357
ScreenToClient.USER32(007957B0,?), ref: 006D2374
GetAsyncKeyState.USER32(00000001), ref: 006D2399
GetAsyncKeyState.USER32(00000002), ref: 006D23A7

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: daaceaad6346eead81752b355b49bf0acda80aa5c401835b9c707b193eabec7b
Instruction ID: 9fc702f7c33adf40f160034e40d033ecaaaf748f894e7fece563db029a39697f
Opcode Fuzzy Hash: daaceaad6346eead81752b355b49bf0acda80aa5c401835b9c707b193eabec7b
Instruction Fuzzy Hash: 6341917590811AFBCF169F68C844AEDBBB5FB05320F20436AF828922D1C7786D54DF91

Function 00726700 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0072673D
TranslateAcceleratorW.USER32(?,?,?), ref: 00726789
TranslateMessage.USER32(?), ref: 007267B2
DispatchMessageW.USER32(?), ref: 007267BC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007267CB

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: f6d4906df7815d268326d5ca492b56a5e29ce8aa54ef05aff2f35ab0095e35bc
Instruction ID: 6152618e5109a9fd2925e71bc617dd8e57c0b107f00b13fc745e47c42c69b264
Opcode Fuzzy Hash: f6d4906df7815d268326d5ca492b56a5e29ce8aa54ef05aff2f35ab0095e35bc
Instruction Fuzzy Hash: 5A31D070901666AFDB21CBB0BC84FB67BE8AB01308F14816BE521C32A1E76D9586D794

Function 00728CE1 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00728CF2
PostMessageW.USER32(?,00000201,00000001), ref: 00728D9C
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00728DA4
PostMessageW.USER32(?,00000202,00000000), ref: 00728DB2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00728DBA

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: aa040d95bed1eae9e68e995e13fe1206f14d45137488e77127561cc0bfbe0f7b
Instruction ID: fe9b5986de46e6de97c93774e5ea5efe2446100961d179e4bad8fe7c9903f9e4
Opcode Fuzzy Hash: aa040d95bed1eae9e68e995e13fe1206f14d45137488e77127561cc0bfbe0f7b
Instruction Fuzzy Hash: C431E071601229EBDF00CF68E94CADE3BB5EB18316F108229F924E71D0C7B99918CB91

Function 0072B4AE Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0072B4C6
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0072B4E3
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0072B51B
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0072B541
_wcsstr.LIBCMT ref: 0072B54B

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: c840079098fbdd5ec0f593dbf156a7b53e60af6715ec1bc1d93ab8febacd1efe
Instruction ID: 6ed70ada77df52f7cce539ac64daafac656a8785a3a6a0bd21a03f067346b1a3
Opcode Fuzzy Hash: c840079098fbdd5ec0f593dbf156a7b53e60af6715ec1bc1d93ab8febacd1efe
Instruction Fuzzy Hash: C8214C31604214BAFB255B39AC45E7B7BA9DF48750F10803DFD05CE161EFA9DC5093A0

Function 0075B17F Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

GetWindowLongW.USER32(?,000000F0), ref: 0075B1C6
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0075B1EB
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0075B203
GetSystemMetrics.USER32(00000004), ref: 0075B22C
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00740FA5,00000000), ref: 0075B24A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 276ee6c3c49f07390d5671603cc7f4c1285e2293fddbd361013f491ad671ac8b
Instruction ID: 32b9c04c5189ea552efbcfe133a3523d0d0246b6d282f85c8f991b95258d25da
Opcode Fuzzy Hash: 276ee6c3c49f07390d5671603cc7f4c1285e2293fddbd361013f491ad671ac8b
Instruction Fuzzy Hash: 35219131914625AFCB109F398C48BBA37A4FB45322F108739FD22D71E0E7789819CBA0

Function 007295C9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007295E2

Part of subcall function 006D7D2C: _memmove.LIBCMT ref: 006D7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00729614
__itow.LIBCMT ref: 0072962C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00729654
__itow.LIBCMT ref: 00729665

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 2dd4a4013844d174996fedc20935abd563e98b6bcd07d29d8016422a35ce0116
Instruction ID: 2c0e293969df8a823066d5329f655f2c77dd169b12234e610b15252bef01dd93
Opcode Fuzzy Hash: 2dd4a4013844d174996fedc20935abd563e98b6bcd07d29d8016422a35ce0116
Instruction Fuzzy Hash: 85212931B00228BBEB20AB60DC89EEE7BE9EF49710F084029FF04D7240E6748D45C796

Function 006D12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006D134D
SelectObject.GDI32(?,00000000), ref: 006D135C
BeginPath.GDI32(?), ref: 006D1373
SelectObject.GDI32(?,00000000), ref: 006D139C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3243d76ab504ab05e81182a86233bad759cdb539f45826627819ac5a92569c5a
Instruction ID: 382cec2857be3a314b49ab35635b65771fe32f8cdb81844fe1e80622935831ec
Opcode Fuzzy Hash: 3243d76ab504ab05e81182a86233bad759cdb539f45826627819ac5a92569c5a
Instruction Fuzzy Hash: 29215330C01718EBDB119F15DC04B997BA5EB11321F148217F4149A3A0D7B99992DF54

Function 00734B3A Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00734B61
__beginthreadex.LIBCMT ref: 00734B7F
MessageBoxW.USER32(?,?,?,?), ref: 00734B94
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00734BAA
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00734BB1

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: f50a16f509403166608cb57726d359572a742c417a0ba46000d7e8305eeb264d
Instruction ID: e8b2059798a73c221b9e8ffa66fddc2c1b7b0134b4db1c4092caf329783c91d3
Opcode Fuzzy Hash: f50a16f509403166608cb57726d359572a742c417a0ba46000d7e8305eeb264d
Instruction Fuzzy Hash: 331144F2904658BBD7119FA89C04ADBBFACEB49321F14826AF814D3252D6B9CD0087A4

Function 0072852A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00728546
GetLastError.KERNEL32(?,0072800A,?,?,?), ref: 00728550
GetProcessHeap.KERNEL32(00000008,?,?,0072800A,?,?,?), ref: 0072855F
HeapAlloc.KERNEL32(00000000,?,0072800A,?,?,?), ref: 00728566
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0072857D

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 82d1e9366115ee02988fac1e2bf5571702b2b10d2d19007d84d4702b220f1f5a
Instruction ID: 8d8b82fdc4ff717d4a06391fc3afc4aa57cb1203df29781e83a6bbfd2b8e3a92
Opcode Fuzzy Hash: 82d1e9366115ee02988fac1e2bf5571702b2b10d2d19007d84d4702b220f1f5a
Instruction Fuzzy Hash: 3A016271601314FFDB114FA6EC48DAB7F6CFF45356B144569F809C3120DA768D50CA61

Function 007352EB Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00735307
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00735315
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 0073531D
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00735327
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00735363

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: dcb1a2b2f0c5c2784f4ce605efb849aae757ac6c0c2f2ece59356bee00dfb571
Instruction ID: 95a57d0d4c609f728dccbb39e902d4f653a664992bc05c9a5658afff13513837
Opcode Fuzzy Hash: dcb1a2b2f0c5c2784f4ce605efb849aae757ac6c0c2f2ece59356bee00dfb571
Instruction Fuzzy Hash: E0018031C05A1DDBDF00AFE4EC8C5EDBB78FB08751F054559E941F2141CBB85A5087A5

Function 00727432 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0072736C,80070057,?,?,?,0072777D), ref: 0072744F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0072736C,80070057,?,?), ref: 0072746A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0072736C,80070057,?,?), ref: 00727478
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0072736C,80070057,?), ref: 00727488
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0072736C,80070057,?,?), ref: 00727494

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 48723f8d69e89190a355cb0d3275bf136ecdef31838261314c49e29f2a1c1115
Instruction ID: a57726654ae8c4ccd656b422343bde8d2843ce3f1bdfee87d95ba45280afb7fa
Opcode Fuzzy Hash: 48723f8d69e89190a355cb0d3275bf136ecdef31838261314c49e29f2a1c1115
Instruction Fuzzy Hash: 4D017172601328FBDB146F64ED44AAA7FADEB44762F148024F908D3220D779EE40DBA0

Function 007283D1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007283E8
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007283F2
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00728401
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00728408
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0072841E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 205c47589395f84b22d4c9e54abfd369eccbb1f1555447ecdf1235f129336611
Instruction ID: 46d469c838d3a29d5ac5b72ebec57a171b40c30b6135d24434a78d9f47c35877
Opcode Fuzzy Hash: 205c47589395f84b22d4c9e54abfd369eccbb1f1555447ecdf1235f129336611
Instruction Fuzzy Hash: E1F0C230206355EFEB102FB4EC8CEAB3BACEF89755B004025F909C3190CBB99C41DA61

Function 00728432 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00728449
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00728453
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00728462
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00728469
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0072847F

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fddd51d6503b09902a8eee3b2317c3228d55066607950f12cd696d0f49c1ff06
Instruction ID: a2b63bbc08124c8aeb2f7322247a2d156c479400cb5922ffc2ec0a251aca16a0
Opcode Fuzzy Hash: fddd51d6503b09902a8eee3b2317c3228d55066607950f12cd696d0f49c1ff06
Instruction Fuzzy Hash: E0F0C230202355AFEB512FA4EC8CEAB3FACEF49756F084025F909C3190CBA99D00DA61

Function 0072C4A5 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0072C4B9
GetWindowTextW.USER32(00000000,?,00000100), ref: 0072C4D0
MessageBeep.USER32(00000000), ref: 0072C4E8
KillTimer.USER32(?,0000040A), ref: 0072C504
EndDialog.USER32(?,00000001), ref: 0072C51E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 53383ea46a7d4ee4c2c7f14da5163e3c6bdd879522ccd8ee12a766caa775b754
Instruction ID: 44a4a03f8ea0b3d19bbfa4f53df7dd3159255ac0e94fe5e633f0022f27b90ba8
Opcode Fuzzy Hash: 53383ea46a7d4ee4c2c7f14da5163e3c6bdd879522ccd8ee12a766caa775b754
Instruction Fuzzy Hash: CA016230540714ABEB216B20ED5EFAA7BBCFF14706F004669F582A10E1DBE8B9548A85

Function 006D13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006D13BF
StrokeAndFillPath.GDI32(?,?,0070BA08,00000000,?), ref: 006D13DB
SelectObject.GDI32(?,00000000), ref: 006D13EE
DeleteObject.GDI32 ref: 006D1401
StrokePath.GDI32(?), ref: 006D141C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 4e11b8957df54b4ba29d51766c70ccd50079bab2ad71181e80a98e7b8cb5ba42
Instruction ID: ae0675690c8f259ec5990dd093d77435eabf96be5f118b276748ee50a121edb3
Opcode Fuzzy Hash: 4e11b8957df54b4ba29d51766c70ccd50079bab2ad71181e80a98e7b8cb5ba42
Instruction Fuzzy Hash: 9AF0E130405B18EBDB125F16EC4CB983FE5A701326F08C326E429892F1C7B949A6DF58

Function 006E2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 006F0F36: std::exception::exception.LIBCMT ref: 006F0F6C
Part of subcall function 006F0F36: __CxxThrowException@8.LIBCMT ref: 006F0F81

Part of subcall function 006D7F41: _memmove.LIBCMT ref: 006D7F82

Part of subcall function 006D7BB1: _memmove.LIBCMT ref: 006D7C0B

__swprintf.LIBCMT ref: 006E302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 006E2EC6

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 679a78f718bb8ef29be447d0656421a8eda7197587b75dd8feb6f5e90d2ce67b
Instruction ID: b51db8ffa49914a1c7ebd06ce2835c18e618c198bf9a495865f232400667f6e5
Opcode Fuzzy Hash: 679a78f718bb8ef29be447d0656421a8eda7197587b75dd8feb6f5e90d2ce67b
Instruction Fuzzy Hash: 31918E715093519FC754EF28C895CAEB7A6EF85700F04491EF8829B3A1EB30EE45CB56

Function 0073B9C7 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 006D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D48A1,?,?,006D37C0,?), ref: 006D48CE

CoInitialize.OLE32(00000000), ref: 0073BA47
CoCreateInstance.OLE32(00762D6C,00000000,00000001,00762BDC,?), ref: 0073BA60
CoUninitialize.OLE32 ref: 0073BA7D

Part of subcall function 006D9997: __itow.LIBCMT ref: 006D99C2
Part of subcall function 006D9997: __swprintf.LIBCMT ref: 006D9A0C

Strings

.lnk, xrefs: 0073BA29, 0073BA37

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: f8ce270106d25e742e1350e859739727ed99ada4041966a8f4a9adf79aac76e0
Instruction ID: 4a7fe33e1648d9d587bc1b2b067b5ceaa771989159ae501bc2d067e9f3c00423
Opcode Fuzzy Hash: f8ce270106d25e742e1350e859739727ed99ada4041966a8f4a9adf79aac76e0
Instruction Fuzzy Hash: A3A13375604301AFDB10DF14C494E6ABBE6BF88314F04898DF99A9B3A2CB35EC45CB91

Function 0072B5B5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0072B780

Strings

AutoIt3GUI, xrefs: 0072B6F8
%v, xrefs: 0072B823
Container, xrefs: 0072B6FD

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%v
API String ID: 3565006973-1258757215
Opcode ID: 393c1ca29185e472bef4c6c5e300764f3752f7692423beec092956ccd90cef93
Instruction ID: 13a4478f7c12281aa411bf03aeb4f1ede7902f7e31106c8bd620f779199e6c93
Opcode Fuzzy Hash: 393c1ca29185e472bef4c6c5e300764f3752f7692423beec092956ccd90cef93
Instruction Fuzzy Hash: E19149B0600611AFDB54DF64D884B66BBF9FF48710F24856EF90ACB691DBB4E841CB90

Function 006F518D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006F521D

Part of subcall function 00700270: __87except.LIBCMT ref: 007002AB

Strings

pow, xrefs: 006F51F5, 006F5212

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 739f2947a2d909e7ae9ca0b6c67dd7bf90714e26582c1e16398d490fd3631708
Instruction ID: 802863471388bbd9e59b4afd6477de13609a2138c921377de75d1db2b2e5e5bf
Opcode Fuzzy Hash: 739f2947a2d909e7ae9ca0b6c67dd7bf90714e26582c1e16398d490fd3631708
Instruction Fuzzy Hash: F7517C21A0CA09C7DB11A718C8453BE6BD5EB40760F208F5DF297822E5EF3C8DC596CA

Function 006F017B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 006F01B7
#, xrefs: 006F01C0

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 8c5eb342829cc265d2651326f4ed9af14e3b4d498c1c95bb1174773cea7b6076
Instruction ID: 615de267f257f59ae20fd34d2f5af9a4312977c81acedbe0a663d70b1785551f
Opcode Fuzzy Hash: 8c5eb342829cc265d2651326f4ed9af14e3b4d498c1c95bb1174773cea7b6076
Instruction Fuzzy Hash: C75131B550422A9FDF25DF28D484AFABBA5EF19310F18405AFC819B3A1D7389D42CB60

Function 006E3297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006E33D7
_memmove.LIBCMT ref: 006E3470
_free.LIBCMT ref: 006E3496
_memmove.LIBCMT ref: 006E3549

Strings

Oan, xrefs: 006E3482

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _memmove$_free
String ID: Oan
API String ID: 2620147621-1382745430
Opcode ID: 8a984d74634c465774eed5a7bffb10a4f47d698cb30bcf25a78ee586faf020e2
Instruction ID: 2b4fb27554039a3a470ba0b20763fb6b5cb528c412d7fa73b32e9d6eb2959671
Opcode Fuzzy Hash: 8a984d74634c465774eed5a7bffb10a4f47d698cb30bcf25a78ee586faf020e2
Instruction Fuzzy Hash: DB516C716093919FDB64CF29C885B6ABBE2FF85314F04892DE98987351DB31DA41CB42

Function 006E62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006E63A8
_memmove.LIBCMT ref: 006E6444
_memset.LIBCMT ref: 006E6468

Strings

ERCP, xrefs: 006E6313

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 333fcea0042efa87ad0f5fc7c33ddc4ea850f82fe77e74beefc51701d0ad7a75
Instruction ID: f759a4c2bb132f262766d63caf0ac9fc47da414b327e932fc5a87bc5053ae1ac
Opcode Fuzzy Hash: 333fcea0042efa87ad0f5fc7c33ddc4ea850f82fe77e74beefc51701d0ad7a75
Instruction Fuzzy Hash: D351C171901359DBDB24CF56C8817EAB7F5FF14344F20856EE94ACB281E374AA80CB80

Function 00757978 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0075F910,00000000,?,?,?,?), ref: 00757A11
GetWindowLongW.USER32 ref: 00757A2E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00757A3E

Strings

SysTreeView32, xrefs: 007579E3

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b51e59f0581a4ace5fdd6d85643b0672b995664a8606f01c7a33633f0821c0c6
Instruction ID: c11ab5f3123fbdeba674cd30ccd9bbd224185d3bfebc0407289fd910a749d726
Opcode Fuzzy Hash: b51e59f0581a4ace5fdd6d85643b0672b995664a8606f01c7a33633f0821c0c6
Instruction Fuzzy Hash: 0231FE71204606ABDB158E38DC41BEA7BA9EF04325F208725F875932E0C7B8E955CB60

Function 0075740B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00757493
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007574A7
SendMessageW.USER32(?,00001002,00000000,?), ref: 007574CB

Strings

SysMonthCal32, xrefs: 0075745E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 686ca15ab9f81e73ffb590968de253424d5f994d0274cebaabe731a34b62cc7b
Instruction ID: b242428fabd374ba38a3a1995786f2d275c96b4277d52e7a5dd6a5983658c133
Opcode Fuzzy Hash: 686ca15ab9f81e73ffb590968de253424d5f994d0274cebaabe731a34b62cc7b
Instruction Fuzzy Hash: 9F21E232500218BFDF258F90DC46FEA3B79EF48724F110214FE146B1D0D6B9A855CBA0

Function 00756CE2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00756D6D
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00756D7D
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00756DA2

Strings

Listbox, xrefs: 00756D3A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 1f7369e423086149aa397b056e348bae848a08ca26b6caa0f48cba443da0bd65
Instruction ID: ee885241b7ef833f9c60bd3c4eaf07340873d37e50de5a7c9a13fd442723ed2f
Opcode Fuzzy Hash: 1f7369e423086149aa397b056e348bae848a08ca26b6caa0f48cba443da0bd65
Instruction Fuzzy Hash: 7521F532700218BFEF118F54DC84EFB3BBAEF89751F408524F9009B190C6B5AC5687A0

Function 00757740 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007577A4
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007577B9
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007577C6

Strings

msctls_trackbar32, xrefs: 0075777B

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 79f409e1cd612cb5630807893983246fe9d26a2ba1f316f8c755a603c34bd1b1
Instruction ID: 55ce27791cc3a151c12fce1ae7831793ad960d171fa2c63523a4b54f23086e04
Opcode Fuzzy Hash: 79f409e1cd612cb5630807893983246fe9d26a2ba1f316f8c755a603c34bd1b1
Instruction Fuzzy Hash: 0611C172244208BAEB145F60EC45FEB7BA9EF89B25F014518FA41A60A0D6B6A811CB24

Function 006F6CEE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 006F6D10
__calloc_crt.LIBCMT ref: 006F6D29

Strings

@By, xrefs: 006F6D40
x, xrefs: 006F6D4E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: __calloc_crt
String ID: x$@By
API String ID: 3494438863-866083994
Opcode ID: 7a23be47e023639209e4d80faf963618d665f2d8c3ffa254b891bf96b381b6cb
Instruction ID: 1f948000518843321af7ee010f717436e7c585f2d9779b5b76e689b8b1c54f1a
Opcode Fuzzy Hash: 7a23be47e023639209e4d80faf963618d665f2d8c3ffa254b891bf96b381b6cb
Instruction Fuzzy Hash: 96F062B1348B2A9AF7659F19FD126B12796FF51720B10452BF314CE294E77888824798

Function 006D4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006D4C2E), ref: 006D4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006D4CB5

Strings

GetNativeSystemInfo, xrefs: 006D4CAF
kernel32.dll, xrefs: 006D4C9E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 574e90c62c8d1ec3aaa4a224a177882089b930c532c3a15d3dcfe5485467f52b
Instruction ID: 5d074fe12d92d0228ecf64f0f1340fe8e1c8826378c1f7b984dcf2d9bd0bd608
Opcode Fuzzy Hash: 574e90c62c8d1ec3aaa4a224a177882089b930c532c3a15d3dcfe5485467f52b
Instruction Fuzzy Hash: 9AD012B0911B27CFD7205F31DA18A8676D6AF05752B11C83AD885D6250EAB8D880C651

Function 006D4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006D4D2E,?,006D4F4F,?,007952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 006D4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006D4D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 006D4D7B
kernel32.dll, xrefs: 006D4D6A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 5e7f038a716e8a3442696ee34195a42a6aa8503aa22641b863f519e438a5b731
Instruction ID: 7cc4952e8ed154a46125b8dbd51d03e3661faa6fa0ea74b0551ed5ff4df875bf
Opcode Fuzzy Hash: 5e7f038a716e8a3442696ee34195a42a6aa8503aa22641b863f519e438a5b731
Instruction Fuzzy Hash: C4D01270910B13CFD7205F31D80869676DBAF15352B11C83AD486D6750EBB8D880CB61

Function 006D4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006D4CE1,?), ref: 006D4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006D4DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 006D4DAE
kernel32.dll, xrefs: 006D4D9D

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 83fd88367ac766fcddf48b8b83a8afa6d858f195b8dfbeb4b091e6e25e3dda52
Instruction ID: 63994ca578af2f0e7a232faf296d346a55fc22a9ac5fec0f98f75322ce7728f9
Opcode Fuzzy Hash: 83fd88367ac766fcddf48b8b83a8afa6d858f195b8dfbeb4b091e6e25e3dda52
Instruction Fuzzy Hash: 90D012B0950B13CFD7205F31D808AC676E7AF05356B11C83AD8C5D6650EBB8D880C650

Function 00750E72 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,007510C1), ref: 00750E80
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00750E92

Strings

advapi32.dll, xrefs: 00750E7B
RegDeleteKeyExW, xrefs: 00750E8C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: e60330d8fa387b82a06ba2cec0ab85522bd4345d0aeb74357de2fb3e486c5b15
Instruction ID: f991bb0e6fb2621aa71842b35f8384248478ff2f5ae591d51831003248823265
Opcode Fuzzy Hash: e60330d8fa387b82a06ba2cec0ab85522bd4345d0aeb74357de2fb3e486c5b15
Instruction Fuzzy Hash: 81D01270550713CFD7206F35D9095D676D4AF04393B15CC39E985D2190D7B8C480C790

Function 007491F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00748E09,?,0075F910), ref: 00749203
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00749215

Strings

GetModuleHandleExW, xrefs: 0074920F
kernel32.dll, xrefs: 007491FE

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: c5c105d2d4bbb415d2cbed4d1018d0ae7904f8eb950492b46d35de05a5afbce8
Instruction ID: 9353afb18c233f190c5d7514e823b9f1f06eae1ebd1103b69ee505f3fd78b9ef
Opcode Fuzzy Hash: c5c105d2d4bbb415d2cbed4d1018d0ae7904f8eb950492b46d35de05a5afbce8
Instruction Fuzzy Hash: 0AD0E2B0594B16DFDB20AB31DD0968676E6AF05352B11C83AD986D6590EBB8C880CA91

Function 00711A6D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00711A71
__swprintf.LIBCMT ref: 00711AA2

Strings

%.3d, xrefs: 00711A7C
WIN_XPe, xrefs: 00711AE1

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 8d81756f1f0f0f1b7cc2abce1a9e5bf60820abeddc7606eb7941eb9cd31ffe5a
Instruction ID: e8b601c0cad7e2b38d4c18768e817c051e2a38b51c84cdcb4a175615199b267a
Opcode Fuzzy Hash: 8d81756f1f0f0f1b7cc2abce1a9e5bf60820abeddc7606eb7941eb9cd31ffe5a
Instruction Fuzzy Hash: 7ED012B1C4511DEACB4097D48C859FE777CAF08310F94C052F602A5180E26DDBC4DB25

Function 007274A5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8fc58db09e5be44f66712eb11a7a41717349f40278a7f87023e8507b409b32
Instruction ID: e6dd1b6c48d6328f9be8df1401709030722e656bd7865a3802576390b0115ec7
Opcode Fuzzy Hash: 9b8fc58db09e5be44f66712eb11a7a41717349f40278a7f87023e8507b409b32
Instruction Fuzzy Hash: 2DC15E74A04226EFCB18CF98D984EAEB7B5FF48714B218598E805EB351D734ED81DB90

Function 0074E13E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0074E1D2
CharLowerBuffW.USER32(?,?), ref: 0074E215

Part of subcall function 0074D8B9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0074D8D9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0074E415
_memmove.LIBCMT ref: 0074E428

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 8b72cd871ad16d50b2527ef4c7acbe9db3fecbc5df733ccbecda73b0b677042a
Instruction ID: b6b459d37439e4941388118e161a17361ab9dcbfe41c4a17e51ebe96ac6235d8
Opcode Fuzzy Hash: 8b72cd871ad16d50b2527ef4c7acbe9db3fecbc5df733ccbecda73b0b677042a
Instruction Fuzzy Hash: 57C17A71A08311DFC754DF28C48096ABBE5FF88324F04896EF8999B352D774E945CB82

Function 007481A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007481D8
CoUninitialize.OLE32 ref: 007481E3

Part of subcall function 0072D87B: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0072D8E3

VariantInit.OLEAUT32(?), ref: 007481EE
VariantClear.OLEAUT32(?), ref: 007484BF

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 75266b7dbf0e4a7e28feec099b029dac3b6cc31c6ffd6db7a55492e8ef6e028a
Instruction ID: 245ad930010cae4bbdbcd7c24cd67a993e1f96df75f1b3b6cf6594b7252e17fe
Opcode Fuzzy Hash: 75266b7dbf0e4a7e28feec099b029dac3b6cc31c6ffd6db7a55492e8ef6e028a
Instruction Fuzzy Hash: DDA146756047059FDB90DF18C491A2EB7E5BF88724F08844DF99A9B3A2CB38ED00CB56

Function 00726BD3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00726BE4
SysAllocString.OLEAUT32(00000000), ref: 00726C8D
VariantCopy.OLEAUT32 ref: 00726CBC
VariantClear.OLEAUT32(?), ref: 00726CE3

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 1f3b764a69ae7f5a0d4e2c138bf2650fd7198f74f40aa28382d314c9f3e69872
Instruction ID: 04fe5d31fc53d88778b2a22d0e406a37cae5988222470b4475c271c3a0b83398
Opcode Fuzzy Hash: 1f3b764a69ae7f5a0d4e2c138bf2650fd7198f74f40aa28382d314c9f3e69872
Instruction Fuzzy Hash: FE51C63070431ADBDF64AF65E895A79B3E5EF48310F20882FE596CB2D1DB789880CB15

Function 00759826 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0101F538,?), ref: 00759895
ScreenToClient.USER32(00000002,00000002), ref: 007598C8
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00759935

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: cda3c293edfdaa1b37d6c2588829c0663a83c6c101188ef3f779e4ca3349c6aa
Instruction ID: 7a134373baf7851b4e886bae7237c79f7c5bf1a0ed71fdca7eb1ccbdca8ef8f9
Opcode Fuzzy Hash: cda3c293edfdaa1b37d6c2588829c0663a83c6c101188ef3f779e4ca3349c6aa
Instruction Fuzzy Hash: 20514934A00209EFCF10DF64D880AEE7BB6EF85321F148169FD559B2A0D7B5AD85CB90

Function 00746AC0 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00746AE7
WSAGetLastError.WSOCK32(00000000), ref: 00746AF7

Part of subcall function 006D9997: __itow.LIBCMT ref: 006D99C2
Part of subcall function 006D9997: __swprintf.LIBCMT ref: 006D9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00746B5B
WSAGetLastError.WSOCK32(00000000), ref: 00746B67

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: b68be163098ac14d80d45e61cc0772ea22770e6fb577ffd151e6618ede81829e
Instruction ID: 0c24b1ed56d2b758c1794d599385360f3a8bdca6404ac536b1327fee57ff3df3
Opcode Fuzzy Hash: b68be163098ac14d80d45e61cc0772ea22770e6fb577ffd151e6618ede81829e
Instruction Fuzzy Hash: 7741C375B40210AFEB60AF24DC86F7A77EADB04B10F54841DFA199B3C2DB749C008B99

Function 00746530 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0075F910), ref: 007465BD
_strlen.LIBCMT ref: 007465EF

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: b0c05b0f3b5f90a635a541352a54e5d17c8e39fda6d1223e70b9ddf28a6140bb
Instruction ID: 8189da308721cbe38677abe1a29c2f1ec05a5a39ee10427c508a4c0484cf8c95
Opcode Fuzzy Hash: b0c05b0f3b5f90a635a541352a54e5d17c8e39fda6d1223e70b9ddf28a6140bb
Instruction Fuzzy Hash: A441C431A00104AFCB14FB64ECD5EBEB3AAEF44310F15815AF81697392EB34AD00CB56

Function 0073B880 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0073B92A
GetLastError.KERNEL32(?,00000000), ref: 0073B950
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0073B975
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0073B9A1

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 2815dc51ab5d43ab674baf418caf4e1be4555529c37c3cd266dc551995ed9921
Instruction ID: f668ece2f58329b625130a018abcb4463fdf816d10c414f58d5931bf35d88132
Opcode Fuzzy Hash: 2815dc51ab5d43ab674baf418caf4e1be4555529c37c3cd266dc551995ed9921
Instruction Fuzzy Hash: 10411639A00610EFCB10EF15C495A59BBE2AF89314F098089E94A9F762CB34FD00CBA5

Function 00758883 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00758910

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 77ce01da17b0ba0fe9cca8a9e1595404e88a21e49cc3c4f6fd305b033661f24d
Instruction ID: 3a1e5ab8d5d3e263e6dcdc7d8621399d1c8a1be594ac6155f644f356e198a68e
Opcode Fuzzy Hash: 77ce01da17b0ba0fe9cca8a9e1595404e88a21e49cc3c4f6fd305b033661f24d
Instruction Fuzzy Hash: B831C134605108BFEFA19A54CC45BF83765EB05322F544116FE51F62E0CFB8B9889B93

Function 0075AB69 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0075AB92
GetWindowRect.USER32(?,?), ref: 0075AC08
PtInRect.USER32(?,?,0075C07E), ref: 0075AC18
MessageBeep.USER32(00000000), ref: 0075AC89

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b308ede8a33a9d069e521ae335cd972216c71bf25035e49c685d2da4469913cf
Instruction ID: eebdba97a5c852f1a137790091e9b95ae30168ef3fdb02d480ed83151aebea09
Opcode Fuzzy Hash: b308ede8a33a9d069e521ae335cd972216c71bf25035e49c685d2da4469913cf
Instruction Fuzzy Hash: A1416170600215EFCF12CF58C884EE977F5FB49312F1482B9E9159B261D779A849CB62

Function 00730E07 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00730E58
SetKeyboardState.USER32(00000080,?,00000001), ref: 00730E74
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00730EDA
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00730F2C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d0bf04550eacdf42034e9c35b89e0807ae7ba6dcb1f65df4a711413fd07e6b7b
Instruction ID: c378ef714ded273c82e44f0fdde54e50f2519a36fa53955c4076438a89ddbd03
Opcode Fuzzy Hash: d0bf04550eacdf42034e9c35b89e0807ae7ba6dcb1f65df4a711413fd07e6b7b
Instruction Fuzzy Hash: 8A314870B80218AEFB34DB248C29BFE7B65EB48310F18465AF0D0521D3D37D895597D5

Function 00730F42 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00730F97
SetKeyboardState.USER32(00000080,?,00008000), ref: 00730FB3
PostMessageW.USER32(00000000,00000101,00000000), ref: 00731012
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00731064

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9a5d5e8ab774bebaa0ff43c521a5d785ccb5e66c2cd36b03718bf5134836f85c
Instruction ID: 748457e2cb426e5de72cd14bcc2a5a78b70188a67ec9d9268eb355080e634616
Opcode Fuzzy Hash: 9a5d5e8ab774bebaa0ff43c521a5d785ccb5e66c2cd36b03718bf5134836f85c
Instruction Fuzzy Hash: 2D313A30A40398DEFF388A648818BFABB65AB45311F44421AE495521D3D37D89D197A2

Function 00706345 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0070637B
__isleadbyte_l.LIBCMT ref: 007063A9
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007063D7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0070640D

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: ab14775d657252236233f89dcd3217fcb9fa4b539c0738b7286e1c4e8564cbce
Instruction ID: 425de17adea1cac8f25d8ec32f65460d14637d255c8f53c7fb9b865a43695c1f
Opcode Fuzzy Hash: ab14775d657252236233f89dcd3217fcb9fa4b539c0738b7286e1c4e8564cbce
Instruction Fuzzy Hash: 0731903160029AEFDB218F65C854BBABBF6FF41310F158229F8548B1D1E739D960DB90

Function 00754F57 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00754F6B

Part of subcall function 00733685: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0073369F
Part of subcall function 00733685: GetCurrentThreadId.KERNEL32 ref: 007336A6
Part of subcall function 00733685: AttachThreadInput.USER32(00000000,?,007350AC), ref: 007336AD

GetCaretPos.USER32(?), ref: 00754F7C
ClientToScreen.USER32(00000000,?), ref: 00754FB7
GetForegroundWindow.USER32 ref: 00754FBD

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0b9f177d3fdcc480f8ab5803f00305ca9683a470fc3766b43bb23d864fcee966
Instruction ID: 7dec911ef66a3c6cd63edde11debeabd490debc80a58da5a6c7c205df10abbca
Opcode Fuzzy Hash: 0b9f177d3fdcc480f8ab5803f00305ca9683a470fc3766b43bb23d864fcee966
Instruction Fuzzy Hash: EB312F72D00118AFDB50EFA5C845AEFB7F9EF98304F10406AE505E7341EA755E45CBA4

Function 0075C502 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

GetCursorPos.USER32(?), ref: 0075C53C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0070BB2B,?,?,?,?,?), ref: 0075C551
GetCursorPos.USER32(?), ref: 0075C59E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0070BB2B,?,?,?), ref: 0075C5D8

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: ad2ff8a9c4b2a71be4e71311d4824f001c15e39263aa1094f74d6bbecebd3296
Instruction ID: 7d8fd7199d6a8c3c1e81583a1cdfb69a3bee4accb79e64f4f84632c58d6b56f8
Opcode Fuzzy Hash: ad2ff8a9c4b2a71be4e71311d4824f001c15e39263aa1094f74d6bbecebd3296
Instruction Fuzzy Hash: 3331F636600618EFCB16CF94C858EEA7BF9EB49311F144069FD058B261E779AD60DFA0

Function 0072897E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00728432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00728449
Part of subcall function 00728432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00728453
Part of subcall function 00728432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00728462
Part of subcall function 00728432: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00728469
Part of subcall function 00728432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0072847F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007289CB
_memcmp.LIBCMT ref: 007289EE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00728A24
HeapFree.KERNEL32(00000000), ref: 00728A2B

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 1d2b1252ecf8dc803c4e4de8bfee34d3633027b14de6d21e089b1951f48b38dc
Instruction ID: 8cd25765dc4c6b365d36499a03a282c23a2a305bc063545c75fbe6b70317d149
Opcode Fuzzy Hash: 1d2b1252ecf8dc803c4e4de8bfee34d3633027b14de6d21e089b1951f48b38dc
Instruction Fuzzy Hash: 8F21B031E42218EFDB10DFA4D945BEEB7B8EF40351F14805AE454A7240EB3AAE45CF52

Function 006F0B0C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 006F0B2E

Part of subcall function 006D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,0073793F,?,?,00000000), ref: 006D5B8C
Part of subcall function 006D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,0073793F,?,?,00000000,?,?), ref: 006D5BB0

_fprintf.LIBCMT ref: 006F0B65
OutputDebugStringW.KERNEL32(?), ref: 00726111

Part of subcall function 006F4C1A: _flsall.LIBCMT ref: 006F4C33

__setmode.LIBCMT ref: 006F0B9A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 2dcb00e919572fbdd57e650e7ba9ee97cd953e3dd1474ab608514acd19e705f0
Instruction ID: 44374bd34433229e5087810bbff564b12159ac5d60527895687b2961876dd531
Opcode Fuzzy Hash: 2dcb00e919572fbdd57e650e7ba9ee97cd953e3dd1474ab608514acd19e705f0
Instruction Fuzzy Hash: 37113A3290420C7EEB4477B49C46DBE7B6B9F41320F14401FF31597683DE65584287AD

Function 0074187D Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007418B9

Part of subcall function 00741943: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00741962
Part of subcall function 00741943: InternetCloseHandle.WININET(00000000), ref: 007419FF

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 4721f17d6b2dd9944757d4f7bb52752be37571158d7d7517e58cfd54ba9de537
Instruction ID: b44350fcd41e32916d28f7abbce3df4011931ace5fa93fc7283721b0ca66bc66
Opcode Fuzzy Hash: 4721f17d6b2dd9944757d4f7bb52752be37571158d7d7517e58cfd54ba9de537
Instruction Fuzzy Hash: 9F212031200705FFEB11AF608C10FBABBADFF48700F90442AFA1596251DB79E86197A0

Function 00733A6E Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0075FAC0), ref: 00733AA8
GetLastError.KERNEL32 ref: 00733AB7
CreateDirectoryW.KERNEL32(?,00000000), ref: 00733AC6
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0075FAC0), ref: 00733B23

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: e922f693b2fd1aeaa5d8c9441bc22e7ddf901aa66c7ee6c0bb0df06b467e048c
Instruction ID: 48af7a1963df83a36321ccfae654e6bf6240f63eba305e3e32840e037d5389ad
Opcode Fuzzy Hash: e922f693b2fd1aeaa5d8c9441bc22e7ddf901aa66c7ee6c0bb0df06b467e048c
Instruction Fuzzy Hash: 0321D8B05083118F9310DF28C88089FB7E4FE45724F148A1EF499C72A2D735DE05CB86

Function 00705262 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00705281

Part of subcall function 006F588C: __FF_MSGBANNER.LIBCMT ref: 006F58A3
Part of subcall function 006F588C: __NMSG_WRITE.LIBCMT ref: 006F58AA
Part of subcall function 006F588C: RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000000,?,?,?,006F0F53,?), ref: 006F58CF

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: de1b556cb4ce2712132c78d588a60b102e88268f0e1fbf4109f18ae5c17e4c79
Instruction ID: 0cdbf1c8b1b196e4915101fd7eb82227600bda64fcdfaf59112e45984a6725e6
Opcode Fuzzy Hash: de1b556cb4ce2712132c78d588a60b102e88268f0e1fbf4109f18ae5c17e4c79
Instruction Fuzzy Hash: 4D11E372901A19EFDB602F70AC0967F37D9BF00361B20462DFA04DB190DE3889408BA9

Function 006D4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006D4560

Part of subcall function 006D410D: _memset.LIBCMT ref: 006D418D
Part of subcall function 006D410D: _wcscpy.LIBCMT ref: 006D41E1
Part of subcall function 006D410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006D41F1

KillTimer.USER32(?,00000001,?,?), ref: 006D45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006D45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0070D5FE

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 77bae2abd5e2b564c918699ddf056220325db0348eaaf5124d8b47cd4ccb2f27
Instruction ID: ef7fa17be4fef2144d3bda27f6f31bbe2ab24c2357e8b3a2fe1e5a07de9baf72
Opcode Fuzzy Hash: 77bae2abd5e2b564c918699ddf056220325db0348eaaf5124d8b47cd4ccb2f27
Instruction Fuzzy Hash: 4E2107B0904784DFEB328B64DC55BE7BBEDAF01308F04009EE68A96381C7B81E848B51

Function 0074647F Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,0073793F,?,?,00000000), ref: 006D5B8C
Part of subcall function 006D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,0073793F,?,?,00000000,?,?), ref: 006D5BB0

gethostbyname.WSOCK32(?,?,?), ref: 007464AF
WSAGetLastError.WSOCK32(00000000), ref: 007464BA
_memmove.LIBCMT ref: 007464E7
inet_ntoa.WSOCK32(?), ref: 007464F2

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 38f896db51a22717d7a4952a41e508ebfa061b31874bcd33fd106e22f1bfbb61
Instruction ID: b74680f9b5160edf283bf22967d4227eaa4e60b62327e2ecd5adce669b57d70d
Opcode Fuzzy Hash: 38f896db51a22717d7a4952a41e508ebfa061b31874bcd33fd106e22f1bfbb61
Instruction Fuzzy Hash: 9F119031900608AFCB40FBA4DD86DEEB7B9AF04300B04802AF502A7261DF34AE04CBA5

Function 00728E03 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00728E23
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00728E35
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00728E4B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00728E66

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: da7dba4e4094627e586ada9bc22b24e548af10ef70bc34f4556080fd87238706
Instruction ID: 88df0f9ae463fa212efb8a888536b9645b3d3b03fde46e8ffc7cbbedd9e4d933
Opcode Fuzzy Hash: da7dba4e4094627e586ada9bc22b24e548af10ef70bc34f4556080fd87238706
Instruction Fuzzy Hash: B8112A79D01228FFEB11DFA5CC85E9EBBB8FB48710F214195E904B7290DA726E10DB94

Function 006D1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

DefDlgProcW.USER32(?,00000020,?), ref: 006D12D8
GetClientRect.USER32(?,?), ref: 0070B77B
GetCursorPos.USER32(?), ref: 0070B785
ScreenToClient.USER32(?,?), ref: 0070B790

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f551872383f4bb565cbd0cfd46630c54d5a80c9c6e9184d9c16679d756801e9c
Instruction ID: 2143bb92e2ba612f11202bf8445e849f41097bea149fc4c72ccb87502843b693
Opcode Fuzzy Hash: f551872383f4bb565cbd0cfd46630c54d5a80c9c6e9184d9c16679d756801e9c
Instruction Fuzzy Hash: 6D113A35A00119FFCB10EFA4D8859EE77BAEB06301F504466F901EB250D7B5BB918BA9

Function 00731473 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0073001E,?,00731071,?,00008000), ref: 00731490
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0073001E,?,00731071,?,00008000), ref: 007314B5
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0073001E,?,00731071,?,00008000), ref: 007314BF
Sleep.KERNEL32(?,?,?,?,?,?,?,0073001E,?,00731071,?,00008000), ref: 007314F2

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 36f702963b7d36114ce2342bcd7334ebbdaec59dafc104035d47ecdd38e947f4
Instruction ID: 425ea3283171e416f5127dc972a5e45e37f0b0dbacdfb75ff38fe6a357a22e39
Opcode Fuzzy Hash: 36f702963b7d36114ce2342bcd7334ebbdaec59dafc104035d47ecdd38e947f4
Instruction Fuzzy Hash: BE117C31C01A6DDBDF00AFA5D948AEEBB78FF09712F408155E940B6241CB7899608B95

Function 00707137 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0070715B

Part of subcall function 00707842: __fltout2.LIBCMT ref: 0070786B

__cftog_l.LIBCMT ref: 00707181
__cftoe_l.LIBCMT ref: 007071B3

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: ea917fa6c62423b39ade4275e6cd5945e49bb69a8c93ac0576e930ac3408f13e
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: C001603284814EFBCF1A5F84CC058ED3FA6BB58340B448615FA18541A0C23AE971EB81

Function 0075B2F9 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0075B318
ScreenToClient.USER32(?,?), ref: 0075B330
ScreenToClient.USER32(?,?), ref: 0075B354
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0075B36F

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 8fd6f07155ec163b8e4fb903223ccbf999a1b521d5133609a5e018300c52fbef
Instruction ID: e92c3ee8a2aee6841816bdbab6a4ce1db694373e4a5fae31054497c7f9e520f6
Opcode Fuzzy Hash: 8fd6f07155ec163b8e4fb903223ccbf999a1b521d5133609a5e018300c52fbef
Instruction Fuzzy Hash: C21143B9D00209EFDB41CFA8C8849EEBBB9FB08311F108166E914E3220D775AA558F94

Function 00736C83 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00736C8F

Part of subcall function 0073776D: _memset.LIBCMT ref: 007377A2

_memmove.LIBCMT ref: 00736CB2
_memset.LIBCMT ref: 00736CBF
LeaveCriticalSection.KERNEL32(?), ref: 00736CCF

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: aca5494e1b8e1eb4d4575435f0d2ea06926b005be34ecba673e162987653c091
Instruction ID: 7de865012b2967879a24369e950b5f1e4e3769981740ae53517de64fad4bf2ff
Opcode Fuzzy Hash: aca5494e1b8e1eb4d4575435f0d2ea06926b005be34ecba673e162987653c091
Instruction Fuzzy Hash: B5F0547A101204ABDF416F55DC85E8ABB2AFF45321F04C065FE096E21BCB75A911CBB4

Function 0072A15C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0072A179
GetWindowThreadProcessId.USER32(?,00000000), ref: 0072A18C
GetCurrentThreadId.KERNEL32 ref: 0072A193
AttachThreadInput.USER32(00000000), ref: 0072A19A

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: dba114018724858f78e92b657acd0d2de3846114e3c1484be23b0da4fbe749c0
Instruction ID: be307c78fcc1149d0e92324173ecbae1bff3d7d20b5e45ee721ccdf4fbe51d62
Opcode Fuzzy Hash: dba114018724858f78e92b657acd0d2de3846114e3c1484be23b0da4fbe749c0
Instruction Fuzzy Hash: 66E0ED3154532CBBEB205FA2EC0DED77F6CEF267B2F408025F50995060C6B98550CBA5

Function 006D2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006D2231
SetTextColor.GDI32(?,000000FF), ref: 006D223B
SetBkMode.GDI32(?,00000001), ref: 006D2250
GetStockObject.GDI32(00000005), ref: 006D2258
GetWindowDC.USER32(?,00000000), ref: 0070C003
GetPixel.GDI32(00000000,00000000,00000000), ref: 0070C010
GetPixel.GDI32(00000000,?,00000000), ref: 0070C029
GetPixel.GDI32(00000000,00000000,?), ref: 0070C042
GetPixel.GDI32(00000000,?,?), ref: 0070C062
ReleaseDC.USER32(?,00000000), ref: 0070C06D

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: f79db710b68a09fe91a18b1a6bd8ca626f4bacc4429b9dc7c1b764d5b0bc402b
Instruction ID: 9e7cb11aaa3037f3454e54e7063eda24d70505b534318b9e6153f1000e28f1c3
Opcode Fuzzy Hash: f79db710b68a09fe91a18b1a6bd8ca626f4bacc4429b9dc7c1b764d5b0bc402b
Instruction Fuzzy Hash: 65E06D32500648EAEB215F74FC0DBD83B10EB15333F00C366FAA9980E187B64A90DB11

Function 00728A3A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00728A43
OpenThreadToken.ADVAPI32(00000000,?,?,?,0072860E), ref: 00728A4A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0072860E), ref: 00728A57
OpenProcessToken.ADVAPI32(00000000,?,?,?,0072860E), ref: 00728A5E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 38be50b5fda35c585900c4e8aef1f068c4c598226695d58d8e7f2afcab4fe935
Instruction ID: b747bae5f751fd6b44e5f0117c650a9009150a39999ca5175ed2315c44f00495
Opcode Fuzzy Hash: 38be50b5fda35c585900c4e8aef1f068c4c598226695d58d8e7f2afcab4fe935
Instruction Fuzzy Hash: 9BE04F766023219FDB605FB06D0CB9B3BA8AF50793F04C828E246CA080DA6894818755

Function 007120B6 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007120B6
GetDC.USER32(00000000), ref: 007120C0
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007120E0
ReleaseDC.USER32(?), ref: 00712101

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c6340c97a774780800ce4b5795e3fb8697823e6f1703a1a158a671f70fa8d56c
Instruction ID: dac6372df3632abb8e3f7c64d80abb51abd7291be58bbca63d467d3664235fee
Opcode Fuzzy Hash: c6340c97a774780800ce4b5795e3fb8697823e6f1703a1a158a671f70fa8d56c
Instruction Fuzzy Hash: 6AE0E575800208EFCB51AF60C80869E7BB2EB4C312F10C02AF85A97261DBB98182DF45

Function 007120CA Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007120CA
GetDC.USER32(00000000), ref: 007120D4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007120E0
ReleaseDC.USER32(?), ref: 00712101

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c424bc04145daa1c05f04e5f35abef71cc0808cb7da3aaf2f85c4c0e22a5d245
Instruction ID: 7a83520fdd4fd534c9b1c9331570917111ab3002f7622055ede4187663a7e55d
Opcode Fuzzy Hash: c424bc04145daa1c05f04e5f35abef71cc0808cb7da3aaf2f85c4c0e22a5d245
Instruction Fuzzy Hash: 20E0E575C00204AFCB519F60C80869D7BA2EB4C312F10C02AF95A97260DBB991419F44

Function 006D63A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%v, xrefs: 006D63AE

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID:
String ID: %v
API String ID: 0-3047460978
Opcode ID: e44e81cdef35726b508dc7bb7f8d3157166d51be6a797e713562a1a6b6f5b870
Instruction ID: c5bac791748a8303d328705b520e16fc1aea7f23bc72c77138b246da9ff4a512
Opcode Fuzzy Hash: e44e81cdef35726b508dc7bb7f8d3157166d51be6a797e713562a1a6b6f5b870
Instruction Fuzzy Hash: E5B17171D002099ACF24EF98C4919FDB7B6EF44310F54416BF502A7395EB349E86CB55

Function 0074AFB7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0074B0C3

Strings

xby, xrefs: 0074B0F9
xby, xrefs: 0074B125

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: __itow_s
String ID: xby$xby
API String ID: 3653519197-4172655841
Opcode ID: 6c08308fef23b0188230101e215e791b8afe51858a4636f63668adc55a34ed54
Instruction ID: b47c9b9d4a1f980e335665fcb0c80bef9ac2f249323a4f12d599794a377e5bdd
Opcode Fuzzy Hash: 6c08308fef23b0188230101e215e791b8afe51858a4636f63668adc55a34ed54
Instruction Fuzzy Hash: 78B18F71A00209EFDB14DF55C890EAEB7BAFF58300F14815AF9459B292EB78ED41CB64

Function 0073B038 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006EFE06: _wcscpy.LIBCMT ref: 006EFE29

Part of subcall function 006D9997: __itow.LIBCMT ref: 006D99C2
Part of subcall function 006D9997: __swprintf.LIBCMT ref: 006D9A0C

__wcsnicmp.LIBCMT ref: 0073B0B9
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0073B182

Strings

LPT, xrefs: 0073B0B3

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: a19bcd86667b61c308935b93cfda65780705dcedcff7e5d5bc4ca800b4068a23
Instruction ID: c1def09cbb0faab7605a692a30d7056d43fab2ded51e9330359024df545f0f47
Opcode Fuzzy Hash: a19bcd86667b61c308935b93cfda65780705dcedcff7e5d5bc4ca800b4068a23
Instruction Fuzzy Hash: 6561A275E00219AFDB14DF94C891EAEB7B5EF08310F14415EFA46AB352DB74AE40CB94

Function 007188DA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00718981
_memmove.LIBCMT ref: 007189DB

Strings

Oan, xrefs: 00718A55, 0071E332, 0071E34E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _memmove
String ID: Oan
API String ID: 4104443479-1382745430
Opcode ID: 4c13343b74a18aedabde52146293f75f745e93ac7a6ac0f40f3e62c82d3906ac
Instruction ID: 785bea6198ffaab08ed85593f8bd3ae094bf0bfcc3f09505974c7d8670a77107
Opcode Fuzzy Hash: 4c13343b74a18aedabde52146293f75f745e93ac7a6ac0f40f3e62c82d3906ac
Instruction Fuzzy Hash: 17514F70A01609DFDB64CF68C884AEEB7F1FF44314F148519E85AD7280EB35A995CB52

Function 006E2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 006E2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 006E2AE1

Strings

@, xrefs: 006E2AD5

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 7f72ed7da856d9e67e8b3e1be78f18ba7f7efe7d8f9d58c416f471a027bb6737
Instruction ID: b5d06371d1bc8a1f0d2947841b07d1dbf6ca9203079f4821d4048252a8b1ec28
Opcode Fuzzy Hash: 7f72ed7da856d9e67e8b3e1be78f18ba7f7efe7d8f9d58c416f471a027bb6737
Instruction Fuzzy Hash: B4516A728187449BD360AF10DC86BAFBBF8FF84314F41885DF2D9411A1DB349569CB6A

Function 007397DD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 006D506B: __fread_nolock.LIBCMT ref: 006D5089

_wcscmp.LIBCMT ref: 007398CD
_wcscmp.LIBCMT ref: 007398E0

Strings

FILE, xrefs: 00739819

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 42acb1cdb95f3bf7a7a6b36078c906fb000369457185ea679d2673c3e6ff2fc5
Instruction ID: 60658670d9004f16d836e3e89e9650f21f3aff0faddeb23cbf74ea57171f0e85
Opcode Fuzzy Hash: 42acb1cdb95f3bf7a7a6b36078c906fb000369457185ea679d2673c3e6ff2fc5
Instruction Fuzzy Hash: B441FB71A0061DBBDF209AA0CC85FEFB7BEDF45710F00046EBA01B7281DA75A94587A5

Function 007108CD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 007108D8

Strings

Ddy, xrefs: 006DA2B1
Ddy, xrefs: 006DA477

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ClearVariant
String ID: Ddy$Ddy
API String ID: 1473721057-973355944
Opcode ID: 9b46727056b07ef41840e8c1adc6e13348929dbb03ca55d6dcc9cab9cdcc0597
Instruction ID: bd91c20fd13a69d1e175380e5a8f3ad446da01446193c09647da60868a34a1df
Opcode Fuzzy Hash: 9b46727056b07ef41840e8c1adc6e13348929dbb03ca55d6dcc9cab9cdcc0597
Instruction Fuzzy Hash: EA511574A08341CFD750CF59C480A6ABBF2BF98744F54895EE9858B361D375EC81CB82

Function 007426A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007426B4
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007426EA

Strings

|, xrefs: 007426BB

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 79f3f04e6be3d48ed6162e1d58a233786a1a09a7e335bf1d02495b8fe97c323e
Instruction ID: eebdec90b39c28caed55f23921683ac8a86058395e199c607a8e26602c0aa4db
Opcode Fuzzy Hash: 79f3f04e6be3d48ed6162e1d58a233786a1a09a7e335bf1d02495b8fe97c323e
Instruction Fuzzy Hash: D8311671C00119AFCF41AFA4CC85EEEBFB9FF08310F10006AF915A6266EB355A56DB64

Function 00756A95 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00756B49
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00756B85

Strings

static, xrefs: 00756AE5

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 627948bf97cda5fcff06d61433446e03a0393010f7f848d527bb519274466680
Instruction ID: 4288e38fe5b6992ce559ce2f62e3987ab97f49adda438303780a2a09b0e944ea
Opcode Fuzzy Hash: 627948bf97cda5fcff06d61433446e03a0393010f7f848d527bb519274466680
Instruction Fuzzy Hash: 96319C71100604AAEB109F64CC81AFB73B9FF48721F50961EFDA5D7190DBB8AC85CB64

Function 00732B9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00732C09
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00732C44

Strings

0, xrefs: 00732C02

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: bc21da971c2c7e3ff5938c7e76a519b9cea7c9d58d9183225d0c852475ebe10c
Instruction ID: 0709c197a7067963ed627993ff64c94e065e95da82f81b42b6d2665dfcbbcfe5
Opcode Fuzzy Hash: bc21da971c2c7e3ff5938c7e76a519b9cea7c9d58d9183225d0c852475ebe10c
Instruction Fuzzy Hash: 6A31F7316003099FFB358F48D885BAEBBB5EF05350F244019E985961A3E7789E42CB20

Function 00756706 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00756793
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0075679E

Strings

Combobox, xrefs: 00756760

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6cf144870cf535dca47d295b78945f6171a7e7d71b31794c2e9b1b2bdac04fc2
Instruction ID: 6dfda9481b41bec2598bcce9f3b168cfd63678781b65468666c493ee04ab3367
Opcode Fuzzy Hash: 6cf144870cf535dca47d295b78945f6171a7e7d71b31794c2e9b1b2bdac04fc2
Instruction Fuzzy Hash: 7A11C475700208BFEF21DF24CC80EFB376AEB98369F504529FD1497290E6B99C5587A0

Function 00756C39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 006D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 006D1D73
Part of subcall function 006D1D35: GetStockObject.GDI32(00000011), ref: 006D1D87
Part of subcall function 006D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 006D1D91

GetWindowRect.USER32(00000000,?), ref: 00756CA3
GetSysColor.USER32(00000012), ref: 00756CBD

Strings

static, xrefs: 00756C80

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f6b6fc0802259c02759e43b96defdad39bb3010a369e2352ae8d51b3eb4234df
Instruction ID: 41eff71d0f9015cf6a277be26ccc3dfff097c3b991c0c47d24012069268dbf86
Opcode Fuzzy Hash: f6b6fc0802259c02759e43b96defdad39bb3010a369e2352ae8d51b3eb4234df
Instruction Fuzzy Hash: 87212972510209AFDB04DFA8DC45AFA7BB8EB08315F004629FD55D3250E779F865DB60

Function 00756952 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007569D4
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007569E3

Strings

edit, xrefs: 007569B8

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: a36a8ecb929233d988a42163195ecc8bf02337ce8729c746bb7ba4e6f3139d13
Instruction ID: 2baca566407f9996b3343b0b0f2a7c1908add73b0483d621a6dfab2b3577b43f
Opcode Fuzzy Hash: a36a8ecb929233d988a42163195ecc8bf02337ce8729c746bb7ba4e6f3139d13
Instruction Fuzzy Hash: 83116D71500204ABEB114E64DC44AFB3769EB05366F908728FEA4971D0C7B9EC559760

Function 00732CA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00732D1A
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00732D39

Strings

0, xrefs: 00732D10

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f63ad655a94dd043af67ec287a9a701007ff6a65a6ba61fc25c2bca6638de5d9
Instruction ID: ef19fd3b8a196c4b5cd083a418e5cf897f87d428403f6db492868506d1d6599e
Opcode Fuzzy Hash: f63ad655a94dd043af67ec287a9a701007ff6a65a6ba61fc25c2bca6638de5d9
Instruction Fuzzy Hash: FF110831E11134ABEB21DF58DC84B9D77B9AB05300F144166EC15AB2B3DB38AE07C795

Function 007422EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00742342
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0074236B

Strings

<local>, xrefs: 00742333

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: da7e7751fbc466da6a198cc52e863f8283121d4660a24e241c1a7a3b7c5bb567
Instruction ID: 7a6b5c522415f6fef16dd574ae093799989021d054b5c9be792b7c3b9194410b
Opcode Fuzzy Hash: da7e7751fbc466da6a198cc52e863f8283121d4660a24e241c1a7a3b7c5bb567
Instruction Fuzzy Hash: A311AC70541625FADB248F528C89EFBFBB8EF06751F90826AF94556001D3BC69A2C6F0

Function 006E0A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,006D3C26,007952F8,?,?,?), ref: 006E0ACE

Part of subcall function 006D7D2C: _memmove.LIBCMT ref: 006D7D66

_wcscat.LIBCMT ref: 00715010

Strings

Sy, xrefs: 006E0B0E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: Sy
API String ID: 257928180-1551782803
Opcode ID: f19c988e30caa83d1d8988c859e3b98fb712920526c5c7a095fa1bf05d8bdc38
Instruction ID: 6df3552d1b25c6980099748db4353a71b75561109c34b11f094c66aead5f014f
Opcode Fuzzy Hash: f19c988e30caa83d1d8988c859e3b98fb712920526c5c7a095fa1bf05d8bdc38
Instruction Fuzzy Hash: 2211A5309053189BCB51EBB4DC01AD973FAFF08344B0045AAF948D7291EAB49BC48B59

Function 007290C7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7F41: _memmove.LIBCMT ref: 006D7F82

Part of subcall function 0072AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0072AEC7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00729135

Strings

ComboBox, xrefs: 007290D4
ListBox, xrefs: 007290FF

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9023511ad6b07a343db064b37e6c93e0b6b93351c4d32291838b35e5e9549fd7
Instruction ID: a6e3f125683a1c5b0a42c2cfb361e6d2653d91db8c5a53c91c3b3d14afdfefd6
Opcode Fuzzy Hash: 9023511ad6b07a343db064b37e6c93e0b6b93351c4d32291838b35e5e9549fd7
Instruction Fuzzy Hash: 43012871A45229ABCB04FB64CC96CFE7369EF0A320B18061EF832573C2EE395808D750

Function 00738E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00738E55
__fread_nolock.LIBCMT ref: 00738E6A

Strings

EA06, xrefs: 00738E9C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 3a065ac0b88f9c645112020d7e70d195cd4484743acd50ad9105a0e6e75ee39f
Instruction ID: 15d53d90d2fbdd5c1d6a771c96eb2f00302d80a4428cc3c8a212c5dfb23609cf
Opcode Fuzzy Hash: 3a065ac0b88f9c645112020d7e70d195cd4484743acd50ad9105a0e6e75ee39f
Instruction Fuzzy Hash: C401F9718442186EDB68D6A8CC16EFE7BF89B01301F00459EF652D2181E9B8EA048760

Function 00728FBF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7F41: _memmove.LIBCMT ref: 006D7F82

Part of subcall function 0072AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0072AEC7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0072902D

Strings

ComboBox, xrefs: 00728FCC
ListBox, xrefs: 00728FF7

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: cf8fbfdf83476c4b2d6e8f1a553fd1ea928eddb66d759805f40468cbcdcc32ee
Instruction ID: 59a53b29b583cc9c5ed95cab5a12edea728cc752cf28d0cb0c71291cf33908c4
Opcode Fuzzy Hash: cf8fbfdf83476c4b2d6e8f1a553fd1ea928eddb66d759805f40468cbcdcc32ee
Instruction Fuzzy Hash: 1601FC71E41219A7CB14E764DD96EFF73A9DF05300F14001AB90263281DE295E08D275

Function 00729044 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7F41: _memmove.LIBCMT ref: 006D7F82

Part of subcall function 0072AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0072AEC7

SendMessageW.USER32(?,00000182,?,00000000), ref: 007290B0

Strings

ComboBox, xrefs: 00729051
ListBox, xrefs: 0072907C

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9b8ee9346b42b855afc2e6cb2a4f284ace60a0e8c215ec3af50ac26052a27db7
Instruction ID: 7d01a34795ee7da97106c185c431d2653ec9bbec3e4abe6640e76f124039deed
Opcode Fuzzy Hash: 9b8ee9346b42b855afc2e6cb2a4f284ace60a0e8c215ec3af50ac26052a27db7
Instruction Fuzzy Hash: 4001DB71E45229B7DB14F764DD96EFF73AD9F15300F28001AB90263382DA2D9E0992B6

Function 0072C7AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0072C7F6

Part of subcall function 0072CB06: _memmove.LIBCMT ref: 0072CB50
Part of subcall function 0072CB06: VariantInit.OLEAUT32(00000000), ref: 0072CB72
Part of subcall function 0072CB06: VariantCopy.OLEAUT32(00000000,?), ref: 0072CB7C

VariantClear.OLEAUT32(?), ref: 0072C818

Strings

d}x, xrefs: 0072C7D9

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}x
API String ID: 2932060187-1959806043
Opcode ID: e63cd875478b3b3737ffad7dca92b2b472bcd9e0d4e4b6574cc6317387ad56fa
Instruction ID: 1e705c9ddde7d51750b5a72c7ab330a9726a44a418b788dbd3adfbdf02a7e82a
Opcode Fuzzy Hash: e63cd875478b3b3737ffad7dca92b2b472bcd9e0d4e4b6574cc6317387ad56fa
Instruction Fuzzy Hash: 2B1130719007189FC720EFA6D88489AF7F8FF18310B50852FE54AC7611E774A944CBA4

Function 00734FCF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00734FED
_wcscmp.LIBCMT ref: 00734FFF

Strings

#32770, xrefs: 00734FF9

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: fd3d87bf018510829ecf0adfffc1007a6c7a11bef784047e370d986e13eca150
Instruction ID: 157d0d18b55ff14e0ed2638b4797c30ab3701155153f0c9a77a48a720a8de4e0
Opcode Fuzzy Hash: fd3d87bf018510829ecf0adfffc1007a6c7a11bef784047e370d986e13eca150
Instruction Fuzzy Hash: 9CE06872A0032D2BE720EBA9EC09FA7F7ACEB05771F01002BFD00D3151E9A49A1187E5

Function 0070B441 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0070B494: _memset.LIBCMT ref: 0070B4A1

Part of subcall function 006F0AC0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0070B470,?,?,?,006D100A), ref: 006F0AC5

IsDebuggerPresent.KERNEL32(?,?,?,006D100A), ref: 0070B474
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006D100A), ref: 0070B483

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0070B47E

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 85604f11870840b0917d432ad431b913261fb078966fdaccdc5647736ce87f0b
Instruction ID: bf39b857cf97fd9f971e948a97b91a97d3eb8f052f648cbd56a2e87bb2d10e11
Opcode Fuzzy Hash: 85604f11870840b0917d432ad431b913261fb078966fdaccdc5647736ce87f0b
Instruction Fuzzy Hash: 99E06DB0600B50CBE7209F34D8087467BE0AB00344F01CA6DE456C3782E7FCD645CBA1

Function 007559CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007559D7
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007559EA

Part of subcall function 007352EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00735363

Strings

Shell_TrayWnd, xrefs: 007559D0

Memory Dump Source

Source File: 00000000.00000002.1448286925.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1448273880.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.000000000075F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448334141.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448366936.000000000078E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1448381229.0000000000797000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_z1PURCHASEORDER.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9fe5212121537ae55604f2975cebb1baaa87ac0d8b2af1452b58596f006201f6
Instruction ID: 3dea27a00af6ee242c9a0c17b0f8b2d3c93591f686c26e27c22a50a5501f5524
Opcode Fuzzy Hash: 9fe5212121537ae55604f2975cebb1baaa87ac0d8b2af1452b58596f006201f6
Instruction Fuzzy Hash: 99D0C9753C4311B7E6A4BB709C0FFD76A14BB00B51F004869F355AB1D1D9E8A8108658

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z1PURCHASEORDER.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut2D22.tmp

C:\Users\user\AppData\Local\Temp\nonplacental

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
z1PURCHASEORDER.exe

Function 006D3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 006D4FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 006D4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 007391FE Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 006D3019 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 006D3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 006D71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 006D3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 006D3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 006D3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 006DF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 0138B628 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 006D39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0138B3E8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Function 006D410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON