Edit tour

Windows Analysis Report
Purchase Confirmation 003-23 170204.exe

Overview

General Information

Sample name:	Purchase Confirmation 003-23 170204.exe
Analysis ID:	1432028
MD5:	baf61e5dbe33cf47ad6ddc4076a07af9
SHA1:	1fc141512c6a2a4715fd533d0adc1d8ce3c7842f
SHA256:	ea9deb59fc6309ddda6806eb4f7ce780eb54f1b0b7eca72b366bc8f110c5222a
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Purchase Confirmation 003-23 170204.exe (PID: 868 cmdline: "C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe" MD5: BAF61E5DBE33CF47AD6DDC4076A07AF9)

RegSvcs.exe (PID: 5276 cmdline: "C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.bezelety.top", "Username": "office11@bezelety.top", "Password": "KV?y1$dqdUzV                    "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2506684443.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2506684443.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2509111644.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1286015462.0000000002210000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1286015462.0000000002210000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1286015462.0000000002210000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33535:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x335a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33631:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3372d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3379f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33835:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338c5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000008.00000002.2509111644.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2509111644.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Purchase Confirmation 003-23 170204.exe PID: 868	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Confirmation 003-23 170204.exe PID: 868	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5276	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x317a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x318c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3192d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3199f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33535:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x335a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33631:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3372d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3379f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33835:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338c5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33535:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x335a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33631:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3372d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3379f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33835:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338c5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 194.36.191.196, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 5276, Protocol: tcp, SourceIp: 192.168.2.11, SourceIsIpv6: false, SourcePort: 49703

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://bezelety.top	Avira URL Cloud: Label: phishing
Source: http://mail.bezelety.top	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.bezelety.top", "Username": "office11@bezelety.top", "Password": "KV?y1$dqdUzV "}

Multi AV Scanner detection for domain / URL

Source: bezelety.top	Virustotal: Detection: 13%	Perma Link
Source: mail.bezelety.top	Virustotal: Detection: 11%	Perma Link
Source: http://mail.bezelety.top	Virustotal: Detection: 11%	Perma Link
Source: http://bezelety.top	Virustotal: Detection: 13%	Perma Link

Multi AV Scanner detection for submitted file

Source: Purchase Confirmation 003-23 170204.exe	Virustotal: Detection: 46%			Perma Link
Source: Purchase Confirmation 003-23 170204.exe	ReversingLabs: Detection: 57%

Machine Learning detection for sample

Source: Purchase Confirmation 003-23 170204.exe

Joe Sandbox ML: detected

Source: Purchase Confirmation 003-23 170204.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: Purchase Confirmation 003-23 170204.exe, 00000000.00000003.1277205849.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, Purchase Confirmation 003-23 170204.exe, 00000000.00000003.1279660815.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Purchase Confirmation 003-23 170204.exe, 00000000.00000003.1277205849.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, Purchase Confirmation 003-23 170204.exe, 00000000.00000003.1279660815.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AA4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00AA4696
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AAC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00AAC9C7
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AAC93C FindFirstFileW,FindClose,	0_2_00AAC93C
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AAF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AAF200
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AAF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AAF35D
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AAF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00AAF65E
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AA3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00AA3A2B
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AA3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00AA3D4E
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00AABF27

Source: global traffic

TCP traffic: 192.168.2.11:49703 -> 194.36.191.196:587

Source: Joe Sandbox View

IP Address: 194.36.191.196 194.36.191.196

Source: global traffic

TCP traffic: 192.168.2.11:49703 -> 194.36.191.196:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00AB25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00AB25E2

Source: global traffic

DNS traffic detected: DNS query: mail.bezelety.top

Source: RegSvcs.exe, 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bezelety.top
Source: RegSvcs.exe, 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.bezelety.top
Source: RegSvcs.exe, 00000008.00000002.2507151222.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2510640456.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2507483866.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: RegSvcs.exe, 00000008.00000002.2507151222.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2510640456.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2507483866.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: RegSvcs.exe, 00000008.00000002.2510640456.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2507483866.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000008.00000002.2510640456.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2507483866.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Purchase Confirmation 003-23 170204.exe, 00000000.00000002.1286015462.0000000002210000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2506684443.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack, J4qms1IPBw.cs

.Net Code: oow

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00AB425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00AB425A

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00AB4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00AB4458

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

0_2_00AB425A

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00AA0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00AA0219

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00ACCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00ACCDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1286015462.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00A43B4C
Source: Purchase Confirmation 003-23 170204.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Purchase Confirmation 003-23 170204.exe, 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9c0fee7f-f
Source: Purchase Confirmation 003-23 170204.exe, 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b06f2ab6-9
Source: Purchase Confirmation 003-23 170204.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_06a9a7ce-c
Source: Purchase Confirmation 003-23 170204.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ff9aa24a-6

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Confirmation 003-23 170204.exe

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00AA40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00AA40B1

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A98858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00A98858

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00AA545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00AA545F

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A4E800	0_2_00A4E800
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A6DBB5	0_2_00A6DBB5
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A4E060	0_2_00A4E060
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AC804A	0_2_00AC804A
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A54140	0_2_00A54140
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A62405	0_2_00A62405
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A76522	0_2_00A76522
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AC0665	0_2_00AC0665
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A7267E	0_2_00A7267E
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A6283A	0_2_00A6283A
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A56843	0_2_00A56843
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A789DF	0_2_00A789DF
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A76A94	0_2_00A76A94
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AC0AE2	0_2_00AC0AE2
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A58A0E	0_2_00A58A0E
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A9EB07	0_2_00A9EB07
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AA8B13	0_2_00AA8B13
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A6CD61	0_2_00A6CD61
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A77006	0_2_00A77006
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A53190	0_2_00A53190
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A5710E	0_2_00A5710E
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A41287	0_2_00A41287
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A633C7	0_2_00A633C7
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A6F419	0_2_00A6F419
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A616C4	0_2_00A616C4
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A558C0	0_2_00A558C0
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A678D3	0_2_00A678D3
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A61BB8	0_2_00A61BB8
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A79D05	0_2_00A79D05
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A4FE40	0_2_00A4FE40
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A6BFE6	0_2_00A6BFE6
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A61FD0	0_2_00A61FD0
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_014E3660	0_2_014E3660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F9B20	8_2_010F9B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F4A98	8_2_010F4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F3E80	8_2_010F3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010FCE98	8_2_010FCE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_010F41C8	8_2_010F41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_060956F0	8_2_060956F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06093F58	8_2_06093F58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0609DD08	8_2_0609DD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0609BD00	8_2_0609BD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06099AE0	8_2_06099AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06092AF8	8_2_06092AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06098B9B	8_2_06098B9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06090040	8_2_06090040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06093243	8_2_06093243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_06095010	8_2_06095010

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: String function: 00A47F41 appears 35 times
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: String function: 00A60D27 appears 70 times
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: String function: 00A68B40 appears 42 times

Source: Purchase Confirmation 003-23 170204.exe, 00000000.00000003.1277205849.000000000402D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Confirmation 003-23 170204.exe
Source: Purchase Confirmation 003-23 170204.exe, 00000000.00000003.1279197630.0000000003EC3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Confirmation 003-23 170204.exe
Source: Purchase Confirmation 003-23 170204.exe, 00000000.00000002.1286015462.0000000002210000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename11704d33-910b-47d2-b12e-00e94b40b59a.exe4 vs Purchase Confirmation 003-23 170204.exe

Source: Purchase Confirmation 003-23 170204.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1286015462.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack, Lds5plxAPDj.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack, LZYJybC.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack, wDxPSW1p.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack, E0w8WLnyggK.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack, ZBSJHga2buE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack, M4oIYVa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack, kSS2HMsB8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack, kSS2HMsB8.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00AAA2D5 GetLastError,FormatMessageW,

0_2_00AAA2D5

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A98713 AdjustTokenPrivileges,CloseHandle,		0_2_00A98713
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A98CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00A98CC3

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00AAB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00AAB59E

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00ABF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00ABF121

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00AB86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00AB86D0

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A44FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A44FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

File created: C:\Users\user\AppData\Local\Temp\autF49E.tmp

Jump to behavior

Source: Purchase Confirmation 003-23 170204.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Purchase Confirmation 003-23 170204.exe	Virustotal: Detection: 46%
Source: Purchase Confirmation 003-23 170204.exe	ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe "C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe"
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe"
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Purchase Confirmation 003-23 170204.exe

Static file information: File size 1116160 > 1048576

Source: Purchase Confirmation 003-23 170204.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Purchase Confirmation 003-23 170204.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Purchase Confirmation 003-23 170204.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Purchase Confirmation 003-23 170204.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Purchase Confirmation 003-23 170204.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Purchase Confirmation 003-23 170204.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Purchase Confirmation 003-23 170204.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Purchase Confirmation 003-23 170204.exe, 00000000.00000003.1277205849.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, Purchase Confirmation 003-23 170204.exe, 00000000.00000003.1279660815.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Purchase Confirmation 003-23 170204.exe, 00000000.00000003.1277205849.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, Purchase Confirmation 003-23 170204.exe, 00000000.00000003.1279660815.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp

Source: Purchase Confirmation 003-23 170204.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Purchase Confirmation 003-23 170204.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Purchase Confirmation 003-23 170204.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Purchase Confirmation 003-23 170204.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Purchase Confirmation 003-23 170204.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00ABC304 LoadLibraryA,GetProcAddress,

0_2_00ABC304

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A68B85 push ecx; ret

0_2_00A68B98

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	File created: \purchase confirmation 003-23 170204.exe
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	File created: \purchase confirmation 003-23 170204.exe			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A44A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00A44A35
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AC55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00AC55FD

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A633C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00A633C7

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6886			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 984			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-100444

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

API coverage: 4.6 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AA4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00AA4696
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AAC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00AAC9C7
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AAC93C FindFirstFileW,FindClose,	0_2_00AAC93C
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AAF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AAF200
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AAF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AAF35D
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AAF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00AAF65E
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AA3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00AA3A2B
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AA3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00AA3D4E
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00AABF27

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A44AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A44AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98779	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000008.00000002.2510640456.0000000005E30000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	API call chain: ExitProcess graph end node			graph_0-98764
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	API call chain: ExitProcess graph end node			graph_0-98836

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00AB41FD BlockInput,

0_2_00AB41FD

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A43B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A43B4C

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A75CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00A75CCC

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00ABC304 LoadLibraryA,GetProcAddress,

0_2_00ABC304

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_014E3550 mov eax, dword ptr fs:[00000030h]	0_2_014E3550
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_014E34F0 mov eax, dword ptr fs:[00000030h]	0_2_014E34F0
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_014E1ED0 mov eax, dword ptr fs:[00000030h]	0_2_014E1ED0

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A981F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00A981F7

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A6A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00A6A395
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00A6A364 SetUnhandledExceptionFilter,		0_2_00A6A364

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BE2008

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A98C93 LogonUserW,

0_2_00A98C93

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A43B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A43B4C

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A44A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00A44A35

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00AA4EF5 mouse_event,

0_2_00AA4EF5

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

0_2_00A981F7

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00AA4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00AA4C03

Source: Purchase Confirmation 003-23 170204.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Purchase Confirmation 003-23 170204.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A6886B cpuid

0_2_00A6886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A750D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00A750D7

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A82230 GetUserNameW,

0_2_00A82230

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A7418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00A7418A

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe

Code function: 0_2_00A44AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A44AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2506684443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2509111644.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1286015462.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2509111644.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Confirmation 003-23 170204.exe PID: 868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5276, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Purchase Confirmation 003-23 170204.exe	Binary or memory string: WIN_81
Source: Purchase Confirmation 003-23 170204.exe	Binary or memory string: WIN_XP
Source: Purchase Confirmation 003-23 170204.exe	Binary or memory string: WIN_XPe
Source: Purchase Confirmation 003-23 170204.exe	Binary or memory string: WIN_VISTA
Source: Purchase Confirmation 003-23 170204.exe	Binary or memory string: WIN_7
Source: Purchase Confirmation 003-23 170204.exe	Binary or memory string: WIN_8
Source: Purchase Confirmation 003-23 170204.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2506684443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1286015462.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2509111644.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Confirmation 003-23 170204.exe PID: 868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5276, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Confirmation 003-23 170204.exe.2210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2506684443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2509111644.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1286015462.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2509111644.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Confirmation 003-23 170204.exe PID: 868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5276, type: MEMORYSTR

Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AB6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00AB6596
Source: C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe	Code function: 0_2_00AB6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00AB6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	121 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Virtualization/Sandbox Evasion	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Purchase Confirmation 003-23 170204.exe	46%	Virustotal		Browse
Purchase Confirmation 003-23 170204.exe	58%	ReversingLabs	Win32.Worm.DorkBot
Purchase Confirmation 003-23 170204.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
bezelety.top	14%	Virustotal		Browse
mail.bezelety.top	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://bezelety.top	100%	Avira URL Cloud	phishing
http://mail.bezelety.top	100%	Avira URL Cloud	phishing
http://mail.bezelety.top	12%	Virustotal		Browse
http://bezelety.top	14%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bezelety.top	194.36.191.196	true	false	14%, Virustotal, Browse	unknown
mail.bezelety.top	unknown	unknown	true	12%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.o.lencr.org0	RegSvcs.exe, 00000008.00000002.2507151222.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2510640456.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2507483866.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	Purchase Confirmation 003-23 170204.exe, 00000000.00000002.1286015462.0000000002210000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2506684443.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
http://mail.bezelety.top	RegSvcs.exe, 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://x1.c.lencr.org/0	RegSvcs.exe, 00000008.00000002.2510640456.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2507483866.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	RegSvcs.exe, 00000008.00000002.2510640456.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2507483866.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://bezelety.top	RegSvcs.exe, 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	false	14%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://r3.i.lencr.org/0	RegSvcs.exe, 00000008.00000002.2507151222.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2510640456.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2507483866.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.36.191.196	bezelety.top	Netherlands		60117	HSAE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432028
Start date and time:	2024-04-26 10:06:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Purchase Confirmation 003-23 170204.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 265
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:07:07	API Interceptor	39x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.36.191.196	http://store.avast.com/store?SiteID=avast&Action=DisplayRedirectCustomPage&Locale=en_US&v=1&t=event&tid=UA-58120669-65&cid=725399894.1568213989&ec=Emailing_Digital%20River&aip=1&cm10=1&ds=Avast&ul=en_US&cs=Digital%20River&cm=email&cd2=Paid&cd3=725399894.1568213989&cd4=Business&cd5=BMG-00-001-36-AR&cd7=13306019910&cd6=22895593139&cd8=0&cd9=4871168000&cd10=USD&cd11=44&cd12=1659005853297&ea=Click&el=http://0gjysc.wildlifewalkabout.com/am9lbC5uYXNzaWZAYXJuLmFl	Get hash	malicious	Unknown	Browse	0gjysc.wildlifewalkabout.com/am9lbC5uYXNzaWZAYXJuLmFl
	#U6025-146102220896 BSIU2505935-Remitance Advise.xlsx	Get hash	malicious	FormBook	Browse	www.firstflightmdelivery.services/inug/?LJBd06wP=my5vzthd/gf6h+YfXGHF51EmCUBukXLQvdzfbkPp7mscRjHMsb7qcEfg2/kZIm7kG7WZ0g==&-ZcxnF=8p74g4BxA
	jun.exe	Get hash	malicious	AZORult	Browse	squerad.com/cgi-sys/suspendedpage.cgi
	Player offer.exe	Get hash	malicious	AZORult	Browse	squerad.com/frank/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bezelety.top	Order Enquiry MX-M754N_20240207_114441.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	z1RFQ20838_CMC_RITM50736681.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	PI-23-24-041 AEH-CIPL 6-202424-014 .exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	vIgBIsAluf.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	PO MIU100011010 SKM0020240311.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	BOQ- AE20003 SWMT00946 20240403 Ref 00985398 for project.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HSAE	RFQ-HL51L05.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	RFQ-HL51L05.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	RFQ-HL51L05.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	Order Enquiry MX-M754N_20240207_114441.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	PDT_7367027738832_789257820__________________________.exe	Get hash	malicious	AgentTesla	Browse	185.244.151.84
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.1274.17126.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	Arba Outstanding Statement.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	185.244.151.84
	WZM.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	185.244.151.84
	z1RFQ20838_CMC_RITM50736681.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	https://doggygangers.com/YfMv2QsjpCQl845BWSYNfNOQitweyze_Z6lIlrRr43MRjX_HrM/downloadsdownloadfile/dwnl_standart.php	Get hash	malicious	LummaC, PureLog Stealer, RedLine, SectopRAT, zgRAT	Browse	194.36.191.196

Process:	C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe
File Type:	data
Category:	dropped
Size (bytes):	155330
Entropy (8bit):	7.919843163113897
Encrypted:	false
SSDEEP:	3072:ObfBnDfJyZV3ef+QSkflAtjtstHYw0nUbkhA6LFy0ytxMC//u4ld:45Dfgzuf5SEytJwUUbQA6gFtxU4ld
MD5:	42A65DDD6A823BC0553FE1545228CE90
SHA1:	436BDA1C8660ADFC0C86B5A4550CB09004F560D6
SHA-256:	623EFDF259FEBBBBA6601B51FB5018FD19AC082CF6C711C7920AAE7FF8A5A832
SHA-512:	F59FE31B47C671D1704547A218EAF44860CDE4BEFF30EAD589FA41194F38893D020144C24F2A0CD968DB6DA833009FA00453CD5EDEE00D196A253FDF35EBE231
Malicious:	false
Reputation:	low
Preview:	EA06.....Z4.j\.P.V...~..K....Z..S.Pk3)...4P....V.K...f..5....^.~..=..c.....6.^..(r9..Q9.\&..-~y<..W9.._y..b...../..'...2...N.Z.Y.^.......4kQE.M..m....M....,K.T\...h}...Dfe7..A..j..i.`...sjD.......1..(.)8..I.M......hv...b....P.W.:.n..g].........P...n.F..@.;~..&tP......, ..Z....'z.S.Hn..%.V.h.NYP.B..4ej.._.b.P...5I..MB................\.-.9G..m.N4..R....0.%..2.4(sz.T......+...+.../....gW..7..[M..}...e....$Rm.N.u.dy.Lv.. ../.<.....MG.;C.......o2...-../..>...Z.P..........u..].....?h...1._;...Ue.xF..?.p.r.\|fe#.Kg..%^]R...u..`.q.h.y.>....bV...-..P.'....i0_.W[...h....t..H.4....^..%..D.....u.p..Un..E.........Bl.hpd.z.{..P..p....@....C...[y....a...%W.3.7.B.V....<....{S...x..&..e.Ul....m0.M.uz5f.d.G../-.A.L.5J......v.-.c\|..m=<.f.....4.4....y.G...vz.]......>....M..=uC...V`.....6.Le.y..k...Qh.....J.Si@..(...^.N..'5i..B.T.})Tn.1...).N.9.......T.V....4.4X...L~.F...y.0.......e....k...;......U+...w..mJ..(6....F...Sy.&g..o+t.=F....*t.}.n..G....m2..

C:\Users\user\AppData\Local\Temp\autF4DE.tmp

Download File

Process:	C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe
File Type:	data
Category:	dropped
Size (bytes):	9918
Entropy (8bit):	7.587192239652588
Encrypted:	false
SSDEEP:	192:C+cK50L02Jtyl2ftvwmziMVC6baopzBvq55Uz660tEXNzLrOOCyVqQE++:h750LRJtyl2ftLCghBmx60tEXBXOF02p
MD5:	5800D9A896F108DBA02CC41723C727FC
SHA1:	1F0C9B5EDE875FBB8709877A160BA447FAB5AD9A
SHA-256:	C70618D26D85F314E33C337654718668E79F1445D299F053A16F30D7232B7DA8
SHA-512:	FB4A3D12D0599F03318830ABBDEA4F7096EB71407303C434E48EA608B63149032D7B787CD9ABD9F6D67CE6E83418E297593E08E3EF55726F8687B5D19838DA64
Malicious:	false
Reputation:	low
Preview:	EA06..p0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\teer

Download File

Process:	C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe
File Type:	data
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	6.731324055784085
Encrypted:	false
SSDEEP:	6144:mNQBQ/Epsk70OsGtfjOTKZkwCb+G9wR/dG:mNj/kDYNGZjRmt9M/Q
MD5:	C56B08D91141CA7DDF2666F3911190BF
SHA1:	DC2D855BFE3EA7A2B24D830EC3A0520A2591A42C
SHA-256:	74751E0E13C3FAA1AC5F4B34A580AB9B8CB365C5643089FCE30075AE99C53BB6
SHA-512:	EDD4BC671CBA5770B783462F92250D94A7972183F4059EE1E85CC5F57292C1604DF3832BF40A19BB5D3600DAB0C9D317DB62EA0493D03C0301085A84CD9A09DE
Malicious:	false
Reputation:	low
Preview:	.h.6K3QPFZXY..AK.SHEB7SS.AY276H3QPBZXYPUAK1SHEB7SSFAY276H3QP.ZXY^J.E1.A.c.R..`.Z^EhC#?%(94p6 %_<<e Rs!3/y[Y..\|.p/5<<~XLA.SHEB7SS..Y2{7K3x.?XYPUAK1S.E@6XRMAY.46H;QPBZXY..BK1sHEB.PSFA.27.H3QRBZ\YPUAK1SLEB7SSFAY236H1QPBZXYRU..1SXEB'SSFAI27&H3QPBZHYPUAK1SHEB7..EA.276H.RP._XYPUAK1SHEB7SSFAY27.K3]PBZXYPUAK1SHEB7SSFAY276H3QPBZXYPUAK1SHEB7SSFAY276H3QpBZPYPUAK1SHEB7[sFA.276H3QPBZXY~!$3ESHE.PSFaY27.K3QRBZXYPUAK1SHEB7sSF!w@DD+3QP._XYP.BK1UHEB.PSFAY276H3QPBZ.YP.o9T?'&B7_SFAY.46H1QPB.[YPUAK1SHEB7SS.AYp76H3QPBZXYPUAK1S(.A7SSFA.276J3TP..ZY.d@K2SHEC7SUFAY276H3QPBZXYPUAK1SHEB7SSFAY276H3QPBZXYPUAK1SHE_........Kv93W.\|.>.V.."..<.x\.S."&...u\....w G.xS.Jr..O...C.;T)C....y+:"F-.@\|\'.D..j..p$..._>.;...6w.YUw.h....k...U,....?..+/.2#6-<.dW.R#9.X.XPUAK....../9.h.5G-eB:....uYI....-SFA=276:3QP#ZXY.UAK^SHE,7SS8AY2I6H3.PBZ.YPUvK1SmEB7>SFA}27663QP.'WV.."B..EB7SSs....[....m..c0.O.}..7...h2e.<9.5.....O..8..Ue8Ue..560L6SWFYTd^....rJAF2QTBBU.9}..q.\|.i..@...M./FAY276.3Q.BZX..U.K1S.E.7..FAY..6.3.P...Y

C:\Users\user\AppData\Local\Temp\wherefore

Download File

Process:	C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe
File Type:	ASCII text, with very long lines (28720), with no line terminators
Category:	dropped
Size (bytes):	28720
Entropy (8bit):	3.597683173837778
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNboE+I026c024vfF3if6g:wiTZ+2QoioGRk6ZklputwjpjBkCiw2Rb
MD5:	0ECDBC6BA5EEDE7F71CD803288AA896C
SHA1:	A383180B1268BC329EEC6A626C78BE27E0BAFEE2
SHA-256:	57CBA8E607187B38A7089FE75F1E929D6FC08A287DFFB7A7256F433B0429ED27
SHA-512:	7CB9C11C1679E32DB42C99F41ECCC35F73ED20B1204870109C4FC5C79202F81D33AB26DE7AD4592059F6AF5D23852B4138D0B57284001BEA5A80056D45220C35
Malicious:	false
Reputation:	low
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.961112371613167
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Purchase Confirmation 003-23 170204.exe
File size:	1'116'160 bytes
MD5:	baf61e5dbe33cf47ad6ddc4076a07af9
SHA1:	1fc141512c6a2a4715fd533d0adc1d8ce3c7842f
SHA256:	ea9deb59fc6309ddda6806eb4f7ce780eb54f1b0b7eca72b366bc8f110c5222a
SHA512:	2463f0c87870b5ddac391dcb88209cef983db246447fe1844c303d0d33c0eb1d3f70f9a7895b4fea00690862b268a36cfd69f19c18478d96c57afdf0fe11e59f
SSDEEP:	24576:+AHnh+eWsN3skA4RV1Hom2KXMmHa39eGsaq4QzOZIRE5:ph+ZkldoPK8Ya3QGa4Q+IY
TLSH:	11359C3263918336FFAB9D73DB5DB20D56BC6D250123852FD29C2F79A9F01B1122D262
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	1a5ada12a98c3689

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x662A0666 [Thu Apr 25 07:29:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FFAF8B6777Dh
jmp 00007FFAF8B5A534h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FFAF8B5A6BAh
cmp edi, eax
jc 00007FFAF8B5AA1Eh
bt dword ptr [004C41FCh], 01h
jnc 00007FFAF8B5A6B9h
rep movsb
jmp 00007FFAF8B5A9CCh
cmp ecx, 00000080h
jc 00007FFAF8B5A884h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FFAF8B5A6C0h
bt dword ptr [004BF324h], 01h
jc 00007FFAF8B5AB90h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FFAF8B5A85Dh
test edi, 00000003h
jne 00007FFAF8B5A86Eh
test esi, 00000003h
jne 00007FFAF8B5A84Dh
bt edi, 02h
jnc 00007FFAF8B5A6BFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FFAF8B5A6C3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FFAF8B5A715h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x460d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10f000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x460d8	0x46200	897af0fb84a8ddf60c071b0f93d8a60d	False	0.7472739806149733	data	7.302090029934919	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10f000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc8458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc8580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc86a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc87d0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	Great Britain	0.046891636105524666
RT_MENU	0xd8ff8	0x50	data	English	Great Britain	0.9
RT_STRING	0xd9048	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xd95dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xd9c68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xda0f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xda6f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdad50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdb1b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdb310	0x3287c	data			1.0003430415708405
RT_GROUP_ICON	0x10db8c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10dba0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10dbb4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x10dbc8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x10dbdc	0x10c	data	English	Great Britain	0.5932835820895522
RT_MANIFEST	0x10dce8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 10:07:09.011022091 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:09.250386953 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:09.250478983 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:09.617316961 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:09.657109976 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:09.905616045 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:09.905795097 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:10.151628971 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:10.159318924 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:10.440906048 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:10.464503050 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:10.464523077 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:10.464541912 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:10.464581966 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:10.503381014 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:10.747061014 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:10.747267962 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:10.762582064 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:11.002007008 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:11.003112078 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:11.254133940 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:11.255067110 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:11.528578043 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:11.532766104 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:11.784782887 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:11.786983013 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:12.036183119 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:12.036602020 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:12.276004076 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:12.276690960 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:12.276772022 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:12.276798010 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:12.276828051 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:07:12.553673983 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:12.553703070 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:12.553718090 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:12.553734064 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:12.609863043 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:07:12.662631989 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:08:49.287990093 CEST	49703	587	192.168.2.11	194.36.191.196
Apr 26, 2024 10:08:49.530075073 CEST	587	49703	194.36.191.196	192.168.2.11
Apr 26, 2024 10:08:49.534236908 CEST	49703	587	192.168.2.11	194.36.191.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 10:07:08.392683029 CEST	65313	53	192.168.2.11	1.1.1.1
Apr 26, 2024 10:07:09.003490925 CEST	53	65313	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 10:07:08.392683029 CEST	192.168.2.11	1.1.1.1	0x27c6	Standard query (0)	mail.bezelety.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 10:07:09.003490925 CEST	1.1.1.1	192.168.2.11	0x27c6	No error (0)	mail.bezelety.top	bezelety.top		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 10:07:09.003490925 CEST	1.1.1.1	192.168.2.11	0x27c6	No error (0)	bezelety.top		194.36.191.196	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 26, 2024 10:07:09.617316961 CEST	587	49703	194.36.191.196	192.168.2.11	220-hosting1.nl.hostsailor.com ESMTP Exim 4.96.2 #2 Fri, 26 Apr 2024 10:07:09 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 26, 2024 10:07:09.657109976 CEST	49703	587	192.168.2.11	194.36.191.196	EHLO 374653
Apr 26, 2024 10:07:09.905616045 CEST	587	49703	194.36.191.196	192.168.2.11	250-hosting1.nl.hostsailor.com Hello 374653 [102.129.152.220] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Apr 26, 2024 10:07:09.905795097 CEST	49703	587	192.168.2.11	194.36.191.196	STARTTLS
Apr 26, 2024 10:07:10.151628971 CEST	587	49703	194.36.191.196	192.168.2.11	220 TLS go ahead

Target ID:	0
Start time:	10:07:05
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe"
Imagebase:	0xa40000
File size:	1'116'160 bytes
MD5 hash:	BAF61E5DBE33CF47AD6DDC4076A07AF9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1286015462.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1286015462.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1286015462.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:07:06
Start date:	26/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Purchase Confirmation 003-23 170204.exe"
Imagebase:	0x890000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2506684443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2506684443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2509111644.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2509111644.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2509111644.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2509111644.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	54

Executed Functions

Function 00A43B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A43B7A
IsDebuggerPresent.KERNEL32 ref: 00A43B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00B062F8,00B062E0,?,?), ref: 00A43BFD

Part of subcall function 00A47D2C: _memmove.LIBCMT ref: 00A47D66

Part of subcall function 00A50A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A43C26,00B062F8,?,?,?), ref: 00A50ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00A43C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00AF93F0,00000010), ref: 00A7D4BC
SetCurrentDirectoryW.KERNEL32(?,00B062F8,?,?,?), ref: 00A7D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00AF5D40,00B062F8,?,?,?), ref: 00A7D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00A7D581

Part of subcall function 00A43A58: GetSysColorBrush.USER32(0000000F), ref: 00A43A62
Part of subcall function 00A43A58: LoadCursorW.USER32(00000000,00007F00), ref: 00A43A71
Part of subcall function 00A43A58: LoadIconW.USER32(00000063), ref: 00A43A88
Part of subcall function 00A43A58: LoadIconW.USER32(000000A4), ref: 00A43A9A
Part of subcall function 00A43A58: LoadIconW.USER32(000000A2), ref: 00A43AAC
Part of subcall function 00A43A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A43AD2
Part of subcall function 00A43A58: RegisterClassExW.USER32(?), ref: 00A43B28

Part of subcall function 00A439E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A43A15
Part of subcall function 00A439E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A43A36
Part of subcall function 00A439E7: ShowWindow.USER32(00000000,?,?), ref: 00A43A4A
Part of subcall function 00A439E7: ShowWindow.USER32(00000000,?,?), ref: 00A43A53

Part of subcall function 00A443DB: _memset.LIBCMT ref: 00A44401
Part of subcall function 00A443DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A444A6

Strings

runas, xrefs: 00A7D575
This is a third-party compiled AutoIt script., xrefs: 00A7D4B4

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 7bf90a9ceed066c513dd2e1416ee6d716a42bd204a71fce27752f5ca8e565f08
Instruction ID: eac2f59377b36c893ce3d978b6d121cfc5ffa0a7ca4d3739ae54990a90079ca0
Opcode Fuzzy Hash: 7bf90a9ceed066c513dd2e1416ee6d716a42bd204a71fce27752f5ca8e565f08
Instruction Fuzzy Hash: DC51F439D04289AECF11EBB4DD45EFE7BB5AF94300B0081B5F455671A1DF705A1ACB21

Uniqueness

Uniqueness Score: -1.00%

Function 00A44AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A44B2B

Part of subcall function 00A47D2C: _memmove.LIBCMT ref: 00A47D66

GetCurrentProcess.KERNEL32(?,00ACFAEC,00000000,00000000,?), ref: 00A44BF8
IsWow64Process.KERNEL32(00000000), ref: 00A44BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00A44C45
FreeLibrary.KERNEL32(00000000), ref: 00A44C50
GetSystemInfo.KERNEL32(00000000), ref: 00A44C81
GetSystemInfo.KERNEL32(00000000), ref: 00A44C8D

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 7662832f712736244ea9dcffac15b324f5baa349b36dd12e3cb716843863420b
Instruction ID: d5e7a6968c1ba9425907683a4ae29453df805f4226d504bd0cb6e3a1cf324925
Opcode Fuzzy Hash: 7662832f712736244ea9dcffac15b324f5baa349b36dd12e3cb716843863420b
Instruction Fuzzy Hash: EF91C53554A7C0DEC731DB7889916AAFFF5AF69301B488E9DD0CB93B01D220E948C719

Uniqueness

Uniqueness Score: -1.00%

Function 00A44FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A44EEE,?,?,00000000,00000000), ref: 00A44FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A44EEE,?,?,00000000,00000000), ref: 00A45010
LoadResource.KERNEL32(?,00000000,?,?,00A44EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A44F8F), ref: 00A7DD60
SizeofResource.KERNEL32(?,00000000,?,?,00A44EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A44F8F), ref: 00A7DD75
LockResource.KERNEL32(00A44EEE,?,?,00A44EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A44F8F,00000000), ref: 00A7DD88

Strings

SCRIPT, xrefs: 00A45006

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: bd5fbf5762099100db721c9f74983e9487bef3ae2d9808367afacc39908fc23e
Instruction ID: f678f864ea9ebf35daafa01e37b4af43740768fcc342f941ecd212290b2936c9
Opcode Fuzzy Hash: bd5fbf5762099100db721c9f74983e9487bef3ae2d9808367afacc39908fc23e
Instruction Fuzzy Hash: 2E117C79640700BFE7218BA9DC58F677BBEEBC9B51F21856CF406C6260DB71EC018660

Uniqueness

Uniqueness Score: -1.00%

Function 00AA4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00A7E7C1), ref: 00AA46A6
FindFirstFileW.KERNELBASE(?,?), ref: 00AA46B7
FindClose.KERNEL32(00000000), ref: 00AA46C7

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 749517414b65507b883173a15d6fa1f245e67197464a26bdd38f20888404fdd7
Instruction ID: 76ee07a876b5590298551cb40e549c0c6782f249f7a6aac4b91a97e269ab47e7
Opcode Fuzzy Hash: 749517414b65507b883173a15d6fa1f245e67197464a26bdd38f20888404fdd7
Instruction Fuzzy Hash: 01E0DF328148006F8210A778EC4D8EA779D9E8B335F100726F835C21E0EBF09960869A

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00A8428C

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 9fe3be0ecd59829975f224fb83e0afe7acdc94514b02305c4a1a1b0be1f39fe3
Instruction ID: 21dbb3265eb93c496ab9515ef24506922bf830aef1612741d17c491bef3e60b0
Opcode Fuzzy Hash: 9fe3be0ecd59829975f224fb83e0afe7acdc94514b02305c4a1a1b0be1f39fe3
Instruction Fuzzy Hash: 7CA29C79E04206CFCB24DF98C580AAEB7B1FF99300F248169E916AB351D775ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A50B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A50BBB
timeGetTime.WINMM ref: 00A50E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A50FB3
TranslateMessage.USER32(?), ref: 00A50FC7
DispatchMessageW.USER32(?), ref: 00A50FD5
Sleep.KERNEL32(0000000A), ref: 00A50FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00A5105A
DestroyWindow.USER32 ref: 00A51066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A51080
Sleep.KERNEL32(0000000A,?,?), ref: 00A852AD
TranslateMessage.USER32(?), ref: 00A8608A
DispatchMessageW.USER32(?), ref: 00A86098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A860AC

Strings

@COM_EVENTOBJ, xrefs: 00A8591A
@TRAY_ID, xrefs: 00A85BB9
@GUI_WINHANDLE, xrefs: 00A853B9
@GUI_CTRLHANDLE, xrefs: 00A8540E
@GUI_CTRLID, xrefs: 00A85364

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 6820f4e3e1fdcdbd4d99d20897bed240d8dcd05b73f101852f47b6ede14fd840
Instruction ID: bfdfa6bc5ace93ccbddc29c4efb87a529bc6ec2fd8f81002110068c91a1099db
Opcode Fuzzy Hash: 6820f4e3e1fdcdbd4d99d20897bed240d8dcd05b73f101852f47b6ede14fd840
Instruction Fuzzy Hash: DFB2B370A08741DFDB24EF24C985FAEB7E5BF84304F18491DE89987291DB71E849CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AA93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AA91E9: __time64.LIBCMT ref: 00AA91F3

Part of subcall function 00A45045: _fseek.LIBCMT ref: 00A4505D

__wsplitpath.LIBCMT ref: 00AA94BE

Part of subcall function 00A6432E: __wsplitpath_helper.LIBCMT ref: 00A6436E

_wcscpy.LIBCMT ref: 00AA94D1
_wcscat.LIBCMT ref: 00AA94E4
__wsplitpath.LIBCMT ref: 00AA9509
_wcscat.LIBCMT ref: 00AA951F
_wcscat.LIBCMT ref: 00AA9532

Part of subcall function 00AA922F: _memmove.LIBCMT ref: 00AA9268
Part of subcall function 00AA922F: _memmove.LIBCMT ref: 00AA9277

_wcscmp.LIBCMT ref: 00AA9479

Part of subcall function 00AA99BE: _wcscmp.LIBCMT ref: 00AA9AAE
Part of subcall function 00AA99BE: _wcscmp.LIBCMT ref: 00AA9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AA96DC
_wcsncpy.LIBCMT ref: 00AA974F
DeleteFileW.KERNEL32(?,?), ref: 00AA9785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AA979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AA97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AA97BE

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: eb97bf75d05bf99d15b7bd4ec2169a93d7cd275fa684ac960ac1f3160d2e1a6c
Instruction ID: a3193a6263cde7d07173f6833d8d0fc20566b7b929ecfa1fa529ec6cd5f8d305
Opcode Fuzzy Hash: eb97bf75d05bf99d15b7bd4ec2169a93d7cd275fa684ac960ac1f3160d2e1a6c
Instruction Fuzzy Hash: 2EC11AB5D00229AEDF21DFA4CD85ADFB7BDAF85300F0040AAF609E7191DB709A448F65

Uniqueness

Uniqueness Score: -1.00%

Function 00A43015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A43074
RegisterClassExW.USER32(00000030), ref: 00A4309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A430AF
InitCommonControlsEx.COMCTL32(?), ref: 00A430CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A430DC
LoadIconW.USER32(000000A9), ref: 00A430F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A43101

Strings

+, xrefs: 00A4305D
AutoIt v3 GUI, xrefs: 00A43090
TaskbarCreated, xrefs: 00A430A4
0, xrefs: 00A43056

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 301cdbdd9520d4ab9e037b4b39ebbd89157f6ce9c1bd66f29c5393441c09c861
Instruction ID: 9bf767b31fe9a7151f89698dde300f88b75d6a8bc4d2962a7de0f0cd8989ef5c
Opcode Fuzzy Hash: 301cdbdd9520d4ab9e037b4b39ebbd89157f6ce9c1bd66f29c5393441c09c861
Instruction Fuzzy Hash: BA3147B1941309EFDB50DFE4E889AC9BBF1FB19310F10852EE590E62A0E7B54596CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A43041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A43074
RegisterClassExW.USER32(00000030), ref: 00A4309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A430AF
InitCommonControlsEx.COMCTL32(?), ref: 00A430CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A430DC
LoadIconW.USER32(000000A9), ref: 00A430F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A43101

Strings

+, xrefs: 00A4305D
AutoIt v3 GUI, xrefs: 00A43090
TaskbarCreated, xrefs: 00A430A4
0, xrefs: 00A43056

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2c8d5bef2f93c6f4e778d86df8f2b1e9dad58eb154459a41e51ec7afd813f1b9
Instruction ID: d996265689624c23ad84a1984979acf97e7f58267265c9762e930ab72bb2b78a
Opcode Fuzzy Hash: 2c8d5bef2f93c6f4e778d86df8f2b1e9dad58eb154459a41e51ec7afd813f1b9
Instruction Fuzzy Hash: E421C3B1D00318AFDB00DFE4E889B9DBBF5FB18700F01812AFA11A72A0EBB145558F95

Uniqueness

Uniqueness Score: -1.00%

Function 00A471EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A44864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B062F8,?,00A437C0,?), ref: 00A44882

Part of subcall function 00A6074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00A472C5), ref: 00A60771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A47308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A7ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A7ED32
RegCloseKey.ADVAPI32(?), ref: 00A7ED70
_wcscat.LIBCMT ref: 00A7EDC9

Strings

Include, xrefs: 00A7ECE8, 00A7ED29
\, xrefs: 00A7EDEC
Software\AutoIt v3\AutoIt, xrefs: 00A472FE
\Include\, xrefs: 00A472C5

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: ae7976bdc2c0305efd69969694b4eccfce793fd35f4bd8ae73c6dc52c0f7bd33
Instruction ID: e3bafb35f38d31ebfac4669992971a09a18ec3ce8d2a8076c1653347fda3783b
Opcode Fuzzy Hash: ae7976bdc2c0305efd69969694b4eccfce793fd35f4bd8ae73c6dc52c0f7bd33
Instruction Fuzzy Hash: B4717B71848341AEC714EF25DD8599BBBF8FFA9340B44492EF445871A1EF30A948CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A43A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A43A62
LoadCursorW.USER32(00000000,00007F00), ref: 00A43A71
LoadIconW.USER32(00000063), ref: 00A43A88
LoadIconW.USER32(000000A4), ref: 00A43A9A
LoadIconW.USER32(000000A2), ref: 00A43AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A43AD2
RegisterClassExW.USER32(?), ref: 00A43B28

Part of subcall function 00A43041: GetSysColorBrush.USER32(0000000F), ref: 00A43074
Part of subcall function 00A43041: RegisterClassExW.USER32(00000030), ref: 00A4309E
Part of subcall function 00A43041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A430AF
Part of subcall function 00A43041: InitCommonControlsEx.COMCTL32(?), ref: 00A430CC
Part of subcall function 00A43041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A430DC
Part of subcall function 00A43041: LoadIconW.USER32(000000A9), ref: 00A430F2
Part of subcall function 00A43041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A43101

Strings

0, xrefs: 00A43B06
#, xrefs: 00A43B0D
AutoIt v3, xrefs: 00A43B17

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e867668b85c71c40576f9af6b33ea970f5fe38d5b37f622f0bb81da81a185d8c
Instruction ID: 2606ebc1fc849ad889e80428ebe6e67d42bc0b42c988b2c32d5771c7ef125b1e
Opcode Fuzzy Hash: e867668b85c71c40576f9af6b33ea970f5fe38d5b37f622f0bb81da81a185d8c
Instruction Fuzzy Hash: BA214671E00308EFEB10DFA4EC09F9D7BB5FB18721F00812AE504A72A0DBB656648F84

Uniqueness

Uniqueness Score: -1.00%

Function 00A43633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00A436D2
KillTimer.USER32(?,00000001), ref: 00A436FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A4371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A4372A
CreatePopupMenu.USER32 ref: 00A4373E
PostQuitMessage.USER32(00000000), ref: 00A4375F

Strings

TaskbarCreated, xrefs: 00A43725

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f029fa86f31687fda7202d3f49412db3c36add958b8e4fb34f276a31fa01dddc
Instruction ID: 2a0a318d83415b03c0ed9c663671410a5e1133c51aeeef28ee68b231f624d505
Opcode Fuzzy Hash: f029fa86f31687fda7202d3f49412db3c36add958b8e4fb34f276a31fa01dddc
Instruction Fuzzy Hash: A6415ABB200106BFDF149F68DD09B7A37A5EB94300F154129FA02872E2DF609E219771

Uniqueness

Uniqueness Score: -1.00%

Function 00A43778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 00A438B9
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00A437C0
/ErrorStdOut, xrefs: 00A4388F
CMDLINE, xrefs: 00A43834
/AutoIt3ExecuteScript, xrefs: 00A438CE
/AutoIt3OutputDebug, xrefs: 00A438A4
CMDLINERAW, xrefs: 00A4380D

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: e3b569df7667a4bd80afd19fae864c7563baf6ced96e20b6a63d4d9e421e39c6
Instruction ID: b7ba4ce673eaab81ca7b6b6ea84c7252da39c40227aa85240d0f8026efc13fc4
Opcode Fuzzy Hash: e3b569df7667a4bd80afd19fae864c7563baf6ced96e20b6a63d4d9e421e39c6
Instruction Fuzzy Hash: 40A1527AD102299ADF04EFA4CD96EEEB7B8BF94300F104529F416B7192DF745A09CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014E2640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 014E2711
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 014E2937

Memory Dump Source

Source File: 00000000.00000002.1285630358.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: 2b91a0d5ec7150b0259de209d57e48cf31a52f6b1d46da4c739bb2fdbf1709a0
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: C7A10A74E00209EBDB14CFA4C898FEEBBB9BF48305F10865AE505BB291D7B59A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A439E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A43A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A43A36
ShowWindow.USER32(00000000,?,?), ref: 00A43A4A
ShowWindow.USER32(00000000,?,?), ref: 00A43A53

Strings

edit, xrefs: 00A43A30
AutoIt v3, xrefs: 00A43A0D, 00A43A12, 00A43A13

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 33ef17968b2de66dc6aea1874d50d403de40a0de86913c483e5bb299f7a85c28
Instruction ID: 28342b3e00fae668e7db0473b89d0c7b07e510d5733b2aedf96865e946e05dd3
Opcode Fuzzy Hash: 33ef17968b2de66dc6aea1874d50d403de40a0de86913c483e5bb299f7a85c28
Instruction Fuzzy Hash: 8EF01270600290BEEA205B23AC0CE272F7EE7D6F50B01406EB904E31A0CAA60821CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 014E2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 014E2300: Sleep.KERNELBASE(000001F4), ref: 014E2311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014E252C

Strings

Y276H3QPBZXYPUAK1SHEB7SSFA, xrefs: 014E258F, 014E2592

Memory Dump Source

Source File: 00000000.00000002.1285630358.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CreateFileSleep
String ID: Y276H3QPBZXYPUAK1SHEB7SSFA
API String ID: 2694422964-3885471768
Opcode ID: 4337a50bac1333f0d85bbb39516958c00a8755fb6602be3dd96ba00e7acb4a11
Instruction ID: 59c73a6598b97880233b7d7f55ae99a495dd0d3d025950ca87a09f93613f5a03
Opcode Fuzzy Hash: 4337a50bac1333f0d85bbb39516958c00a8755fb6602be3dd96ba00e7acb4a11
Instruction Fuzzy Hash: 79519470D04289DAEF11D7B8CD18BEFBBB89F15305F044199E6497B2C1C6B90B49CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00A4410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A7D5EC

Part of subcall function 00A47D2C: _memmove.LIBCMT ref: 00A47D66

_memset.LIBCMT ref: 00A4418D
_wcscpy.LIBCMT ref: 00A441E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A441F1

Strings

Line: , xrefs: 00A7D615

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: f0a0b8d8f5a343be32f962b9b653299858fb1005898c6aa894ff7d62d3f8d809
Instruction ID: c5dba4ab49deb7586e1c1c867eb5ca19e0a77293189fc2fd27ed94317b659a7e
Opcode Fuzzy Hash: f0a0b8d8f5a343be32f962b9b653299858fb1005898c6aa894ff7d62d3f8d809
Instruction Fuzzy Hash: CE31E275408354AFE721EB64DD86FDF77E8AF94300F10461AF185930A1EF70AA58C792

Uniqueness

Uniqueness Score: -1.00%

Function 00A6564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00A656AB
_memcpy_s.LIBCMT ref: 00A6571D
__read_nolock.LIBCMT ref: 00A6577B
__filbuf.LIBCMT ref: 00A6579E
_memset.LIBCMT ref: 00A657E2

Part of subcall function 00A68D68: __getptd_noexit.LIBCMT ref: 00A68D68

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 7a0b56702d11da67212ebfedc631f7e90b8065a62b7427cb0af76d048957cca2
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 58518034E00B05DFDB289FB9C98466EB7B6AF41320F688B29F839962D0D7709D51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A469CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00A44F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00B062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A44F6F

_free.LIBCMT ref: 00A7E68C
_free.LIBCMT ref: 00A7E6D3

Part of subcall function 00A46BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A46D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00A7E462
Bad directive syntax error, xrefs: 00A7E6BB

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 6794f652727cc25a04896b9791f28df57cc9bc473829c796df4df05f22d8a6d1
Instruction ID: 8add4222959a0ee4aa5b30544bef8a8680bfb6aae6d1644d09c87bb753f71656
Opcode Fuzzy Hash: 6794f652727cc25a04896b9791f28df57cc9bc473829c796df4df05f22d8a6d1
Instruction Fuzzy Hash: 4A917C75910219AFCF04EFA4CD919EDB7B5FF19314F14846AF81AAB291EB30AD05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A435B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A435A1,SwapMouseButtons,00000004,?), ref: 00A435D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A435A1,SwapMouseButtons,00000004,?,?,?,?,00A42754), ref: 00A435F5
RegCloseKey.KERNELBASE(00000000,?,?,00A435A1,SwapMouseButtons,00000004,?,?,?,?,00A42754), ref: 00A43617

Strings

Control Panel\Mouse, xrefs: 00A435D2

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 79ab1e0bb513b6c25bb6d4b7ef4444fdde58e455caeb8c97e0ec0c28ce7ef587
Instruction ID: d9e6cde46691b6d32844f2701cb5dd5318b7b45a7870e69bb3c766d1ecd96424
Opcode Fuzzy Hash: 79ab1e0bb513b6c25bb6d4b7ef4444fdde58e455caeb8c97e0ec0c28ce7ef587
Instruction Fuzzy Hash: 0911487A510209BFDF20DFA4DC40DAFF7B9EF44740F128469E805D7210E2719E419760

Uniqueness

Uniqueness Score: -1.00%

Function 014E1300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014E1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014E1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014E1B73

Memory Dump Source

Source File: 00000000.00000002.1285630358.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: 45b2d46e4ed89208d494dfe900a95663cc9ba0c640f4a52ea7494d628888661b
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: 72622D30A14258DBEB24CFA4C844BDEB376EF58701F1091A9D10DEB3A0E7759E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00AA97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00A45045: _fseek.LIBCMT ref: 00A4505D

Part of subcall function 00AA99BE: _wcscmp.LIBCMT ref: 00AA9AAE
Part of subcall function 00AA99BE: _wcscmp.LIBCMT ref: 00AA9AC1

_free.LIBCMT ref: 00AA992C
_free.LIBCMT ref: 00AA9933
_free.LIBCMT ref: 00AA999E

Part of subcall function 00A62F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00A69C64), ref: 00A62FA9
Part of subcall function 00A62F95: GetLastError.KERNEL32(00000000,?,00A69C64), ref: 00A62FBB

_free.LIBCMT ref: 00AA99A6

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction ID: 0f7a8da11a9d8636ebe90636b5b797314500b22c27c8b9f1ea492f2c831475e9
Opcode Fuzzy Hash: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction Fuzzy Hash: 765173B5D04618AFDF249F64CC41A9EBBB9EF89310F1004AEF609A7281DB755E90CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00A6493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A649D0
__flush.LIBCMT ref: 00A649F0
__write.LIBCMT ref: 00A64A23
__flsbuf.LIBCMT ref: 00A64A51

Part of subcall function 00A68D68: __getptd_noexit.LIBCMT ref: 00A68D68

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 74af21e6ac22067039ee174c9889bbee5e17331d649dd8f98242b6713afd1ecf
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 9141C675640705AFDF28DFA9C9809AF7BBAEF983A0B24817DE855C7680D770DD408B44

Uniqueness

Uniqueness Score: -1.00%

Function 00A473E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A7EE62
GetOpenFileNameW.COMDLG32(?), ref: 00A7EEAC

Part of subcall function 00A448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A448A1,?,?,00A437C0,?), ref: 00A448CE

Part of subcall function 00A609D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A609F4

Strings

X, xrefs: 00A7EE7A

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 285d15ac13ad416ea456d28899c6b8401543ebbd6c1273ff7a9ae250a169f3d0
Instruction ID: c7a0763eeca8062e460c6ad6bf59ee2533a1d615958dc73b9b8d3fd091464244
Opcode Fuzzy Hash: 285d15ac13ad416ea456d28899c6b8401543ebbd6c1273ff7a9ae250a169f3d0
Instruction Fuzzy Hash: 0221C331A102989BCF05DF94CC45BEE7BF99F89300F00805AF508E7281DBB4598A8FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AA901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA9036
__fread_nolock.LIBCMT ref: 00AA904B

Strings

EA06, xrefs: 00AA907D

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: fadb3e77fdc5180d6b677eeb01d48ecca2ecefb764c28eabc707e4f9e14c4eaf
Instruction ID: 6eb7800b2aaeaa09cfc5a9aa26f6b1e50a56383022840a7286b1209c4fbfed29
Opcode Fuzzy Hash: fadb3e77fdc5180d6b677eeb01d48ecca2ecefb764c28eabc707e4f9e14c4eaf
Instruction Fuzzy Hash: 3601B972D042587EDB28C7A8CC56EFEBBF8DB15301F00459EF552D3581E575A60497A0

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00AA9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00AA9B99

Strings

aut, xrefs: 00AA9B93

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5d1456be31c6866d941f1bf610d20ce9256f8e0e5409608eef0b2618307b9d50
Instruction ID: 3a1536dfd45a09aebc74e79be0194b93c208f780a2777669238ac6ca17545f35
Opcode Fuzzy Hash: 5d1456be31c6866d941f1bf610d20ce9256f8e0e5409608eef0b2618307b9d50
Instruction Fuzzy Hash: 1FD05E7A54030DBFDB10DBD0DC0EFEABB2CE704701F0046A1BF54920A1DEB055998B91

Uniqueness

Uniqueness Score: -1.00%

Function 00ABCDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c3d1c968c2d4c97e7202ad1cdc77d89ff32b674c8cd748d0f62c7e652076ea
Instruction ID: a8105248eac7755958fad43b65984cb2b473a603065abe2b54c40d27147df34c
Opcode Fuzzy Hash: b1c3d1c968c2d4c97e7202ad1cdc77d89ff32b674c8cd748d0f62c7e652076ea
Instruction Fuzzy Hash: A5F14B746083419FC714DF28C584AAABBE9FF88314F14892DF8999B352D731E945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00A4F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A603A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A603D3
Part of subcall function 00A603A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A603DB
Part of subcall function 00A603A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A603E6
Part of subcall function 00A603A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A603F1
Part of subcall function 00A603A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A603F9
Part of subcall function 00A603A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A60401

Part of subcall function 00A56259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A4FA90), ref: 00A562B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A4FB2D
OleInitialize.OLE32(00000000), ref: 00A4FBAA
CloseHandle.KERNEL32(00000000), ref: 00A849F2

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: bd06d87c97c034bffa321d4d21a43f156957ffb70ec2010006cca7541abf83c5
Instruction ID: 7bd820eea8ad06accae4e8c5aff85fdb4571123309706a78334d0466d5037cce
Opcode Fuzzy Hash: bd06d87c97c034bffa321d4d21a43f156957ffb70ec2010006cca7541abf83c5
Instruction Fuzzy Hash: 3B81AAB49012408ED788DF39EE956197BE5FBB9308710817AD419CB3B2EF318869CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00A443DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A44401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A444A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A444C3

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 83c66443027759eadeee3f7039e3a4d0c74c1724c17904d0c9811de6e1dd40ec
Instruction ID: 8ace882ca776c390e13023cb4689445fafdca8fc34e744ad59622d5ee750902a
Opcode Fuzzy Hash: 83c66443027759eadeee3f7039e3a4d0c74c1724c17904d0c9811de6e1dd40ec
Instruction Fuzzy Hash: CD3182B55057018FD720DF74D884B9BBBF8FB99314F00092EF59A83251EB75A948CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A6594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00A65963

Part of subcall function 00A6A3AB: __NMSG_WRITE.LIBCMT ref: 00A6A3D2
Part of subcall function 00A6A3AB: __NMSG_WRITE.LIBCMT ref: 00A6A3DC

__NMSG_WRITE.LIBCMT ref: 00A6596A

Part of subcall function 00A6A408: GetModuleFileNameW.KERNEL32(00000000,00B043BA,00000104,?,00000001,00000000), ref: 00A6A49A
Part of subcall function 00A6A408: ___crtMessageBoxW.LIBCMT ref: 00A6A548

Part of subcall function 00A632DF: ___crtCorExitProcess.LIBCMT ref: 00A632E5
Part of subcall function 00A632DF: ExitProcess.KERNEL32 ref: 00A632EE

Part of subcall function 00A68D68: __getptd_noexit.LIBCMT ref: 00A68D68

RtlAllocateHeap.NTDLL(01520000,00000000,00000001,00000000,?,?,?,00A61013,?), ref: 00A6598F

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: cf82e6decb0bc9177630beed8b4d16ede0b27afd8025a30ae0d34f9f1a202a33
Instruction ID: 177c63152a2aaa888c0173c40fb610369e9ebc3dd6b04e68e17ce3cb0d1924a7
Opcode Fuzzy Hash: cf82e6decb0bc9177630beed8b4d16ede0b27afd8025a30ae0d34f9f1a202a33
Instruction Fuzzy Hash: 5401F133740B15DEEA253B74ED42A6E72B88F62730F10052AF601AB2C2DE709D428670

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00AA97D2,?,?,?,?,?,00000004), ref: 00AA9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00AA97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00AA9B5B
CloseHandle.KERNEL32(00000000,?,00AA97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AA9B62

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 654e1ada556fe5780cc296a1cd9a184870d233219cd2be6be596c9f5d76b8c7e
Instruction ID: c9b73761987304c1553993ac5b08af6373e41a8fa2ca291bd61c9f9942210ab1
Opcode Fuzzy Hash: 654e1ada556fe5780cc296a1cd9a184870d233219cd2be6be596c9f5d76b8c7e
Instruction Fuzzy Hash: F3E08632181214BBDB216B94EC09FCA7B19AB05761F154220FB246D0E0C7B125129798

Uniqueness

Uniqueness Score: -1.00%

Function 00AA8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AA8FA5

Part of subcall function 00A62F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00A69C64), ref: 00A62FA9
Part of subcall function 00A62F95: GetLastError.KERNEL32(00000000,?,00A69C64), ref: 00A62FBB

_free.LIBCMT ref: 00AA8FB6
_free.LIBCMT ref: 00AA8FC8

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction ID: aecd158016cbf726314a3814136b82f58963ee0ba19505568d5f9c886bd22d8e
Opcode Fuzzy Hash: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction Fuzzy Hash: 58E012A1A09B024ECA24A678AE44B9757FE5F49351718081DB40ADB182DF28E8518224

Uniqueness

Uniqueness Score: -1.00%

Function 00A4AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00A8002B

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 165051c6f134b18247f8075a4fffc9e583d61a1883e0f7187a69c0ed035c084d
Instruction ID: b29179f7e11b26a6e14198fcfce5b74c5a575a7d565d136284faa50f68681fbb
Opcode Fuzzy Hash: 165051c6f134b18247f8075a4fffc9e583d61a1883e0f7187a69c0ed035c084d
Instruction Fuzzy Hash: 5A224978608251CFCB64DF14C594B2ABBF1BF94300F15896DE89A8B362D731ED85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A44DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A44E1A

Strings

EA06, xrefs: 00A7DCF5

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 6755f1cf032cddb742f7213847613567ef1938dbf04b89521bdef1f72485c3dd
Instruction ID: b3ac300a3bcab1c0298c1a706d02d75dac1c34f0f99720423ec0420a7a72c706
Opcode Fuzzy Hash: 6755f1cf032cddb742f7213847613567ef1938dbf04b89521bdef1f72485c3dd
Instruction Fuzzy Hash: 91415979E04158ABDF219F7489637FE7FB6AFC9300F284075F8829B283C6219D4483A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00A44992

Part of subcall function 00A635AC: __lock.LIBCMT ref: 00A635B2
Part of subcall function 00A635AC: DecodePointer.KERNEL32(00000001,?,00A449A7,00A981BC), ref: 00A635BE
Part of subcall function 00A635AC: EncodePointer.KERNEL32(?,?,00A449A7,00A981BC), ref: 00A635C9

Part of subcall function 00A44A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A44A73
Part of subcall function 00A44A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A44A88

Part of subcall function 00A43B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A43B7A
Part of subcall function 00A43B4C: IsDebuggerPresent.KERNEL32 ref: 00A43B8C
Part of subcall function 00A43B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00B062F8,00B062E0,?,?), ref: 00A43BFD
Part of subcall function 00A43B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00A43C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A449D2

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 494c6dd82cb358ded1f19d48551e3322c41dbf7c44dd80cdb9913180980ee494
Instruction ID: 2a96e7b2950d4de05accbc2b2807c57e42c72f355aba7e66bf6dc46a0b90ba95
Opcode Fuzzy Hash: 494c6dd82cb358ded1f19d48551e3322c41dbf7c44dd80cdb9913180980ee494
Instruction Fuzzy Hash: 2C118C719083119FC700DF28DD4590BFBF8EBA8750F00852EF045832A1DF709566CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A45DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00A45981,?,?,?,?), ref: 00A45E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00A45981,?,?,?,?), ref: 00A7E19C

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3eb6ff3cab2a95e2c904eaea8a64e6119f92f89f77f1adb7f836de2cdaec0eec
Instruction ID: 1a65a818e3b414f81a4f8a7d82c44fd4b4c8c8bb9418dbcbaf875a0521987d1d
Opcode Fuzzy Hash: 3eb6ff3cab2a95e2c904eaea8a64e6119f92f89f77f1adb7f836de2cdaec0eec
Instruction Fuzzy Hash: 35019E74644708BFF3254F24CC8BF663A9CAB05768F14C318BAE96A1E1C6B01E458B50

Uniqueness

Uniqueness Score: -1.00%

Function 00A60FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A6594C: __FF_MSGBANNER.LIBCMT ref: 00A65963
Part of subcall function 00A6594C: __NMSG_WRITE.LIBCMT ref: 00A6596A
Part of subcall function 00A6594C: RtlAllocateHeap.NTDLL(01520000,00000000,00000001,00000000,?,?,?,00A61013,?), ref: 00A6598F

std::exception::exception.LIBCMT ref: 00A6102C
__CxxThrowException@8.LIBCMT ref: 00A61041

Part of subcall function 00A687DB: RaiseException.KERNEL32(?,?,?,00AFBAF8,00000000,?,?,?,?,00A61046,?,00AFBAF8,?,00000001), ref: 00A68830

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 4f318d6f37c8cdeae6d04e2311e81c348f1e06c3b848be3b50725ea2a8d09f53
Instruction ID: 0685922de3fa9c25d0dca47ab5c5793bf2fbd521b9fa22a4d2d1248a3e26fdfb
Opcode Fuzzy Hash: 4f318d6f37c8cdeae6d04e2311e81c348f1e06c3b848be3b50725ea2a8d09f53
Instruction Fuzzy Hash: 11F0C83954021DA7CF20BBA8ED05ADF7BBC9F10351F140566F80596691EFB19A80D2E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A6582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A6585C
__lock_file.LIBCMT ref: 00A6587D

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: f6671655f4df11a7cd20f153fe21d33e953cf54daf20f3fb14de2b3c6db0cb34
Instruction ID: ba6da830e00448fe6d9c68c33d6835af065af79245b6803ea616445cd53a278b
Opcode Fuzzy Hash: f6671655f4df11a7cd20f153fe21d33e953cf54daf20f3fb14de2b3c6db0cb34
Instruction Fuzzy Hash: D001A771C00608EBCF12AF79CD0159F7B75AF80760F148315F8145B1A1DB358A11EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A655D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A68D68: __getptd_noexit.LIBCMT ref: 00A68D68

__lock_file.LIBCMT ref: 00A6561B

Part of subcall function 00A66E4E: __lock.LIBCMT ref: 00A66E71

__fclose_nolock.LIBCMT ref: 00A65626

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: e50efc408c1fd724d667b8f27366bd128d7086ea15f28c163c3bee064a7002bd
Instruction ID: 1070318b62323c8e087e181d1f87bf4c3260594a7765fa829167fa8acb6bb964
Opcode Fuzzy Hash: e50efc408c1fd724d667b8f27366bd128d7086ea15f28c163c3bee064a7002bd
Instruction Fuzzy Hash: 22F0BE75C00A059ADB20AF79CA0276E7BF56F41734F698209B425AB1C1CF7C8A42DB55

Uniqueness

Uniqueness Score: -1.00%

Function 014E12FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014E1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014E1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014E1B73

Memory Dump Source

Source File: 00000000.00000002.1285630358.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: caf1038da7d66bfb4451e50b665174c73ba1ba1dfff44cb5e11473d1e355a011
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 1012ED24E24658C6EB24DF64D8507DEB272EF68301F1090E9910DEB7A4E77A4F81CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00A4F3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c502333a63c5187f5dfc21b216ee9bb08546162928b1d1484ba3039136a17fe
Instruction ID: 3ff8dd6b1bddf4e88fdf2f8f3db1a2e917116ddc67db826ad79180c5ffc19469
Opcode Fuzzy Hash: 8c502333a63c5187f5dfc21b216ee9bb08546162928b1d1484ba3039136a17fe
Instruction Fuzzy Hash: 76619C7860020A9FDB10EF64C981AABB7F5EF88300F24857DE9069B251EB71ED51CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A52123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dcb027d4c1d96f301d58f449e56d401328e190629ef56539bb4ccd179894f9b
Instruction ID: bb783c396c42ec20d77f3c211d06b1c364a2cdd322fcdba07a912725429451b2
Opcode Fuzzy Hash: 5dcb027d4c1d96f301d58f449e56d401328e190629ef56539bb4ccd179894f9b
Instruction Fuzzy Hash: 43515E39A00604AFDF14EB64CA95FAE77B6BF85750F148168F946AB292CB30ED04CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A4766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A4774A

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 137ddfd0232708e3b58a8764eb2c3eda55301eb74d4565348677704d51d6fb2f
Instruction ID: 8d4a47dadeadec64076be4a1b1f9fa9d95cd75c74e238d68d6ff69137416786a
Opcode Fuzzy Hash: 137ddfd0232708e3b58a8764eb2c3eda55301eb74d4565348677704d51d6fb2f
Instruction Fuzzy Hash: 5F31C17D608A42DFC724DF18C590E26F7B0FF88320B55C569E98A8B765E730E881CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A45C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00A45CF6

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c8df081e666f3f0245bbd74330a04d5eccf5ef796746c008f5be05eba2964f57
Instruction ID: fc00989a9224cbcbbb29d64afca9b13de3cfcb64b97a7616609b8dad103de9f6
Opcode Fuzzy Hash: c8df081e666f3f0245bbd74330a04d5eccf5ef796746c008f5be05eba2964f57
Instruction Fuzzy Hash: AB313975E00B0AAFCB18DF69C484AADB7B5FF88310F148629E81993711D771AD60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A800D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00A800E1

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: fa917d1eeef47664691eafc2f22199cd2bf94cf2f72cde28703f8b90baf5994b
Instruction ID: 4218e19906379e7b4d27bbc69636128c6ade86e13438d7d21f3ae7347aeada1f
Opcode Fuzzy Hash: fa917d1eeef47664691eafc2f22199cd2bf94cf2f72cde28703f8b90baf5994b
Instruction Fuzzy Hash: 8241F578508351CFDB24DF14C584B1ABBE1BF85318F1989ACE8994B762C332E859CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A4C707 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00A4C73D

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 567a9ad9591763d0f9e57d0794c701499023c7811d2ed262c4b2a908c8283b1b
Instruction ID: dd360d62bf4a265be302daec2209feb72f026bfc0195f6ed821ab1ab064d2532
Opcode Fuzzy Hash: 567a9ad9591763d0f9e57d0794c701499023c7811d2ed262c4b2a908c8283b1b
Instruction Fuzzy Hash: CC116076D05219DBCB14EBA9DD819EEF778EF95360F104126E815A7190EB309D06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A44F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A44D13: FreeLibrary.KERNEL32(00000000,?), ref: 00A44D4D

Part of subcall function 00A6548B: __wfsopen.LIBCMT ref: 00A65496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00B062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A44F6F

Part of subcall function 00A44CC8: FreeLibrary.KERNEL32(00000000), ref: 00A44D02

Part of subcall function 00A44DD0: _memmove.LIBCMT ref: 00A44E1A

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: d502f44c47d0e69f48abf84f9a25541637999abba1caecee853adad2fb13f38e
Instruction ID: 63b079d8e5dee902d1a3318104320253a0b45f921232c567d91faa3bbc15cd92
Opcode Fuzzy Hash: d502f44c47d0e69f48abf84f9a25541637999abba1caecee853adad2fb13f38e
Instruction Fuzzy Hash: E911E735A00705AFCB14EF70DD52FAE77B59FC8B00F10842DF541A61C2DEB19A059760

Uniqueness

Uniqueness Score: -1.00%

Function 00A801AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A801BB

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 217ae741fa59efdaa4712f507f5a2c9c6aeadc1294a740cf47d90cbc6298cdaf
Instruction ID: 49b0730e48511d77d846f939511f39b2a6b1b14b2509ed0edccaffb1e278cb57
Opcode Fuzzy Hash: 217ae741fa59efdaa4712f507f5a2c9c6aeadc1294a740cf47d90cbc6298cdaf
Instruction Fuzzy Hash: DE2110B8508351DFCB24DF54C445B1BBBF1BF88304F098968E99A4B761D731E859CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A45D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00A45807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00A45D76

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: eaa50fb25369be2293039eafbcd1f4900aee0f015be891b6b742ac0ea9b272ac
Instruction ID: f300a4f3c27975c8a7e105d6f8fd64caeb07c55be869e9f6775a510ac9410ca5
Opcode Fuzzy Hash: eaa50fb25369be2293039eafbcd1f4900aee0f015be891b6b742ac0ea9b272ac
Instruction Fuzzy Hash: 96113A39A00B059FD730CF25C888B62B7F5EF85750F14C92EE5AA86A51D7B0E945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A4C6DC Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00A4C73D

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 0424eb7d6315625d0720b2b8ae597d015624c452d5ace5889a8e5ecdcad9a985
Instruction ID: a5cb0a7f3f9403530b99133ee91270c68c2125e631602eb8e341e0b39987a07e
Opcode Fuzzy Hash: 0424eb7d6315625d0720b2b8ae597d015624c452d5ace5889a8e5ecdcad9a985
Instruction Fuzzy Hash: 2101283AD053955FEB05DB68C8916AEFF74DFD7360F15409AD850AB2A2D3349C42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A64A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00A64AD6

Part of subcall function 00A68D68: __getptd_noexit.LIBCMT ref: 00A68D68

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 38aaccadf9135fcdeea1d21bf837f0892f5ddfb4f444c129ebd22e469f43feac
Instruction ID: 035eaf8ebc4d8c197f5c94444e19734054ad03e6340bddc2f018a7a7cf304fdd
Opcode Fuzzy Hash: 38aaccadf9135fcdeea1d21bf837f0892f5ddfb4f444c129ebd22e469f43feac
Instruction Fuzzy Hash: F5F0C231980209EBDF61AFB4CD063AF36B5AF14765F048614F424AA1D1CB7C8A50DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00A44FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00B062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A44FDE

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 59395e8f713c858027f9e02a029dfcaed80443da7ad89b65fc86e4c655c91ce4
Instruction ID: fddeeb501db5b283b0bbcd5daa5d0eb68d6f0a0381cc5ce65e74a5bbc3905ba3
Opcode Fuzzy Hash: 59395e8f713c858027f9e02a029dfcaed80443da7ad89b65fc86e4c655c91ce4
Instruction Fuzzy Hash: B6F06DB9509B12CFCB349F74E494912BBF1BF487293248A3EE5D782610C731A848DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00A609D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A609F4

Part of subcall function 00A47D2C: _memmove.LIBCMT ref: 00A47D66

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: a24d4a89ca007d2a170be75085d9ed0ab8fc346409668c1ccc43d9057679f50b
Instruction ID: 7b84a206a4c58e62245665e44ffa1df561785707a400bf941260e661c6bff0aa
Opcode Fuzzy Hash: a24d4a89ca007d2a170be75085d9ed0ab8fc346409668c1ccc43d9057679f50b
Instruction Fuzzy Hash: 06E0CD36D042285BC720D69C9C05FFA77EDDFC8791F0541B5FC0CD7204E9609C818690

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00AA914B

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: da98149da2297c9acebeb4444a5d0eb504ca20a861062dd6a697086af6d5959f
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 0DE092B0504B005FD7748B24D8107E373E0AB06315F00091CF29A83341EB6278418759

Uniqueness

Uniqueness Score: -1.00%

Function 00A45DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00A7E16B,?,?,00000000), ref: 00A45DBF

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b6964db9c224bc4e5dc7e1306728d48471963f910a84ff778fea7f939b7d3efd
Instruction ID: eb5a1383b2026934ed3a6f1b071920528ca15781093ed142778592a107ea2571
Opcode Fuzzy Hash: b6964db9c224bc4e5dc7e1306728d48471963f910a84ff778fea7f939b7d3efd
Instruction Fuzzy Hash: CBD0C77464020CBFE710DB80DC46FA9777DD705710F100294FE0456290D6B27D508795

Uniqueness

Uniqueness Score: -1.00%

Function 00A6548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00A65496

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 42fd946452add5b4cd7813f442eab479ae25475e164adae14c14262ba247f50c
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 8CB0927684020C77DE012E92EC02A593B2A9B40678F808060FB0C18162AA73E6A09689

Uniqueness

Uniqueness Score: -1.00%

Function 00AAD2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00AAD46A

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 2ce62229de3f0b8660801b3a65b9aa7b4b8feefdb005b6a18b25d2cc350cc183
Instruction ID: 98c7638b73a4c434e71fe4bc91bf53499b5c0a45fb148c83a39f5ec0cfcc08b6
Opcode Fuzzy Hash: 2ce62229de3f0b8660801b3a65b9aa7b4b8feefdb005b6a18b25d2cc350cc183
Instruction Fuzzy Hash: DA715E346083428FCB14EF24C591A6EB7E0AF89754F04496DF8969B6A2DB30ED49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A60E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00A60EF7

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 1eb2c298fb4fcbe27c4f6cdbdc8c4483724de7f96b882f8917dd1ae31610a829
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B131C371A00115DFC718DF58D48096AF7B6FF59300B688AA5E40ACB651EB32EDC1CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 014E2300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014E2311

Memory Dump Source

Source File: 00000000.00000002.1285630358.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 8161d6ad788b21cdea1700c9e404b0683cfc076580ebfbd7bf85d9537df864b1
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: E7E0E67594010DDFDB00EFB4D64D6AE7FF4EF04302F100561FD01D2281D6709D508A62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00ACCDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00ACCE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00ACCE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00ACCED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00ACCF00
SendMessageW.USER32 ref: 00ACCF29
_wcsncpy.LIBCMT ref: 00ACCFA1
GetKeyState.USER32(00000011), ref: 00ACCFC2
GetKeyState.USER32(00000009), ref: 00ACCFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00ACCFE5
GetKeyState.USER32(00000010), ref: 00ACCFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00ACD018
SendMessageW.USER32 ref: 00ACD03F
SendMessageW.USER32(?,00001030,?,00ACB602), ref: 00ACD145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00ACD15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00ACD16E
SetCapture.USER32(?), ref: 00ACD177
ClientToScreen.USER32(?,?), ref: 00ACD1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00ACD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00ACD203
ReleaseCapture.USER32 ref: 00ACD20E
GetCursorPos.USER32(?), ref: 00ACD248
ScreenToClient.USER32(?,?), ref: 00ACD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00ACD2B1
SendMessageW.USER32 ref: 00ACD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00ACD31C
SendMessageW.USER32 ref: 00ACD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00ACD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00ACD37B
GetCursorPos.USER32(?), ref: 00ACD39B
ScreenToClient.USER32(?,?), ref: 00ACD3A8
GetParent.USER32(?), ref: 00ACD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00ACD431
SendMessageW.USER32 ref: 00ACD462
ClientToScreen.USER32(?,?), ref: 00ACD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00ACD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00ACD51A
SendMessageW.USER32 ref: 00ACD53D
ClientToScreen.USER32(?,?), ref: 00ACD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00ACD5C3

Part of subcall function 00A425DB: GetWindowLongW.USER32(?,000000EB), ref: 00A425EC

GetWindowLongW.USER32(?,000000F0), ref: 00ACD65F

Strings

F, xrefs: 00ACD543
@GUI_DRAGID, xrefs: 00ACD1AA

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: e67abe7e7a7269cb6db14e008aab3b1a98969101d608b6589b627b3dd71718e1
Instruction ID: b9598fd849c555ea0bf128069900944dcdb4488ed68494852632dc06a8dbbc6f
Opcode Fuzzy Hash: e67abe7e7a7269cb6db14e008aab3b1a98969101d608b6589b627b3dd71718e1
Instruction Fuzzy Hash: 5A429C34204341AFD725CF68C844FAABBE6FF49324F16052DF699972A1DB31A851CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00AC804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00AC873F

Strings

%d/%02d/%02d, xrefs: 00AC8478

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 699acc9fdd6d1ae1622acc2a23cab5d2ea17f2a5e1a6618fbb87abf004dba9b1
Instruction ID: 244556a1de8aa500d05fee9d2e6c22fa2b9d4e9bdc08198ce8f272c7fa31943a
Opcode Fuzzy Hash: 699acc9fdd6d1ae1622acc2a23cab5d2ea17f2a5e1a6618fbb87abf004dba9b1
Instruction Fuzzy Hash: CF12BF71500248AFEB258F64CC49FAB7BF9FB85710F26412DF915EA2A1EF789941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00A5710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A575C2
_memset.LIBCMT ref: 00A576B1
_memmove.LIBCMT ref: 00A57C4B
_memmove.LIBCMT ref: 00A57E4F

Strings

\b(?=\w), xrefs: 00A93C34
\b(?<=\w), xrefs: 00A93C41
DEFINE, xrefs: 00A925AF
[:<:]], xrefs: 00A575F1
[:>:]], xrefs: 00A5760A
Q\E, xrefs: 00A581C1

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: d6e4415777ecd3f583d2da095751d1ed674f95a248fee386ed779ef36335e50a
Instruction ID: 8199032791d07539df7b1d27ed83d3d896541cbf6bc867009b45c1c7425c0b97
Opcode Fuzzy Hash: d6e4415777ecd3f583d2da095751d1ed674f95a248fee386ed779ef36335e50a
Instruction Fuzzy Hash: AD937F75B0421ADBDF24CF98D881BADB7F1FF48710F25816AE955AB280E7749E81CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A44A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00A44A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A7DA8E
IsIconic.USER32(?), ref: 00A7DA97
ShowWindow.USER32(?,00000009), ref: 00A7DAA4
SetForegroundWindow.USER32(?), ref: 00A7DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A7DAC4
GetCurrentThreadId.KERNEL32 ref: 00A7DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A7DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A7DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A7DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00A7DAF8
SetForegroundWindow.USER32(?), ref: 00A7DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A7DB10
keybd_event.USER32(00000012,00000000), ref: 00A7DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A7DB25
keybd_event.USER32(00000012,00000000), ref: 00A7DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A7DB33
keybd_event.USER32(00000012,00000000), ref: 00A7DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A7DB42
keybd_event.USER32(00000012,00000000), ref: 00A7DB47
SetForegroundWindow.USER32(?), ref: 00A7DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00A7DB71

Strings

Shell_TrayWnd, xrefs: 00A7DA89

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 80706ab7167240471ec6c912488bbe7627d73cd83a11a561c9d51e2d60b7940d
Instruction ID: f6a8226b02109261e51457968685e3d15701d16e79cefe1fc429472396231be5
Opcode Fuzzy Hash: 80706ab7167240471ec6c912488bbe7627d73cd83a11a561c9d51e2d60b7940d
Instruction Fuzzy Hash: BF313571A403187FEB21AFA19C49F7F7E7DEF84B50F128025FA04EA1D1D6705911AAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A98858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00A98CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A98D0D
Part of subcall function 00A98CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A98D3A
Part of subcall function 00A98CC3: GetLastError.KERNEL32 ref: 00A98D47

_memset.LIBCMT ref: 00A9889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00A988ED
CloseHandle.KERNEL32(?), ref: 00A988FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A98915
GetProcessWindowStation.USER32 ref: 00A9892E
SetProcessWindowStation.USER32(00000000), ref: 00A98938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A98952

Part of subcall function 00A98713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A98851), ref: 00A98728
Part of subcall function 00A98713: CloseHandle.KERNEL32(?,?,00A98851), ref: 00A9873A

Strings

winsta0, xrefs: 00A98910
default, xrefs: 00A9894D
, xrefs: 00A988AA

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 357a04135689b44d2a8ac1e27caf6f631c99edac96b18bed0f9574a4e9218adf
Instruction ID: b2776af5f26365727ca2b71c83c11745295bfeb48021a9f79a4253fa88c6765e
Opcode Fuzzy Hash: 357a04135689b44d2a8ac1e27caf6f631c99edac96b18bed0f9574a4e9218adf
Instruction Fuzzy Hash: FC817771A00249BFDF11DFA4CD45EEEBBB9EF05344F09412AF910A62A1DB398E15DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AB425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00ACF910), ref: 00AB4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00AB4292
GetClipboardData.USER32(0000000D), ref: 00AB429A
CloseClipboard.USER32 ref: 00AB42A6
GlobalLock.KERNEL32(00000000), ref: 00AB42C2
CloseClipboard.USER32 ref: 00AB42CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00AB42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00AB42EE
GetClipboardData.USER32(00000001), ref: 00AB42F6
GlobalLock.KERNEL32(00000000), ref: 00AB4303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00AB4337
CloseClipboard.USER32 ref: 00AB4447

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: bdeed0e438ce67244811069deb11bc7ab35a57b5492b52ca229cca94ccc3ff6a
Instruction ID: d0b136eef0e34d9b1b5928365b8dfc36369418fb0b3768d659da49e18775b4cc
Opcode Fuzzy Hash: bdeed0e438ce67244811069deb11bc7ab35a57b5492b52ca229cca94ccc3ff6a
Instruction Fuzzy Hash: 34518C35204241AFD701EBA4ED86FAE77ADAF88B00F014529F596D61A3DF7099068A62

Uniqueness

Uniqueness Score: -1.00%

Function 00AAC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AAC9F8
FindClose.KERNEL32(00000000), ref: 00AACA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AACA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AACA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00AACAAF
__swprintf.LIBCMT ref: 00AACAFB
__swprintf.LIBCMT ref: 00AACB3E

Part of subcall function 00A47F41: _memmove.LIBCMT ref: 00A47F82

__swprintf.LIBCMT ref: 00AACB92

Part of subcall function 00A638D8: __woutput_l.LIBCMT ref: 00A63931

__swprintf.LIBCMT ref: 00AACBE0

Part of subcall function 00A638D8: __flsbuf.LIBCMT ref: 00A63953
Part of subcall function 00A638D8: __flsbuf.LIBCMT ref: 00A6396B

__swprintf.LIBCMT ref: 00AACC2F
__swprintf.LIBCMT ref: 00AACC7E
__swprintf.LIBCMT ref: 00AACCCD

Strings

%02d, xrefs: 00AACB86, 00AACB90, 00AACBDE, 00AACC2D, 00AACC7C, 00AACCCB
%4d, xrefs: 00AACB38
%4d%02d%02d%02d%02d%02d, xrefs: 00AACAF5

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 1a34fca1f74aed38c434b8a5aa782ec4a533dde237fafd0db546a1c587a44ec8
Instruction ID: 58913a31869cde1486b96913436d8c0c07ed440ee9dcbb80b803681749e363de
Opcode Fuzzy Hash: 1a34fca1f74aed38c434b8a5aa782ec4a533dde237fafd0db546a1c587a44ec8
Instruction Fuzzy Hash: 0BA12EB6508344ABD700EFA4C985DAFB7ECEFD5700F404929B586D7192EB34DA09CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AAF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00AAF221
_wcscmp.LIBCMT ref: 00AAF236
_wcscmp.LIBCMT ref: 00AAF24D
GetFileAttributesW.KERNEL32(?), ref: 00AAF25F
SetFileAttributesW.KERNEL32(?,?), ref: 00AAF279
FindNextFileW.KERNEL32(00000000,?), ref: 00AAF291
FindClose.KERNEL32(00000000), ref: 00AAF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00AAF2B8
_wcscmp.LIBCMT ref: 00AAF2DF
_wcscmp.LIBCMT ref: 00AAF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00AAF308
SetCurrentDirectoryW.KERNEL32(00AFA5A0), ref: 00AAF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AAF330
FindClose.KERNEL32(00000000), ref: 00AAF33D
FindClose.KERNEL32(00000000), ref: 00AAF34F

Strings

*.*, xrefs: 00AAF2B3

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: e5f3996a423b1faffbeae2722bef0dd9104c5761bb97cc8a983363c009fa1fb7
Instruction ID: d947711431f568807ddc02124338a09684817ec1ee9baf510eacf96eb913cbfb
Opcode Fuzzy Hash: e5f3996a423b1faffbeae2722bef0dd9104c5761bb97cc8a983363c009fa1fb7
Instruction Fuzzy Hash: 2B31BF765002196EDF14DBF4DC48EEE73ACAF4A361F104675E924D70E0EB70DA468A60

Uniqueness

Uniqueness Score: -1.00%

Function 00AC0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AC0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00ACF910,00000000,?,00000000,?,?), ref: 00AC0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00AC0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00AC0D1D
RegCloseKey.ADVAPI32(?), ref: 00AC103D
RegCloseKey.ADVAPI32(00000000), ref: 00AC104A

Strings

REG_EXPAND_SZ, xrefs: 00AC0CBA
REG_DWORD, xrefs: 00AC0F0E
REG_SZ, xrefs: 00AC0D5B
REG_MULTI_SZ, xrefs: 00AC0E05
REG_QWORD, xrefs: 00AC0F8B
REG_BINARY, xrefs: 00AC0FD8

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 03f9605202a29b55ca50748badfd22dbdb48e876380925c540b9fc31a437144c
Instruction ID: 30fe5c918ff6acfad0b65089561ebb58dcc5bc843967c0183e30064d9c2741ed
Opcode Fuzzy Hash: 03f9605202a29b55ca50748badfd22dbdb48e876380925c540b9fc31a437144c
Instruction Fuzzy Hash: E20236752046119FCB14EF24C985E2AB7E5FF89714F05896DF88A9B362CB30ED41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00AAF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00AAF37E
_wcscmp.LIBCMT ref: 00AAF393
_wcscmp.LIBCMT ref: 00AAF3AA

Part of subcall function 00AA45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00AA45DC

FindNextFileW.KERNEL32(00000000,?), ref: 00AAF3D9
FindClose.KERNEL32(00000000), ref: 00AAF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00AAF400
_wcscmp.LIBCMT ref: 00AAF427
_wcscmp.LIBCMT ref: 00AAF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00AAF450
SetCurrentDirectoryW.KERNEL32(00AFA5A0), ref: 00AAF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AAF478
FindClose.KERNEL32(00000000), ref: 00AAF485
FindClose.KERNEL32(00000000), ref: 00AAF497

Strings

*.*, xrefs: 00AAF3FB

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 66f72a54e39ec41598d35b73ef2dadee70d7217ea82d2efeef991497e35a675e
Instruction ID: 03a356b81cbe5e39c02903ba1516042b5a754a1240d9e15a49db700f3a73120e
Opcode Fuzzy Hash: 66f72a54e39ec41598d35b73ef2dadee70d7217ea82d2efeef991497e35a675e
Instruction Fuzzy Hash: 3E31B1725012196FCF14EBE4EC88EEE77ADAF4A360F104275E824A71E0DB70DE45CA64

Uniqueness

Uniqueness Score: -1.00%

Function 00A981F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A9874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A98766
Part of subcall function 00A9874A: GetLastError.KERNEL32(?,00A9822A,?,?,?), ref: 00A98770
Part of subcall function 00A9874A: GetProcessHeap.KERNEL32(00000008,?,?,00A9822A,?,?,?), ref: 00A9877F
Part of subcall function 00A9874A: HeapAlloc.KERNEL32(00000000,?,00A9822A,?,?,?), ref: 00A98786
Part of subcall function 00A9874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A9879D

Part of subcall function 00A987E7: GetProcessHeap.KERNEL32(00000008,00A98240,00000000,00000000,?,00A98240,?), ref: 00A987F3
Part of subcall function 00A987E7: HeapAlloc.KERNEL32(00000000,?,00A98240,?), ref: 00A987FA
Part of subcall function 00A987E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A98240,?), ref: 00A9880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A9825B
_memset.LIBCMT ref: 00A98270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A9828F
GetLengthSid.ADVAPI32(?), ref: 00A982A0
GetAce.ADVAPI32(?,00000000,?), ref: 00A982DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A982F9
GetLengthSid.ADVAPI32(?), ref: 00A98316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A98325
HeapAlloc.KERNEL32(00000000), ref: 00A9832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A9834D
CopySid.ADVAPI32(00000000), ref: 00A98354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A98385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A983AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A983BF

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: c49ad1b024a1f06805d58155fd34eedf02517d3170d28f20eafde1e76adb3da4
Instruction ID: f5e5347cd04b7ff9d07b07f86f55082b589160416ae36062e9610204e37f1346
Opcode Fuzzy Hash: c49ad1b024a1f06805d58155fd34eedf02517d3170d28f20eafde1e76adb3da4
Instruction Fuzzy Hash: F3614D71A04209EFDF00DF94DD84EEEBBB9FF05700F148169E915AA291DB399A05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A56843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

UCP), xrefs: 00A91546
BSR_ANYCRLF), xrefs: 00A91757
LF), xrefs: 00A916DD
ANY), xrefs: 00A91717
UTF), xrefs: 00A91533
LIMIT_MATCH=, xrefs: 00A915A9
ANYCRLF), xrefs: 00A91734
LIMIT_RECURSION=, xrefs: 00A91635
NO_AUTO_POSSESS), xrefs: 00A91567
CR), xrefs: 00A916C0
BSR_UNICODE), xrefs: 00A91771
UTF16), xrefs: 00A91508
CRLF), xrefs: 00A916FA
NO_START_OPT), xrefs: 00A91588

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: d1c1ba622a3af7e183b50dcc83aac507640b9dde02b979277d002adfd7df5bab
Instruction ID: 40d0de8369a4f90dcdb813517d75dd35454b955f0373f3cce5d1d895e6e1258f
Opcode Fuzzy Hash: d1c1ba622a3af7e183b50dcc83aac507640b9dde02b979277d002adfd7df5bab
Instruction Fuzzy Hash: 5A727075E0021A9BDF24CF98C8807AEB7F5FF48310F55816AE949EB290EB749D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AC0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AC0038,?,?), ref: 00AC10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AC0737

Part of subcall function 00A49997: __itow.LIBCMT ref: 00A499C2
Part of subcall function 00A49997: __swprintf.LIBCMT ref: 00A49A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00AC07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00AC086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00AC0AAD
RegCloseKey.ADVAPI32(00000000), ref: 00AC0ABA

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 1c278cbb6eb136ca626c6a6111495bdb38faaa08b28e66b297f6a42385d3ac09
Instruction ID: 0efa86e4493cb00d213694d335e980864af68d534fbd27698f8b0843bd5c7e8f
Opcode Fuzzy Hash: 1c278cbb6eb136ca626c6a6111495bdb38faaa08b28e66b297f6a42385d3ac09
Instruction Fuzzy Hash: F7E14B35204210EFCB14DF24C985E6BBBF9FF89754B05896DF88ADB262DA30E905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00AA0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00AA0241
GetAsyncKeyState.USER32(000000A0), ref: 00AA02C2
GetKeyState.USER32(000000A0), ref: 00AA02DD
GetAsyncKeyState.USER32(000000A1), ref: 00AA02F7
GetKeyState.USER32(000000A1), ref: 00AA030C
GetAsyncKeyState.USER32(00000011), ref: 00AA0324
GetKeyState.USER32(00000011), ref: 00AA0336
GetAsyncKeyState.USER32(00000012), ref: 00AA034E
GetKeyState.USER32(00000012), ref: 00AA0360
GetAsyncKeyState.USER32(0000005B), ref: 00AA0378
GetKeyState.USER32(0000005B), ref: 00AA038A

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f77944b1a39148f40a06907081a8962df2c58f30ea8d7c0dbe7b3c1b821fdf5d
Instruction ID: 4f137027c1d4224f1504b025be85c4610d2e7e0a88bf95697cb36e6e815408ab
Opcode Fuzzy Hash: f77944b1a39148f40a06907081a8962df2c58f30ea8d7c0dbe7b3c1b821fdf5d
Instruction Fuzzy Hash: 114189345047C96EFF319BA48808BF5BEA16F17344F08809DD7C64B1C2E79559C887B2

Uniqueness

Uniqueness Score: -1.00%

Function 00AB86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A49997: __itow.LIBCMT ref: 00A499C2
Part of subcall function 00A49997: __swprintf.LIBCMT ref: 00A49A0C

CoInitialize.OLE32 ref: 00AB8718
CoUninitialize.OLE32 ref: 00AB8723
CoCreateInstance.OLE32(?,00000000,00000017,00AD2BEC,?), ref: 00AB8783
IIDFromString.OLE32(?,?), ref: 00AB87F6
VariantInit.OLEAUT32(?), ref: 00AB8890
VariantClear.OLEAUT32(?), ref: 00AB88F1

Strings

NULL Pointer assignment, xrefs: 00AB87C8
Invalid parameter, xrefs: 00AB880F
Failed to create object, xrefs: 00AB878E, 00AB8844

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 5436893a62872888c14e86c54b16cae165cddd341b7336267dc029b4443ff756
Instruction ID: da7ffb97465d6fb5db6a667107a05a561ddec91ed2d4d0580775b53bd07a1f7b
Opcode Fuzzy Hash: 5436893a62872888c14e86c54b16cae165cddd341b7336267dc029b4443ff756
Instruction Fuzzy Hash: 1D619074608301AFD710DFA8C944AABBBECAF89754F14481DF5859B292CB74ED44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AB4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00AB447F
EmptyClipboard.USER32 ref: 00AB4485
GlobalAlloc.KERNEL32(00000002,?), ref: 00AB449A
CloseClipboard.USER32 ref: 00AB4539

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5036591a0a926da6b94536696da8c47a9a6c8746567571f0e70d76697ddab8e8
Instruction ID: 0a3afa5201ccad302dc162e7d7bca850ab6dd0ba62288b025bf1d48abecaea18
Opcode Fuzzy Hash: 5036591a0a926da6b94536696da8c47a9a6c8746567571f0e70d76697ddab8e8
Instruction Fuzzy Hash: FE21AE353006109FDB10EFA4EC09FAA77A9EF48711F11802AF946DB2B2CB30AC12CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00AA3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A448A1,?,?,00A437C0,?), ref: 00A448CE

Part of subcall function 00AA4CD3: GetFileAttributesW.KERNEL32(?,00AA3947), ref: 00AA4CD4

FindFirstFileW.KERNEL32(?,?), ref: 00AA3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00AA3B87
MoveFileW.KERNEL32(?,?), ref: 00AA3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00AA3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AA3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00AA3BF5

Strings

\*.*, xrefs: 00AA3A8A, 00AA3A93, 00AA3AA8

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: c8c7e12a88a8949db2aedd5b70253f6bb82439b371ab018197bae9389eebe506
Instruction ID: 6932a8c03c8e36607d5ec6970378a95ede68300c2c0452ca445a17528a07b17d
Opcode Fuzzy Hash: c8c7e12a88a8949db2aedd5b70253f6bb82439b371ab018197bae9389eebe506
Instruction Fuzzy Hash: 78517036801258AFCF15EBA0CE929EDB779AF56300F644169F44277092DF316F09CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AAF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A47F41: _memmove.LIBCMT ref: 00A47F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00AAF6AB
Sleep.KERNEL32(0000000A), ref: 00AAF6DB
_wcscmp.LIBCMT ref: 00AAF6EF
_wcscmp.LIBCMT ref: 00AAF70A
FindNextFileW.KERNEL32(?,?), ref: 00AAF7A8
FindClose.KERNEL32(00000000), ref: 00AAF7BE

Strings

*.*, xrefs: 00AAF690

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 23ebfa3ffbe7ed56df2b21a705a8463b56969c7327b9b091250f1e15a11a618e
Instruction ID: f37617b773c766f48aced5654677e5db7b101c0076fd344b5c005a526d2a32df
Opcode Fuzzy Hash: 23ebfa3ffbe7ed56df2b21a705a8463b56969c7327b9b091250f1e15a11a618e
Instruction Fuzzy Hash: 15419E7590021AAFCF15DFA4CC89EEEBBB4FF06310F14456AE815A31A0EB319E44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A54140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00A87B0C
VUUU, xrefs: 00A544ED
ERCP, xrefs: 00A5421F
VUUU, xrefs: 00A544DB
VUUU, xrefs: 00A54520

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: ef1b2e360de5db5745769a6c0a455504ca09d868fa09390c3c483d2630469c9c
Instruction ID: c2d89927e5bbc9b289e0ca01542ae3c29e80e43eb32da7c6c13d6aa3a5182c6a
Opcode Fuzzy Hash: ef1b2e360de5db5745769a6c0a455504ca09d868fa09390c3c483d2630469c9c
Instruction Fuzzy Hash: 1FA27F70E0421ACBDF24DF58C9807ADB7B1BB58319F2481A9DC5AA7680E7349EC9DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A558C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A55A05
_memmove.LIBCMT ref: 00A55A55
_memmove.LIBCMT ref: 00A55ABB

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f599014433dfc1721be811a61d0f1c4ab81153bf9313e3bf3333df8e866bfbcd
Instruction ID: ffe6407d2b4d003be69c023fd70852a2b5178c9306ba9bd0cd2850f075290fda
Opcode Fuzzy Hash: f599014433dfc1721be811a61d0f1c4ab81153bf9313e3bf3333df8e866bfbcd
Instruction Fuzzy Hash: 55129870E00609EFDF04DFA9DA95AAEB7F5FF48340F204269E806A7251EB35AD15CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AA545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A98CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A98D0D
Part of subcall function 00A98CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A98D3A
Part of subcall function 00A98CC3: GetLastError.KERNEL32 ref: 00A98D47

ExitWindowsEx.USER32(?,00000000), ref: 00AA549B

Strings

, xrefs: 00AA5489
SeShutdownPrivilege, xrefs: 00AA546B
@, xrefs: 00AA548E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 6cb44922f2c6aab197571f11ed442cefcc2929f4ebbedfe64de0de2a89fad156
Instruction ID: be3a00e30c93b3eaea07bc63a911910dbea2a2030de1349e31326f4b6b229a5c
Opcode Fuzzy Hash: 6cb44922f2c6aab197571f11ed442cefcc2929f4ebbedfe64de0de2a89fad156
Instruction Fuzzy Hash: D5014732F54A052FEB2893B4EC4AFBA726AEB0B352F200525FD06D30C2DB544C8081A8

Uniqueness

Uniqueness Score: -1.00%

Function 00AB6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00AB65EF
WSAGetLastError.WSOCK32(00000000), ref: 00AB65FE
bind.WSOCK32(00000000,?,00000010), ref: 00AB661A
listen.WSOCK32(00000000,00000005), ref: 00AB6629
WSAGetLastError.WSOCK32(00000000), ref: 00AB6643
closesocket.WSOCK32(00000000,00000000), ref: 00AB6657

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: b81ca5eb59177f6d0fc97c0e47ce4e874ba8978ffd57e14ddae186eabbf59a36
Instruction ID: e0fdf1f58d053e708d1326402bc563c3de16e9ac5d42b48f30215f371871f8a1
Opcode Fuzzy Hash: b81ca5eb59177f6d0fc97c0e47ce4e874ba8978ffd57e14ddae186eabbf59a36
Instruction Fuzzy Hash: EE219C342002049FCB14EF64C995FAEB7BAEF88320F158169E956A73D2CB74AD02CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A41287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00A419FA
GetSysColor.USER32(0000000F), ref: 00A41A4E
SetBkColor.GDI32(?,00000000), ref: 00A41A61

Part of subcall function 00A41290: DefDlgProcW.USER32(?,00000020,?), ref: 00A412D8

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 63345f1f5be76dcb2e4161bcf8258897f5117940b0ba908a31c237ad222f5be4
Instruction ID: f803e64bf4aadc05be8ecad533483215b63b79a5ff0e230947abdd0f2bd5835b
Opcode Fuzzy Hash: 63345f1f5be76dcb2e4161bcf8258897f5117940b0ba908a31c237ad222f5be4
Instruction Fuzzy Hash: 1AA17AB9111544BEE628AF288D48FBF3AADDFC53D5F15C12AF406D6192CF24CD8192B2

Uniqueness

Uniqueness Score: -1.00%

Function 00AB6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AB80CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00AB6AB1
WSAGetLastError.WSOCK32(00000000), ref: 00AB6ADA
bind.WSOCK32(00000000,?,00000010), ref: 00AB6B13
WSAGetLastError.WSOCK32(00000000), ref: 00AB6B20
closesocket.WSOCK32(00000000,00000000), ref: 00AB6B34

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 6c7fc30682cab0cba5b6a0efe42e2529dbb08c49897e4442f619d594e7e920ab
Instruction ID: 797b6f1df30326a31cb7d9b9d2de4b0ef173dfd2da9442d67bf2d7361f6cf193
Opcode Fuzzy Hash: 6c7fc30682cab0cba5b6a0efe42e2529dbb08c49897e4442f619d594e7e920ab
Instruction Fuzzy Hash: 6C419079700210AFEB10BF64DD86F6F77A9DB88750F048058F91AAB3D3DA749D018791

Uniqueness

Uniqueness Score: -1.00%

Function 00AC55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00AC564C
IsWindowEnabled.USER32 ref: 00AC565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00AC5667
IsIconic.USER32 ref: 00AC5675
IsZoomed.USER32 ref: 00AC5683

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: cdf46f4125b2d5a6f3d896001ca01864ae429f868070a770526d2a0553b9ddda
Instruction ID: b3f6254cbb14747ef6df4465af83d0fd5fcbbcdf38724901a594c9b1d906f7c9
Opcode Fuzzy Hash: cdf46f4125b2d5a6f3d896001ca01864ae429f868070a770526d2a0553b9ddda
Instruction Fuzzy Hash: 9A11C431B009106FEB215F76DC44F2FBB99EF84761B8A443DF846D7241CB70E9428AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00ABC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A81D88,?), ref: 00ABC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00ABC324

Strings

kernel32.dll, xrefs: 00ABC30D
GetSystemWow64DirectoryW, xrefs: 00ABC31E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: f6de36cd878da8c9f54dbe2eb0d1658695925420753c7b4893937e7272557e88
Instruction ID: 2f18793d38b586701301fdbac935367755e7ffe941e3205c67861c422156b051
Opcode Fuzzy Hash: f6de36cd878da8c9f54dbe2eb0d1658695925420753c7b4893937e7272557e88
Instruction Fuzzy Hash: 37E01274610713DFDB208F65D804F96B6E8FF08765BC5C839E996DA261E770D841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A53190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: d80af31ea8b2d903c46d5f0da2f888bd18e33319ee9d6d73df9b5699b75ca538
Instruction ID: ab5147d6063740ec6a42fd871d7321934a12d3ec984f74f23e5fd3e800160693
Opcode Fuzzy Hash: d80af31ea8b2d903c46d5f0da2f888bd18e33319ee9d6d73df9b5699b75ca538
Instruction Fuzzy Hash: 6A2258726083019FCB24EF24C991B6FB7E5BF84754F14491DF89697291EB70EA08CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00ABF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00ABF151
Process32FirstW.KERNEL32(00000000,?), ref: 00ABF15F

Part of subcall function 00A47F41: _memmove.LIBCMT ref: 00A47F82

Process32NextW.KERNEL32(00000000,?), ref: 00ABF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00ABF22E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 0f93db1307e102cc898641c5c72fec205b59834a31fe0cc43ed9ded0ff62f60b
Instruction ID: 78e20e84e0a299b9f6038f7d5295cdb499b81b1f331a6bb64b476d96f6eaf19d
Opcode Fuzzy Hash: 0f93db1307e102cc898641c5c72fec205b59834a31fe0cc43ed9ded0ff62f60b
Instruction Fuzzy Hash: B2517D75504300AFD310EF24DC85EABB7E8EF98750F14492DF59597252EB70D905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AA40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00AA40D1
_memset.LIBCMT ref: 00AA40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00AA4144
CloseHandle.KERNEL32(00000000), ref: 00AA414D

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 30ef5b6b88dea0bc5412bf4bec0f8ed7dc8793c01ed70ab385b0989c26f164b3
Instruction ID: 8798e4a1ff85c2ece05f370b2e31288c19fcac657a1908030d44c3a4818e5144
Opcode Fuzzy Hash: 30ef5b6b88dea0bc5412bf4bec0f8ed7dc8793c01ed70ab385b0989c26f164b3
Instruction Fuzzy Hash: 6D11EB759012287AD7309BA5AC4DFABBB7CEF85760F104296F908D7180D6744E808BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A9EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A9EB19

Strings

(, xrefs: 00A9EB5F
|, xrefs: 00A9EB49

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: d5e5fba89be61d9e025534300cc33e16df9f292daf15d20c010d84862068afef
Instruction ID: 5b4a7eecd9dfecb11ab7d90ea8b70bd0c027ef7c4b185a2f43193474ff42dafd
Opcode Fuzzy Hash: d5e5fba89be61d9e025534300cc33e16df9f292daf15d20c010d84862068afef
Instruction Fuzzy Hash: 8E322775A007059FDB28DF19C481A6AB7F1FF48320B15C56EE49ADB3A2E770E981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00AB25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00AB26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00AB270C

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 63b0eb41a07b62ef9afbe164647ba8c36e74c4142776becf675f46edf8e5ff4f
Instruction ID: 94bef2dd4e4fdb20a28085c7e92929e1abe70571e538dfec5fb375ab94944e18
Opcode Fuzzy Hash: 63b0eb41a07b62ef9afbe164647ba8c36e74c4142776becf675f46edf8e5ff4f
Instruction Fuzzy Hash: 4E41D371900209BFEB20DF94DD95FFBB7BCEB40724F10406BF605A6142EA759E819764

Uniqueness

Uniqueness Score: -1.00%

Function 00AAB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AAB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00AAB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00AAB655

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f34ec2fe58ace7d66aea5600e892396f92845d9fc3f4d9f6b8b79ee9aaeb866c
Instruction ID: 9113840fda78f41669bc3073b5457a14b7b86fe74155218adcb45fd24554047d
Opcode Fuzzy Hash: f34ec2fe58ace7d66aea5600e892396f92845d9fc3f4d9f6b8b79ee9aaeb866c
Instruction Fuzzy Hash: 70217135A10118EFCB00EFA5D984EEEFBB8FF89310F1580A9E905AB351DB319916CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A98CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A60FF6: std::exception::exception.LIBCMT ref: 00A6102C
Part of subcall function 00A60FF6: __CxxThrowException@8.LIBCMT ref: 00A61041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A98D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A98D3A
GetLastError.KERNEL32 ref: 00A98D47

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 4a8dcf024ffe12d398d155be71c79de668232b7df01d666fd3d5510ca013f827
Instruction ID: 7fe5d0062473d31089bde489fb45d37c0face0f35f1da6526883ac12e26cf26f
Opcode Fuzzy Hash: 4a8dcf024ffe12d398d155be71c79de668232b7df01d666fd3d5510ca013f827
Instruction Fuzzy Hash: 4211C1B2514208AFDB28DF68DC85D6BBBFDFB04710B20852EF85683241EF30AC418A60

Uniqueness

Uniqueness Score: -1.00%

Function 00AA4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00AA4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AA4C43
FreeSid.ADVAPI32(?), ref: 00AA4C53

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 21b56f81b8423c2ed5f3bfe706c25378aa4f7cebf09cf905a27df834c47d99e2
Instruction ID: 3f0c78bad7ef5c52a4b9585793d922539a52d8dcac0ce4b19f352ab5748c8515
Opcode Fuzzy Hash: 21b56f81b8423c2ed5f3bfe706c25378aa4f7cebf09cf905a27df834c47d99e2
Instruction Fuzzy Hash: F5F04975A5130CBFDF04DFF0DC89EAEBBBDEF08611F0044A9A901E2181E7706A048B50

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66a873c44115738ed6d2b35f6becefb69951818a400c8e6ef4ef3e79fbad38f
Instruction ID: 5d8455c688559f0c8a86702a495247411c141d2f202166f0dfd0772ea013703f
Opcode Fuzzy Hash: a66a873c44115738ed6d2b35f6becefb69951818a400c8e6ef4ef3e79fbad38f
Instruction Fuzzy Hash: 6A22AD79A00216CFDF24DF58C580AAEBBF0FF98300F148569E856AB341E775AD85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AAC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AAC966
FindClose.KERNEL32(00000000), ref: 00AAC996

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8e9dd63c321ec096dd3e95903ec506139f52fc449cccaca98126d56444a6100
Instruction ID: 24fcbb6ef0de8f7c6a3c4416f7b0dcafb3fccf5f85337fb1aa72fd549223c751
Opcode Fuzzy Hash: f8e9dd63c321ec096dd3e95903ec506139f52fc449cccaca98126d56444a6100
Instruction Fuzzy Hash: 7B1152756106009FDB10DF29D84592BF7E5EF85324F01851EF8A5D73A1DB34AC11CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00AB977D,?,00ACFB84,?), ref: 00AAA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00AB977D,?,00ACFB84,?), ref: 00AAA314

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: cb1c812a97ab34890423ccbb4c4d308ef5946ea673221941e94d9aa4d7067702
Instruction ID: 31061f98d096a9e3ba1541f7fd44cbbe3b7f5d67e0bdb538c8921707841ec14c
Opcode Fuzzy Hash: cb1c812a97ab34890423ccbb4c4d308ef5946ea673221941e94d9aa4d7067702
Instruction Fuzzy Hash: D2F0823564422DBBDB109FA4CC48FEA77ADBF09761F008165B918D7181DB309944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A98713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A98851), ref: 00A98728
CloseHandle.KERNEL32(?,?,00A98851), ref: 00A9873A

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1e684b9c433bed0dafddd28444090f08aeddab366dc9b21d5052d2b638ef84b8
Instruction ID: 95c7389003724df376c781c6bab1c402773c99af20537f87fd71181290718425
Opcode Fuzzy Hash: 1e684b9c433bed0dafddd28444090f08aeddab366dc9b21d5052d2b638ef84b8
Instruction Fuzzy Hash: 49E0B676010650EEEF252BA4ED09D777BEAEB04750725883AB89680470DB62AC91DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00A68F97,?,?,?,00000001), ref: 00A6A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00A6A3A3

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3f87e6c769d82440616ce3015f45a999bd889dead0fe6d2e99b464c1429cd384
Instruction ID: b575883745350ac7a1c8c00f9d28a733e591dabd330bf124529558c62156e2e6
Opcode Fuzzy Hash: 3f87e6c769d82440616ce3015f45a999bd889dead0fe6d2e99b464c1429cd384
Instruction Fuzzy Hash: D2B09231054248BFCA006BD1EC09F883F6AEB84AA2F414020FA1D88260CB6256528A91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec9dfbe8da665c7312242fff476238aa3f414bb6075e0f8361559ed3da3c3fd
Instruction ID: 6f0d3f03e5c8eae16dadc698440de1c08136202d32452a336bf8792c584d7ff3
Opcode Fuzzy Hash: bec9dfbe8da665c7312242fff476238aa3f414bb6075e0f8361559ed3da3c3fd
Instruction Fuzzy Hash: 72320422D6AF014DD7279634E832339A369EFB73C4F55D737E81AB59A6EB28C4834100

Uniqueness

Uniqueness Score: -1.00%

Function 00A7267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536f720e4002f8c39616cab707ecdcab2b582a598dc3a5e30ad7364b72e14e34
Instruction ID: a54ef8f8f9eb7d031a5c87b5290a0aaf0b23ab51c7e1507e771784c62ac7183a
Opcode Fuzzy Hash: 536f720e4002f8c39616cab707ecdcab2b582a598dc3a5e30ad7364b72e14e34
Instruction Fuzzy Hash: A7B1DD20E2AF414DD62396798831336BB5CAFBB6D5B52D71BFC2B74D22EB2185834241

Uniqueness

Uniqueness Score: -1.00%

Function 00AA8B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00AA8B25

Part of subcall function 00A6543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00AA91F8,00000000,?,?,?,?,00AA93A9,00000000,?), ref: 00A65443
Part of subcall function 00A6543A: __aulldiv.LIBCMT ref: 00A65463

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 900fbdbc326b34c573167329949fdd5dee5e2fe252ff3f10b9868d5a253a47ac
Instruction ID: 55c81db1ac44a0f882d1ac84487caeed334f9c3f15f632684ee2c0808d1e03fb
Opcode Fuzzy Hash: 900fbdbc326b34c573167329949fdd5dee5e2fe252ff3f10b9868d5a253a47ac
Instruction Fuzzy Hash: F32172726355108BC729CF25D841A52B7E1EBB5311B288E6CD1E5CB2D0CE74BD45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00AB41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00AB4218

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d14376560d812570ee0deed48b206934bf8f8cc2ed3d4cabf17d1fe7bb1d0d34
Instruction ID: 136e9df4478de01bfa72034db11bbc7e12b0cf7b78ed0094a037a0221fba3cc2
Opcode Fuzzy Hash: d14376560d812570ee0deed48b206934bf8f8cc2ed3d4cabf17d1fe7bb1d0d34
Instruction Fuzzy Hash: BEE01A752402149FC710EF59D944A9BB7ECAF987A0F018026F849CB352DA70A8419BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AA4EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00AA4F18

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 0afed0c0037a971afe2dd202033b12859f10f8a74ed677544f5d13043d8135a3
Instruction ID: 39c54147f705f88674726219d29ca200216b22245c0f15e2c14bc3beb6b9d561
Opcode Fuzzy Hash: 0afed0c0037a971afe2dd202033b12859f10f8a74ed677544f5d13043d8135a3
Instruction Fuzzy Hash: BAD05EB01A42093CFC684B24AC0FF7E0509E3CAF81F8469893301874C1EBE56C01A034

Uniqueness

Uniqueness Score: -1.00%

Function 00A98C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00A988D1), ref: 00A98CB3

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 04f0bc2a5afcaaa5b371c16644020df1272f81f7e67cd29d8ed1f198c91d027a
Instruction ID: 42870116de2e7a8a21e5bc990a70926c5855afe0bebeaf40733228016b959350
Opcode Fuzzy Hash: 04f0bc2a5afcaaa5b371c16644020df1272f81f7e67cd29d8ed1f198c91d027a
Instruction Fuzzy Hash: A6D05E3226050EAFEF018EA4DC01EAE3B6AEB04B01F408111FE15C50A1C775D835AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A82230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00A82242

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 288ac9c57635b8d1cc346b2478c62f230464c7e53400b8186d29001c6239853e
Instruction ID: 1fed97863682f117a6c1035713c319e052f166ce5b7c1b01b3208257a1c73a38
Opcode Fuzzy Hash: 288ac9c57635b8d1cc346b2478c62f230464c7e53400b8186d29001c6239853e
Instruction Fuzzy Hash: 4BC048F1801109DBDB05EBA0DA88DEEB7BDAB08305F2140A6A102F2100E7749B458B71

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00A6A36A

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cbf299ac551e9d134a683ca6a1ffcc3324e2cad59c05d9265c2533515c928869
Instruction ID: e587c9961824bf4830c36c8a057778f7d24f5f5f19d228dbb1c8bae18b8ed3df
Opcode Fuzzy Hash: cbf299ac551e9d134a683ca6a1ffcc3324e2cad59c05d9265c2533515c928869
Instruction Fuzzy Hash: 68A0123000010CBB8A001B81EC048447F5DD6401907004020F40C44121C73255114580

Uniqueness

Uniqueness Score: -1.00%

Function 00A58A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4437038b6c3e60ac42874d512603ba9ad0df299ec7fb03b6550b869e8f07d2
Instruction ID: 364cd12c75d198a20f627bcb9cbe8f048076c6558bc4aca01ab0393512eddb87
Opcode Fuzzy Hash: 3c4437038b6c3e60ac42874d512603ba9ad0df299ec7fb03b6550b869e8f07d2
Instruction Fuzzy Hash: 26223730A01616CBDF29CB68C49567D77F1FF41342F29846ADC52AB292DB3C9D89CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A62405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 1977b8e6d186aa3bcc5141c1ef8e783793d1f63a485bccf66bd37a2c1d7de1bc
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 59C17E362055930ADB2D8739D43423EBEF15BA27B131A076EE8B3CB5C4EF20D525A720

Uniqueness

Uniqueness Score: -1.00%

Function 00A6283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: a952263f17049d59cb47182815026dfd9e3bcb1d15a7871d47d2371020106fd1
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 0EC16E322055930ADB2D473A943423FBEF15BA27B131A076EE8B2DB5D5EF20D525A720

Uniqueness

Uniqueness Score: -1.00%

Function 00A61BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: c897b51ef2b13875b95f5321f907ea8d06b7f7fed3aac64af5da38cba1f32b3a
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 59C15F3220919349DB6D473A943413FBEF19BA27B131E0B6EE4B2CB5D4EF20D525E620

Uniqueness

Uniqueness Score: -1.00%

Function 00AC37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00ACF910), ref: 00AC38AF
IsWindowVisible.USER32(?), ref: 00AC38D3

Strings

GETCURRENTLINE, xrefs: 00AC3B75
DELSTRING, xrefs: 00AC39D1
CHECK, xrefs: 00AC3AF5
GETSELECTED, xrefs: 00AC3B2B
GETCURRENTSELECTION, xrefs: 00AC3A6B
ISENABLED, xrefs: 00AC38F3
ISCHECKED, xrefs: 00AC3AC1
SENDCOMMANDID, xrefs: 00AC3C62
GETCURRENTCOL, xrefs: 00AC3BB0
GETLINECOUNT, xrefs: 00AC3B4E
TABLEFT, xrefs: 00AC390F
GETLINE, xrefs: 00AC3C23
ISVISIBLE, xrefs: 00AC38BF
SHOWDROPDOWN, xrefs: 00AC3968
ADDSTRING, xrefs: 00AC399E
FINDSTRING, xrefs: 00AC39FE
EDITPASTE, xrefs: 00AC3BE7
SELECTSTRING, xrefs: 00AC3A8E
SETCURRENTSELECTION, xrefs: 00AC3A3E
HIDEDROPDOWN, xrefs: 00AC3988
TABRIGHT, xrefs: 00AC3925
UNCHECK, xrefs: 00AC3B0B
CURRENTTAB, xrefs: 00AC3945

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: cd143909b6a0365ca58f671254c7c232cb8269c2d5c7beee667c6ebcf310db21
Instruction ID: bd019448864caf79b338c521ee77a505c75093fc59825a467adede00e9bcba7d
Opcode Fuzzy Hash: cd143909b6a0365ca58f671254c7c232cb8269c2d5c7beee667c6ebcf310db21
Instruction Fuzzy Hash: E3D15935204205DFCF14EF50C651E6EB7B5AF94384F11855CB9865B2A2CB31EE4ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00ACA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00ACA89F
GetSysColorBrush.USER32(0000000F), ref: 00ACA8D0
GetSysColor.USER32(0000000F), ref: 00ACA8DC
SetBkColor.GDI32(?,000000FF), ref: 00ACA8F6
SelectObject.GDI32(?,?), ref: 00ACA905
InflateRect.USER32(?,000000FF,000000FF), ref: 00ACA930
GetSysColor.USER32(00000010), ref: 00ACA938
CreateSolidBrush.GDI32(00000000), ref: 00ACA93F
FrameRect.USER32(?,?,00000000), ref: 00ACA94E
DeleteObject.GDI32(00000000), ref: 00ACA955
InflateRect.USER32(?,000000FE,000000FE), ref: 00ACA9A0
FillRect.USER32(?,?,?), ref: 00ACA9D2
GetWindowLongW.USER32(?,000000F0), ref: 00ACA9FD

Part of subcall function 00ACAB60: GetSysColor.USER32(00000012), ref: 00ACAB99
Part of subcall function 00ACAB60: SetTextColor.GDI32(?,?), ref: 00ACAB9D
Part of subcall function 00ACAB60: GetSysColorBrush.USER32(0000000F), ref: 00ACABB3
Part of subcall function 00ACAB60: GetSysColor.USER32(0000000F), ref: 00ACABBE
Part of subcall function 00ACAB60: GetSysColor.USER32(00000011), ref: 00ACABDB
Part of subcall function 00ACAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00ACABE9
Part of subcall function 00ACAB60: SelectObject.GDI32(?,00000000), ref: 00ACABFA
Part of subcall function 00ACAB60: SetBkColor.GDI32(?,00000000), ref: 00ACAC03
Part of subcall function 00ACAB60: SelectObject.GDI32(?,?), ref: 00ACAC10
Part of subcall function 00ACAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00ACAC2F
Part of subcall function 00ACAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00ACAC46
Part of subcall function 00ACAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00ACAC5B

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 346bab97636f6738de54f70f7c3ca6a4e01c7a40ad8955c010f188d92cf48032
Instruction ID: 86adbf7516730f52fecd178fab5bbede45b07c270099857a112f26e73df9d8ec
Opcode Fuzzy Hash: 346bab97636f6738de54f70f7c3ca6a4e01c7a40ad8955c010f188d92cf48032
Instruction Fuzzy Hash: DCA18072008305AFD710DFA4DC08E6B7BAAFF88325F164B2DFA62961A0D731D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A42C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00A42CA2
DeleteObject.GDI32(00000000), ref: 00A42CE8
DeleteObject.GDI32(00000000), ref: 00A42CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00A42CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00A42D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00A7C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A7C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A7CAED

Part of subcall function 00A41B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A42036,?,00000000,?,?,?,?,00A416CB,00000000,?), ref: 00A41B9A

SendMessageW.USER32(?,00001053), ref: 00A7CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A7CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A7CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A7CB62

Strings

0, xrefs: 00A7C981

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 25286641cb88200d746c2d71f73db65b09b9f9a43255dd3921ef3fd60619978a
Instruction ID: e34e7fe771e904ba19d2008fe9da697e2ada7eea169a56c46d6ff5c137d3301e
Opcode Fuzzy Hash: 25286641cb88200d746c2d71f73db65b09b9f9a43255dd3921ef3fd60619978a
Instruction Fuzzy Hash: 3F127B34604201EFDB24CF24C984BA9BBE5BF85321F54C56DF999DB262CB71E842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AB77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00AB77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00AB78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00AB78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00AB7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00AB7946
GetClientRect.USER32(00000000,?), ref: 00AB7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00AB7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00AB79A5
GetStockObject.GDI32(00000011), ref: 00AB79B5
SelectObject.GDI32(00000000,00000000), ref: 00AB79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00AB79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AB79D2
DeleteDC.GDI32(00000000), ref: 00AB79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00AB7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00AB7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00AB7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00AB7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00AB7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00AB7AAE
GetStockObject.GDI32(00000011), ref: 00AB7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00AB7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00AB7ACE

Strings

DISPLAY, xrefs: 00AB799B
static, xrefs: 00AB7990, 00AB7AA8
msctls_progress32, xrefs: 00AB7A4F
AutoIt v3, xrefs: 00AB793E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: f8088a7c82efc088f888776b917168f5b01ad5f0bbed6f345caf85589a5d52a6
Instruction ID: 2d725329f78f68a28da7adb312babda265af6edcb9b65bc6461e10e34cec347b
Opcode Fuzzy Hash: f8088a7c82efc088f888776b917168f5b01ad5f0bbed6f345caf85589a5d52a6
Instruction Fuzzy Hash: 6AA16471A40219BFEB14DBA4DD4AFAF7BB9EB48710F014114FA15A72E1DBB0AD11CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AAAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AAAF89
GetDriveTypeW.KERNEL32(?,00ACFAC0,?,\\.\,00ACF910), ref: 00AAB066
SetErrorMode.KERNEL32(00000000,00ACFAC0,?,\\.\,00ACF910), ref: 00AAB1C4

Strings

FileBackedVirtual, xrefs: 00AAB193
Fixed, xrefs: 00AAB0AE
RAID, xrefs: 00AAB162
CDROM, xrefs: 00AAB09A
Network, xrefs: 00AAB0A4
1394, xrefs: 00AAB146
RAMDisk, xrefs: 00AAB090
SAS, xrefs: 00AAB170
SCSI, xrefs: 00AAB131
\\.\, xrefs: 00AAAFDB
Removable, xrefs: 00AAB0B8
USB, xrefs: 00AAB15B
Unknown, xrefs: 00AAB086, 00AAB12A
ATAPI, xrefs: 00AAB138
PhysicalDrive, xrefs: 00AAB012
SSD, xrefs: 00AAB0F1
Virtual, xrefs: 00AAB18C
Fibre, xrefs: 00AAB154
MMC, xrefs: 00AAB185
ATA, xrefs: 00AAB13F
SATA, xrefs: 00AAB177
SSA, xrefs: 00AAB14D
iSCSI, xrefs: 00AAB169

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e0c875c99ba7c3da654383525c95f8bc8abfadeffb027ec7d4bd807eb7773db5
Instruction ID: 8201fb6b02a3b45a74e4ad98bdb355a2f5403c5ad473e4489ee9d4fae3cc4d50
Opcode Fuzzy Hash: e0c875c99ba7c3da654383525c95f8bc8abfadeffb027ec7d4bd807eb7773db5
Instruction Fuzzy Hash: 5151C274690309EF8B04EB90CA92CBDB7B1FB663417204615F50AE72D2C736AD41DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A46A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A46A91
__wcsnicmp.LIBCMT ref: 00A46AA9
__wcsnicmp.LIBCMT ref: 00A46AC1
__wcsnicmp.LIBCMT ref: 00A46AD9
__wcsnicmp.LIBCMT ref: 00A46AF1
__wcsnicmp.LIBCMT ref: 00A46B09
__wcsnicmp.LIBCMT ref: 00A46B21
__wcsnicmp.LIBCMT ref: 00A46B35
__wcsnicmp.LIBCMT ref: 00A46B76
__wcsnicmp.LIBCMT ref: 00A46B8A
__wcsnicmp.LIBCMT ref: 00A46B9E
__wcsnicmp.LIBCMT ref: 00A46BB2

Strings

Unterminated group of comments, xrefs: 00A7E82C
#cs, xrefs: 00A46B2F, 00A46B84
#notrayicon, xrefs: 00A46AA3
#include, xrefs: 00A46B03
#ce, xrefs: 00A46BAC
#requireadmin, xrefs: 00A46ABB
Cannot parse #include, xrefs: 00A7E819
#comments-start, xrefs: 00A46B1B, 00A46B70
#include-once, xrefs: 00A46AEB
#comments-end, xrefs: 00A46B98
#OnAutoItStartRegister, xrefs: 00A46AD3
#pragma compile, xrefs: 00A46A8B
Bad directive syntax error, xrefs: 00A7E743

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 55d70733e3992cc310ceeb3130e15bcc077caf83dbeec79c27898fa9be50cb7f
Instruction ID: 2760fb98680a517b3ef76906387a43548c0ee5b8a410af62ac3decd9d221acb3
Opcode Fuzzy Hash: 55d70733e3992cc310ceeb3130e15bcc077caf83dbeec79c27898fa9be50cb7f
Instruction Fuzzy Hash: 08812A75640245BFCF24EB60CE82FAE7778FF66740F048125F945AB182EB61DA42D292

Uniqueness

Uniqueness Score: -1.00%

Function 00ACAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00ACAB99
SetTextColor.GDI32(?,?), ref: 00ACAB9D
GetSysColorBrush.USER32(0000000F), ref: 00ACABB3
GetSysColor.USER32(0000000F), ref: 00ACABBE
CreateSolidBrush.GDI32(?), ref: 00ACABC3
GetSysColor.USER32(00000011), ref: 00ACABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00ACABE9
SelectObject.GDI32(?,00000000), ref: 00ACABFA
SetBkColor.GDI32(?,00000000), ref: 00ACAC03
SelectObject.GDI32(?,?), ref: 00ACAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00ACAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00ACAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00ACAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00ACACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00ACACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00ACACEC
DrawFocusRect.USER32(?,?), ref: 00ACACF7
GetSysColor.USER32(00000011), ref: 00ACAD05
SetTextColor.GDI32(?,00000000), ref: 00ACAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00ACAD21
SelectObject.GDI32(?,00ACA869), ref: 00ACAD38
DeleteObject.GDI32(?), ref: 00ACAD43
SelectObject.GDI32(?,?), ref: 00ACAD49
DeleteObject.GDI32(?), ref: 00ACAD4E
SetTextColor.GDI32(?,?), ref: 00ACAD54
SetBkColor.GDI32(?,?), ref: 00ACAD5E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 87eec1ecf60190e1fa0c9619418c163dc579fc8881ff916ebee0d1c0b18b742a
Instruction ID: 8978ba12a5513946383d63793cb9f86838239d42423888d4077406b8c2dabd20
Opcode Fuzzy Hash: 87eec1ecf60190e1fa0c9619418c163dc579fc8881ff916ebee0d1c0b18b742a
Instruction Fuzzy Hash: 2E615171900218EFDF11DFE4DC48EAE7B7AEB08324F164225FA15AB2A1D7719D41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AC8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00AC8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AC8D45
CharNextW.USER32(0000014E), ref: 00AC8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00AC8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00AC8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AC8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00AC8DF9
SetWindowTextW.USER32(?,0000014E), ref: 00AC8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00AC8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AC8E8C
_memset.LIBCMT ref: 00AC8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00AC8EFA
_memset.LIBCMT ref: 00AC8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00AC8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00AC8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00AC9088
InvalidateRect.USER32(?,00000000,00000001), ref: 00AC90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AC90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AC9121
DrawMenuBar.USER32(?), ref: 00AC9130
SetWindowTextW.USER32(?,0000014E), ref: 00AC9158

Strings

0, xrefs: 00AC90C2

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: a21268020c29cc7583abe7c7d86774768a67d23f98ef3604b874e64e16b02f7e
Instruction ID: 4423dff12730ac2683852ce3193fd187b8ed7c1adf07be05e9aac202b413ce51
Opcode Fuzzy Hash: a21268020c29cc7583abe7c7d86774768a67d23f98ef3604b874e64e16b02f7e
Instruction Fuzzy Hash: F1E16B70900219AEDF21DFA4CC89FEE7BB9FF05710F158159F916AA290DB748A81DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00AC4C51
GetDesktopWindow.USER32 ref: 00AC4C66
GetWindowRect.USER32(00000000), ref: 00AC4C6D
GetWindowLongW.USER32(?,000000F0), ref: 00AC4CCF
DestroyWindow.USER32(?), ref: 00AC4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00AC4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AC4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00AC4D68
SendMessageW.USER32(?,00000421,?,?), ref: 00AC4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00AC4D90
IsWindowVisible.USER32(?), ref: 00AC4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00AC4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00AC4DDF
GetWindowRect.USER32(?,?), ref: 00AC4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00AC4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00AC4E37
CopyRect.USER32(?,?), ref: 00AC4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00AC4EB9

Strings

tooltips_class32, xrefs: 00AC4D1D
(, xrefs: 00AC4E2A
0, xrefs: 00AC4BFC

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 94fdb4a30878cf2227823a6af4dee0603950a7212d872c4ad67fc9e072bd6b5b
Instruction ID: f0629f3fed44037bd2b3f18801c7e677395bd7eed805eba950086a5e1d3e204b
Opcode Fuzzy Hash: 94fdb4a30878cf2227823a6af4dee0603950a7212d872c4ad67fc9e072bd6b5b
Instruction Fuzzy Hash: EAB14671608340AFDB04DF64C998F6BBBE5BB88314F01891CF599AB2A1DB71EC05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00AA46D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00AA46E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00AA470E
_wcscpy.LIBCMT ref: 00AA473C
_wcscmp.LIBCMT ref: 00AA4747
_wcscat.LIBCMT ref: 00AA475D
_wcsstr.LIBCMT ref: 00AA4768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00AA4784
_wcscat.LIBCMT ref: 00AA47CD
_wcscat.LIBCMT ref: 00AA47D4
_wcsncpy.LIBCMT ref: 00AA47FF

Strings

04090000, xrefs: 00AA47BA
%u.%u.%u.%u, xrefs: 00AA4862
DefaultLangCodepage, xrefs: 00AA47E7
\VarFileInfo\Translation, xrefs: 00AA477C
StringFileInfo\, xrefs: 00AA4757

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 21ca1012f520246897d75376031718cac62c3ada1f27d1676f49648427a11b40
Instruction ID: 25eac8069deca81a4cf65159f7d486d447d53fe9979e7cfc5d4c8bb784cc727d
Opcode Fuzzy Hash: 21ca1012f520246897d75376031718cac62c3ada1f27d1676f49648427a11b40
Instruction Fuzzy Hash: 75410672A00204BBDB11A7749D43FBF77BCEF8A710F04056AF905E7182EB759A0197A5

Uniqueness

Uniqueness Score: -1.00%

Function 00A427D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A428BC
GetSystemMetrics.USER32(00000007), ref: 00A428C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A428EF
GetSystemMetrics.USER32(00000008), ref: 00A428F7
GetSystemMetrics.USER32(00000004), ref: 00A4291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A42939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A42949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A4297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A42990
GetClientRect.USER32(00000000,000000FF), ref: 00A429AE
GetStockObject.GDI32(00000011), ref: 00A429CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A429D5

Part of subcall function 00A42344: GetCursorPos.USER32(?), ref: 00A42357
Part of subcall function 00A42344: ScreenToClient.USER32(00B067B0,?), ref: 00A42374
Part of subcall function 00A42344: GetAsyncKeyState.USER32(00000001), ref: 00A42399
Part of subcall function 00A42344: GetAsyncKeyState.USER32(00000002), ref: 00A423A7

SetTimer.USER32(00000000,00000000,00000028,00A41256), ref: 00A429FC

Strings

AutoIt v3 GUI, xrefs: 00A42974

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: fcbc15e7c0c8d0915439418ca812f56024ccc6bbcc97f9aa62fcd83a360aa376
Instruction ID: ae095f07e5c214ec1b180a267df2a9efd908e60f65540f73e9645d4172618b18
Opcode Fuzzy Hash: fcbc15e7c0c8d0915439418ca812f56024ccc6bbcc97f9aa62fcd83a360aa376
Instruction Fuzzy Hash: 03B18E75A0020AEFDB14DFA8DC45FAE7BB5FB48314F118229FA15EB2A0DB749851CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00AC40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00AC41B6

Strings

ISSELECTED, xrefs: 00AC41C1
GETSELECTED, xrefs: 00AC42E4
SELECTCLEAR, xrefs: 00AC4235
SELECTALL, xrefs: 00AC421D
SELECT, xrefs: 00AC4250
DESELECT, xrefs: 00AC42A4
GETTEXT, xrefs: 00AC415F
GETSUBITEMCOUNT, xrefs: 00AC4141
GETSELECTEDCOUNT, xrefs: 00AC4199
SELECTINVERT, xrefs: 00AC4286
VIEWCHANGE, xrefs: 00AC4375
FINDITEM, xrefs: 00AC4329
GETITEMCOUNT, xrefs: 00AC4128

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 527bf313ef200f75114704f6fa8d88e232559d4889588c715ada0f3a76dc4461
Instruction ID: 0b1ef9358a9c085583ccaab2c8930e6504d20de5b89448685ea88b829bca2849
Opcode Fuzzy Hash: 527bf313ef200f75114704f6fa8d88e232559d4889588c715ada0f3a76dc4461
Instruction Fuzzy Hash: 77A17C342142459FCB14EF60CA62F6BB3F5AF88314F15496CB9969B392DB30EC06CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00AB52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00AB5309
LoadCursorW.USER32(00000000,00007F8A), ref: 00AB5314
LoadCursorW.USER32(00000000,00007F00), ref: 00AB531F
LoadCursorW.USER32(00000000,00007F03), ref: 00AB532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00AB5335
LoadCursorW.USER32(00000000,00007F01), ref: 00AB5340
LoadCursorW.USER32(00000000,00007F81), ref: 00AB534B
LoadCursorW.USER32(00000000,00007F88), ref: 00AB5356
LoadCursorW.USER32(00000000,00007F80), ref: 00AB5361
LoadCursorW.USER32(00000000,00007F86), ref: 00AB536C
LoadCursorW.USER32(00000000,00007F83), ref: 00AB5377
LoadCursorW.USER32(00000000,00007F85), ref: 00AB5382
LoadCursorW.USER32(00000000,00007F82), ref: 00AB538D
LoadCursorW.USER32(00000000,00007F84), ref: 00AB5398
LoadCursorW.USER32(00000000,00007F04), ref: 00AB53A3
LoadCursorW.USER32(00000000,00007F02), ref: 00AB53AE
GetCursorInfo.USER32(?), ref: 00AB53BE
GetLastError.KERNEL32(00000001,00000000), ref: 00AB53E9

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: f574549df8236822c2fd767210526c5262da4fa768ba8d0e0df098d55e427ff7
Instruction ID: 22ad17834909aade692bd95cc9031543d16b13863c8bdc25984de646202ef36d
Opcode Fuzzy Hash: f574549df8236822c2fd767210526c5262da4fa768ba8d0e0df098d55e427ff7
Instruction Fuzzy Hash: 73415170E043196ADB109FBA8C49DAFFFFDEF51B50B10452FE509E7291DAB8A4018E61

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A9AAA5
__swprintf.LIBCMT ref: 00A9AB46
_wcscmp.LIBCMT ref: 00A9AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A9ABAE
_wcscmp.LIBCMT ref: 00A9ABEA
GetClassNameW.USER32(?,?,00000400), ref: 00A9AC21
GetDlgCtrlID.USER32(?), ref: 00A9AC73
GetWindowRect.USER32(?,?), ref: 00A9ACA9
GetParent.USER32(?), ref: 00A9ACC7
ScreenToClient.USER32(00000000), ref: 00A9ACCE
GetClassNameW.USER32(?,?,00000100), ref: 00A9AD48
_wcscmp.LIBCMT ref: 00A9AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00A9AD82
_wcscmp.LIBCMT ref: 00A9AD96

Part of subcall function 00A6386C: _iswctype.LIBCMT ref: 00A63874

Strings

%s%u, xrefs: 00A9AB40

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 0f9e749fb9a43a2cfe1769155b92871f269a9a63aeee3268564c5367e2618436
Instruction ID: ea6b26cd3e2846a4827ec28e96d79c1f91ad0a9798471cb65334a86a0fc74ddc
Opcode Fuzzy Hash: 0f9e749fb9a43a2cfe1769155b92871f269a9a63aeee3268564c5367e2618436
Instruction Fuzzy Hash: 57A1BD71304606AFDB14DF64C984FAAB7E8FF24355F10862AF999C2590DB30E946CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00A9B3DB
_wcscmp.LIBCMT ref: 00A9B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00A9B414
CharUpperBuffW.USER32(?,00000000), ref: 00A9B431
_wcscmp.LIBCMT ref: 00A9B44F
_wcsstr.LIBCMT ref: 00A9B460
GetClassNameW.USER32(00000018,?,00000400), ref: 00A9B498
_wcscmp.LIBCMT ref: 00A9B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00A9B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00A9B518
_wcscmp.LIBCMT ref: 00A9B528
GetClassNameW.USER32(00000010,?,00000400), ref: 00A9B550
GetWindowRect.USER32(00000004,?), ref: 00A9B5B9

Strings

@, xrefs: 00A9B3BC
ThumbnailClass, xrefs: 00A9B4A3, 00A9B523

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 4a20a5a516689c82fa215c401740329942cbc166be173f17a3651deec83db4bb
Instruction ID: fa53f535c7aeb84f5ca2c8813d3b2e7139de9e6177958ea8d3d9544548fec9e0
Opcode Fuzzy Hash: 4a20a5a516689c82fa215c401740329942cbc166be173f17a3651deec83db4bb
Instruction Fuzzy Hash: 598180722143459FDF04DF10EA85FAA7BE8EF84314F048569FD859A092DB34ED46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A9B23F

Strings

[LAST, xrefs: 00A9B2EC
[HANDLE:, xrefs: 00A9B24B
CLASSNAME=, xrefs: 00A9B27C
ACTIVE, xrefs: 00A9B21A
[ACTIVE, xrefs: 00A9B22C
LAST, xrefs: 00A9B204
HANDLE=, xrefs: 00A9B238
[CLASS:, xrefs: 00A9B28F
ALL, xrefs: 00A9B2D3
REGEXP=, xrefs: 00A9B254
[ALL, xrefs: 00A9B2E5
[REGEXPTITLE:, xrefs: 00A9B267

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 96aa17f1cf1edec6ab5d70abfe2266734d6a208613da27b403189b118b242751
Instruction ID: 88de69c8f0b657289fcad24f13ce047e25a840a9e700a71d3a4dd31b65ac9163
Opcode Fuzzy Hash: 96aa17f1cf1edec6ab5d70abfe2266734d6a208613da27b403189b118b242751
Instruction Fuzzy Hash: 69318D35A14209A6DF14FBA0DF83FFE77B8AF20750F600525B551B20D2EF626E04C961

Uniqueness

Uniqueness Score: -1.00%

Function 00A9C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00A9C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A9C4E6
SetWindowTextW.USER32(?,?), ref: 00A9C4FD
GetDlgItem.USER32(?,000003EA), ref: 00A9C512
SetWindowTextW.USER32(00000000,?), ref: 00A9C518
GetDlgItem.USER32(?,000003E9), ref: 00A9C528
SetWindowTextW.USER32(00000000,?), ref: 00A9C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00A9C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00A9C569
GetWindowRect.USER32(?,?), ref: 00A9C572
SetWindowTextW.USER32(?,?), ref: 00A9C5DD
GetDesktopWindow.USER32 ref: 00A9C5E3
GetWindowRect.USER32(00000000), ref: 00A9C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00A9C636
GetClientRect.USER32(?,?), ref: 00A9C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00A9C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A9C693

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 023069a778bb28d52a8508596feb45e4391464070bc47569d64cde2f200e425f
Instruction ID: 956a676c1fe09d0a2dc516985514771e3ff7b8e1da60268d0a73827c985a0ed3
Opcode Fuzzy Hash: 023069a778bb28d52a8508596feb45e4391464070bc47569d64cde2f200e425f
Instruction Fuzzy Hash: 30515071A00B09AFDF20DFA8DE89F6EBBF5FF04715F014528E686A25A0D774A905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ACA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ACA4C8
DestroyWindow.USER32(?,?), ref: 00ACA542

Part of subcall function 00A47D2C: _memmove.LIBCMT ref: 00A47D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00ACA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00ACA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ACA5F1
DestroyWindow.USER32(00000000), ref: 00ACA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A40000,00000000), ref: 00ACA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ACA663
GetDesktopWindow.USER32 ref: 00ACA67C
GetWindowRect.USER32(00000000), ref: 00ACA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00ACA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00ACA6B3

Part of subcall function 00A425DB: GetWindowLongW.USER32(?,000000EB), ref: 00A425EC

Strings

tooltips_class32, xrefs: 00ACA5B5, 00ACA643
0, xrefs: 00ACA4DE

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 2c6a584981bf05fbd1bffe3f2ba2f1f073a966b473147fe27d33f41e644cd161
Instruction ID: 7c91f3e2a96406d2af006cd3dae0a7d6fe125e99a1b8b0dabb914afad55c4726
Opcode Fuzzy Hash: 2c6a584981bf05fbd1bffe3f2ba2f1f073a966b473147fe27d33f41e644cd161
Instruction Fuzzy Hash: 83719B75140249AFD720CF28DC49F7A7BE6FBA8308F09452DF985872A0DB70E906DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00ACC8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623

DragQueryPoint.SHELL32(?,?), ref: 00ACC917

Part of subcall function 00ACADF1: ClientToScreen.USER32(?,?), ref: 00ACAE1A
Part of subcall function 00ACADF1: GetWindowRect.USER32(?,?), ref: 00ACAE90
Part of subcall function 00ACADF1: PtInRect.USER32(?,?,00ACC304), ref: 00ACAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00ACC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00ACC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00ACC9AE
_wcscat.LIBCMT ref: 00ACC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00ACC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00ACCA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00ACCA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00ACCA47
DragFinish.SHELL32(?), ref: 00ACCA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00ACCB41

Strings

@GUI_DRAGFILE, xrefs: 00ACCAF0
@GUI_DRAGID, xrefs: 00ACCAB9
@GUI_DROPID, xrefs: 00ACCA6E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 72726165937069eaf0ba6d15ef8531dd6b24f2f209aae034d14de823e0fc4323
Instruction ID: ac01fd64a3c8b98e60da60d515f22b82874db812dc20146d466256de09d4356e
Opcode Fuzzy Hash: 72726165937069eaf0ba6d15ef8531dd6b24f2f209aae034d14de823e0fc4323
Instruction Fuzzy Hash: 49616971108301AFC701DFA4CD85EAFBBE9EFD8750F00092EF595962A1DB309A4ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00AC46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AC46F6

Strings

GETTOTALCOUNT, xrefs: 00AC46DD
CHECK, xrefs: 00AC4716
GETTEXT, xrefs: 00AC4849
GETSELECTED, xrefs: 00AC4806
ISCHECKED, xrefs: 00AC4879
SELECT, xrefs: 00AC48A7
EXPAND, xrefs: 00AC47A8
COLLAPSE, xrefs: 00AC473C
UNCHECK, xrefs: 00AC48D2
GETITEMCOUNT, xrefs: 00AC47D8
EXISTS, xrefs: 00AC475F

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: a91a028e0e7b64da3e3070df0f683455e5eb2a9128502a6c5ed1ef74558a1476
Instruction ID: fbe07e49b356a30a980179104246bcd86772b567849f65e98939dc1cb2f38655
Opcode Fuzzy Hash: a91a028e0e7b64da3e3070df0f683455e5eb2a9128502a6c5ed1ef74558a1476
Instruction Fuzzy Hash: C9916C342043159FCB14EF20C561F6BB7E1AF98354F05886DB8965B3A2CB30ED5ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 00ACBAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00ACBB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00AC9431), ref: 00ACBBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00ACBC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00ACBC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00ACBC7D
FreeLibrary.KERNEL32(?), ref: 00ACBC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00ACBC99
DestroyIcon.USER32(?,?,?,?,?,00AC9431), ref: 00ACBCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00ACBCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00ACBCD1

Part of subcall function 00A6313D: __wcsicmp_l.LIBCMT ref: 00A631C6

Strings

.icl, xrefs: 00ACBAE4
.dll, xrefs: 00ACBB27
.exe, xrefs: 00ACBB04

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 6f790923833d12d714980a01db06c180b772ec8971bfc363a76216e9df6e5494
Instruction ID: 0d8f040821a2ac92b5ef8a187b996af878f2fac470d5ec902d239d9fbac56a89
Opcode Fuzzy Hash: 6f790923833d12d714980a01db06c180b772ec8971bfc363a76216e9df6e5494
Instruction Fuzzy Hash: 5B61DE71A10619BEEB14DF64CD82FBE7BB8EB08710F104219F915D61D0DB76AA91CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A49997: __itow.LIBCMT ref: 00A499C2
Part of subcall function 00A49997: __swprintf.LIBCMT ref: 00A49A0C

CharLowerBuffW.USER32(?,?), ref: 00AAA636
GetDriveTypeW.KERNEL32 ref: 00AAA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AAA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AAA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AAA730

Part of subcall function 00A47D2C: _memmove.LIBCMT ref: 00A47D66

Strings

type cdaudio alias cd wait, xrefs: 00AAA6AE
close cd wait, xrefs: 00AAA71B
open , xrefs: 00AAA692
wait, xrefs: 00AAA6ED
open, xrefs: 00AAA65D
set cd door , xrefs: 00AAA6D1
closed, xrefs: 00AAA64A, 00AAA653
close, xrefs: 00AAA63C

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: e881dd8613fd986bef5e9ee8cd8421d1611b2c20b0bfde24140941807ee308c0
Instruction ID: 1d93b8e6a595fb923397fc4426a61c1403fe826c1c1f2c008b266df65a775006
Opcode Fuzzy Hash: e881dd8613fd986bef5e9ee8cd8421d1611b2c20b0bfde24140941807ee308c0
Instruction Fuzzy Hash: 76515B751043459FC740EF20CA8186BB7F4FF98758F14496DF89A972A1DB31AE0ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AAA47A
__swprintf.LIBCMT ref: 00AAA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00AAA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00AAA4FE
_memset.LIBCMT ref: 00AAA51D
_wcsncpy.LIBCMT ref: 00AAA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00AAA58E
CloseHandle.KERNEL32(00000000), ref: 00AAA599
RemoveDirectoryW.KERNEL32(?), ref: 00AAA5A2
CloseHandle.KERNEL32(00000000), ref: 00AAA5AC

Strings

\??\%s, xrefs: 00AAA496
:, xrefs: 00AAA4BD
\, xrefs: 00AAA4B2

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: cdb448bd10051b58dd80be2a9162a305c0901f5039e5762da25d533e0dab5d08
Instruction ID: 21ba970caa888c9f52ba60a03ed0e29c3c9dcb14086dcf7feed6ff98bfa8b592
Opcode Fuzzy Hash: cdb448bd10051b58dd80be2a9162a305c0901f5039e5762da25d533e0dab5d08
Instruction Fuzzy Hash: F63172B690011AABDB21DFA0DC49FEB77BDEF89701F1041B6F908D6190E7709645CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00AADB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00AADC7B
_wcscat.LIBCMT ref: 00AADC93
_wcscat.LIBCMT ref: 00AADCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AADCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 00AADCCE
GetFileAttributesW.KERNEL32(?), ref: 00AADCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 00AADD00
SetCurrentDirectoryW.KERNEL32(?), ref: 00AADD12

Strings

*.*, xrefs: 00AADD51

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: b3b4ad524f630b88eacf89f3d66b1c5bc478f79a0f1b652f98777d5f085ed8fb
Instruction ID: 2e334c4b04c230347c6436cafa8850b9f0009ec08ccb0b5fe8884d98f22db096
Opcode Fuzzy Hash: b3b4ad524f630b88eacf89f3d66b1c5bc478f79a0f1b652f98777d5f085ed8fb
Instruction Fuzzy Hash: E68182755043419FCB64EF24C9459ABB7E8BB8A310F15882EF8CACB691E730D945CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00ACC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00ACC4EC
GetFocus.USER32 ref: 00ACC4FC
GetDlgCtrlID.USER32(00000000), ref: 00ACC507
_memset.LIBCMT ref: 00ACC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00ACC65D
GetMenuItemCount.USER32(?), ref: 00ACC67D
GetMenuItemID.USER32(?,00000000), ref: 00ACC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00ACC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00ACC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00ACC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00ACC779

Strings

0, xrefs: 00ACC62A

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: a6a84389dd39bc9ec016ee20a1505a869eba39f678241e52f596f5ae5b5c5b5c
Instruction ID: d30fee3168853dc8abc316fa8ad4be5c3b6de37e99f9a587b632775bf67784b1
Opcode Fuzzy Hash: a6a84389dd39bc9ec016ee20a1505a869eba39f678241e52f596f5ae5b5c5b5c
Instruction Fuzzy Hash: 76815C712083159FDB10CF24C984F6BBBE9EB88724F02452DF99997291D770D905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A983F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A9874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A98766
Part of subcall function 00A9874A: GetLastError.KERNEL32(?,00A9822A,?,?,?), ref: 00A98770
Part of subcall function 00A9874A: GetProcessHeap.KERNEL32(00000008,?,?,00A9822A,?,?,?), ref: 00A9877F
Part of subcall function 00A9874A: HeapAlloc.KERNEL32(00000000,?,00A9822A,?,?,?), ref: 00A98786
Part of subcall function 00A9874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A9879D

Part of subcall function 00A987E7: GetProcessHeap.KERNEL32(00000008,00A98240,00000000,00000000,?,00A98240,?), ref: 00A987F3
Part of subcall function 00A987E7: HeapAlloc.KERNEL32(00000000,?,00A98240,?), ref: 00A987FA
Part of subcall function 00A987E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A98240,?), ref: 00A9880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A98458
_memset.LIBCMT ref: 00A9846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A9848C
GetLengthSid.ADVAPI32(?), ref: 00A9849D
GetAce.ADVAPI32(?,00000000,?), ref: 00A984DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A984F6
GetLengthSid.ADVAPI32(?), ref: 00A98513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A98522
HeapAlloc.KERNEL32(00000000), ref: 00A98529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A9854A
CopySid.ADVAPI32(00000000), ref: 00A98551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A98582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A985A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A985BC

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 45ff7e8e588039d3b730e2e72221ee20a7d1c2746648b0d9730d502cd7569e6d
Instruction ID: 011f834ebd128b55a726145642ce6c653aaa60387aef67f6a43a2106e97b779a
Opcode Fuzzy Hash: 45ff7e8e588039d3b730e2e72221ee20a7d1c2746648b0d9730d502cd7569e6d
Instruction Fuzzy Hash: FE613971A00209EFDF00DFA4DD45EAEBBB9FF05700F14816AE915A7291EB359A05CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00AB762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AB76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00AB76AE
CreateCompatibleDC.GDI32(?), ref: 00AB76BA
SelectObject.GDI32(00000000,?), ref: 00AB76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00AB771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00AB7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00AB777B
SelectObject.GDI32(00000006,?), ref: 00AB7783
DeleteObject.GDI32(?), ref: 00AB778C
DeleteDC.GDI32(00000006), ref: 00AB7793
ReleaseDC.USER32(00000000,?), ref: 00AB779E

Strings

(, xrefs: 00AB7723

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 1565e7a5a143f5726e0276f31762cab9072492d1846259ae867ee0254f169f19
Instruction ID: 1b429b2492b697f6ea3814f5ce14dfa55a32d59bb41ee84eeebdae679a3d9f97
Opcode Fuzzy Hash: 1565e7a5a143f5726e0276f31762cab9072492d1846259ae867ee0254f169f19
Instruction Fuzzy Hash: E8516875904209EFCB15CFA8CC84EEEBBB9EF48710F14852DF99A97211D771A841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00ACFB78), ref: 00AAA0FC

Part of subcall function 00A47F41: _memmove.LIBCMT ref: 00A47F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00AAA11E
__swprintf.LIBCMT ref: 00AAA177
__swprintf.LIBCMT ref: 00AAA190
_wprintf.LIBCMT ref: 00AAA246
_wprintf.LIBCMT ref: 00AAA264

Strings

"%s" (%d) : ==> %s:, xrefs: 00AAA25F
Line %d (File "%s"):, xrefs: 00AAA171, 00AAA18A
^ ERROR, xrefs: 00AAA1E8
Error: , xrefs: 00AAA20E
"%s" (%d) : ==> %s:%s%s, xrefs: 00AAA241

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 9134767778a7ec2c42add666105ee99513210892a0eb2eb5e396b2cb2404ee16
Instruction ID: 81ee2880f255bb9ae39cbc2268899ece6c24b374590d4435f4c728f78de3922e
Opcode Fuzzy Hash: 9134767778a7ec2c42add666105ee99513210892a0eb2eb5e396b2cb2404ee16
Instruction Fuzzy Hash: F4518C72900259BBCF15EBE0CE86EEEB7B8AF64300F104165F505630A2EB316F58CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A46BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00A60B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A46C6C,?,00008000), ref: 00A60BB7

Part of subcall function 00A448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A448A1,?,?,00A437C0,?), ref: 00A448CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A46D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00A46E5A

Part of subcall function 00A459CD: _wcscpy.LIBCMT ref: 00A45A05

Part of subcall function 00A6387D: _iswctype.LIBCMT ref: 00A63885

Strings

Unterminated string, xrefs: 00A7EC0D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00A7E84A
AU3!, xrefs: 00A46CC1
>>>AUTOIT SCRIPT<<<, xrefs: 00A7E8BF
Error opening the file, xrefs: 00A7E866, 00A7E8E1
EA06, xrefs: 00A7E87B
Bad directive syntax error, xrefs: 00A7EBC6

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: dd4845a75fb9a0eb70270bd55e44b458e81d5b2ff5bb226e708db1d72b376af6
Instruction ID: 313f514eb8b56ed09c5585e82c1a56effcec523fbf15ad18cdc7bcf12e860380
Opcode Fuzzy Hash: dd4845a75fb9a0eb70270bd55e44b458e81d5b2ff5bb226e708db1d72b376af6
Instruction Fuzzy Hash: 5B026C355083419FC724EF24C981AAFBBE5BFD9354F14892DF48A972A2DB30D949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00A445DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A445F9
GetMenuItemCount.USER32(00B06890), ref: 00A7D7CD
GetMenuItemCount.USER32(00B06890), ref: 00A7D87D
GetCursorPos.USER32(?), ref: 00A7D8C1
SetForegroundWindow.USER32(00000000), ref: 00A7D8CA
TrackPopupMenuEx.USER32(00B06890,00000000,?,00000000,00000000,00000000), ref: 00A7D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A7D8E9

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 0f1a36ad9df7546402a9e0908a836c03267f7e506d9848d066ef2fc4a2478bff
Instruction ID: e259e147734ad011b54cfd808741ac3d0712e439640f103dfedc9a718ddb856c
Opcode Fuzzy Hash: 0f1a36ad9df7546402a9e0908a836c03267f7e506d9848d066ef2fc4a2478bff
Instruction Fuzzy Hash: 70710574601209BFEB249F64DC85FAAFF75FF45364F208216F519AA1E0C7B16820DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AC0038,?,?), ref: 00AC10BC

Strings

HKLM, xrefs: 00AC113A
HKCU, xrefs: 00AC11AC
HKU, xrefs: 00AC11CE
HKEY_CLASSES_ROOT, xrefs: 00AC114F
HKEY_CURRENT_CONFIG, xrefs: 00AC1179
HKEY_LOCAL_MACHINE, xrefs: 00AC1125
HKEY_USERS, xrefs: 00AC11BD
HKCR, xrefs: 00AC1164
HKCC, xrefs: 00AC118A
HKEY_CURRENT_USER, xrefs: 00AC119B

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 68715e4cfa230f03c6e4629275e652809571e84db91f890254b3c8262383a55c
Instruction ID: 37c4b2dcb17d5097689f03f622ad6e374cb281e68edaf07719746190627c7015
Opcode Fuzzy Hash: 68715e4cfa230f03c6e4629275e652809571e84db91f890254b3c8262383a55c
Instruction Fuzzy Hash: 48412A3425024EDFCF10EF90DA91EEA3734AF52340F554668FE915B292DB30AD5ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AA5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00A47D2C: _memmove.LIBCMT ref: 00A47D66

Part of subcall function 00A47A84: _memmove.LIBCMT ref: 00A47B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00AA55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00AA55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AA55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00AA560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00AA561C

Strings

status PlayMe mode, xrefs: 00AA55CD
play PlayMe wait, xrefs: 00AA5606
open , xrefs: 00AA5581
play PlayMe, xrefs: 00AA5617
alias PlayMe, xrefs: 00AA55AB
close PlayMe, xrefs: 00AA55E3, 00AA5610

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: c3911a7eda1bd41ae7b5022bf24bfcb20d7f02b3a417c8ec833bff6ff4112976
Instruction ID: 605631c3a9b092ab03d77d0a0b8b3efe4a32412ddaf143a5468c7c71bc4ca9f4
Opcode Fuzzy Hash: c3911a7eda1bd41ae7b5022bf24bfcb20d7f02b3a417c8ec833bff6ff4112976
Instruction Fuzzy Hash: C6116068D501AD79D720A7B1CC8ADFFBA7CFFE2B40F440969B505A70D1DB601D05C5A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AA48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00AA490E
gethostname.WSOCK32(?,00000100), ref: 00AA4928
gethostbyname.WSOCK32(?), ref: 00AA4935
_wcscpy.LIBCMT ref: 00AA495D
_memmove.LIBCMT ref: 00AA4970
inet_ntoa.WSOCK32(?), ref: 00AA497B
_strcat.LIBCMT ref: 00AA4989
_wcscpy.LIBCMT ref: 00AA49A0
WSACleanup.WSOCK32 ref: 00AA49AE
_wcscpy.LIBCMT ref: 00AA49BC

Strings

0.0.0.0, xrefs: 00AA4957

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: f07ce18c2d93284eaa53c671cce0fbd756cf0a8cb4671161b39c0edef9e887d0
Instruction ID: a045d9a98d9537ea9055e4f347fa62d385b35bd7a48c90b904c31c25cb8497bb
Opcode Fuzzy Hash: f07ce18c2d93284eaa53c671cce0fbd756cf0a8cb4671161b39c0edef9e887d0
Instruction Fuzzy Hash: E211D231904114AFCF20EB64DD0AEEB77BCDB46720F0541B6F409A70D1EFB19A9287A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AA5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00AA521C

Part of subcall function 00A60719: timeGetTime.WINMM(?,7608B400,00A50FF9), ref: 00A6071D

Sleep.KERNEL32(0000000A), ref: 00AA5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00AA526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00AA528E
SetActiveWindow.USER32 ref: 00AA52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00AA52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00AA52DA
Sleep.KERNEL32(000000FA), ref: 00AA52E5
IsWindow.USER32 ref: 00AA52F1
EndDialog.USER32(00000000), ref: 00AA5302

Strings

BUTTON, xrefs: 00AA5280

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 4c8f6b7364f1bde43ef733d349731ad9e5699b6a687594c3bc7865e093891208
Instruction ID: d3254af8e6a99f3141cdc9339de754133a6fc7667eeed8985a2129aa25c14494
Opcode Fuzzy Hash: 4c8f6b7364f1bde43ef733d349731ad9e5699b6a687594c3bc7865e093891208
Instruction Fuzzy Hash: 1C21C270644744BFEB009BB0ED98FB67B6AEB66346B051428F101831F1DFB1AC458B25

Uniqueness

Uniqueness Score: -1.00%

Function 00AAD7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A49997: __itow.LIBCMT ref: 00A499C2
Part of subcall function 00A49997: __swprintf.LIBCMT ref: 00A49A0C

CoInitialize.OLE32(00000000), ref: 00AAD855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00AAD8E8
SHGetDesktopFolder.SHELL32(?), ref: 00AAD8FC
CoCreateInstance.OLE32(00AD2D7C,00000000,00000001,00AFA89C,?), ref: 00AAD948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00AAD9B7
CoTaskMemFree.OLE32(?,?), ref: 00AADA0F
_memset.LIBCMT ref: 00AADA4C
SHBrowseForFolderW.SHELL32(?), ref: 00AADA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00AADAAB
CoTaskMemFree.OLE32(00000000), ref: 00AADAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00AADAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00AADAEB

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 94fd74b5f7a792594dc0271b68a52953dd54c9f1aeaa669cba0bafd8800e5068
Instruction ID: f62c5e03f429b64307555626698cdeaa90effe8cdf321992f0896fc7682569f2
Opcode Fuzzy Hash: 94fd74b5f7a792594dc0271b68a52953dd54c9f1aeaa669cba0bafd8800e5068
Instruction Fuzzy Hash: F7B1FE75A00109AFDB04DFA4C988DAEBBF9FF89304B148469F54AEB261DB30ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AA052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00AA05A7
SetKeyboardState.USER32(?), ref: 00AA0612
GetAsyncKeyState.USER32(000000A0), ref: 00AA0632
GetKeyState.USER32(000000A0), ref: 00AA0649
GetAsyncKeyState.USER32(000000A1), ref: 00AA0678
GetKeyState.USER32(000000A1), ref: 00AA0689
GetAsyncKeyState.USER32(00000011), ref: 00AA06B5
GetKeyState.USER32(00000011), ref: 00AA06C3
GetAsyncKeyState.USER32(00000012), ref: 00AA06EC
GetKeyState.USER32(00000012), ref: 00AA06FA
GetAsyncKeyState.USER32(0000005B), ref: 00AA0723
GetKeyState.USER32(0000005B), ref: 00AA0731

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d6c7434ed9a9dbe24b8cf00883a6231125fc7b91c20808e6323f69d3c8274c74
Instruction ID: f25383f1bdfb0c73a27104b844394e0b1fe1ad1abff53a18fe8783bec299c688
Opcode Fuzzy Hash: d6c7434ed9a9dbe24b8cf00883a6231125fc7b91c20808e6323f69d3c8274c74
Instruction Fuzzy Hash: 7B51CB60E0478929FB35DBA08954FEABFB59F13380F08859DD5C25B1C2DBA4AA4CCB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A9C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A9C746
GetWindowRect.USER32(00000000,?), ref: 00A9C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00A9C7B6
GetDlgItem.USER32(?,00000002), ref: 00A9C7C1
GetWindowRect.USER32(00000000,?), ref: 00A9C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00A9C827
GetDlgItem.USER32(?,000003E9), ref: 00A9C835
GetWindowRect.USER32(00000000,?), ref: 00A9C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00A9C889
GetDlgItem.USER32(?,000003EA), ref: 00A9C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A9C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00A9C8C1

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: c6f504f8dd44ebbd91c9d188c97472b29ef186636d9a9cd6cd7219f24b99a22c
Instruction ID: 83d70ec468c1468065b9e757b72320a9618362866e6396043544c8d336d4c805
Opcode Fuzzy Hash: c6f504f8dd44ebbd91c9d188c97472b29ef186636d9a9cd6cd7219f24b99a22c
Instruction Fuzzy Hash: 08512E71B00605AFDF18CFA9DD99EAEBBBAEB88311F14812DF516D7290D7709E018B50

Uniqueness

Uniqueness Score: -1.00%

Function 00A4201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A41B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A42036,?,00000000,?,?,?,?,00A416CB,00000000,?), ref: 00A41B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A420D3
KillTimer.USER32(-00000001,?,?,?,?,00A416CB,00000000,?,?,00A41AE2,?,?), ref: 00A4216E
DestroyAcceleratorTable.USER32(00000000), ref: 00A7BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A416CB,00000000,?,?,00A41AE2,?,?), ref: 00A7BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A416CB,00000000,?,?,00A41AE2,?,?), ref: 00A7BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A416CB,00000000,?,?,00A41AE2,?,?), ref: 00A7BF5A
DeleteObject.GDI32(00000000), ref: 00A7BF6C

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: ccb6a2e526d9d02d7ef89f70b1000fce9c92a7f15bdd9df5085e7d033809c3d4
Instruction ID: 60c85dbbc623b459d2429ed53febfb7195322d26f74d80f1f00b6d9fedb4882d
Opcode Fuzzy Hash: ccb6a2e526d9d02d7ef89f70b1000fce9c92a7f15bdd9df5085e7d033809c3d4
Instruction Fuzzy Hash: 65615539110610DFCB259F18DD48B2AB7F2FBA0716F50C529E5468BAA0CB71ACA1DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A421A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00A425DB: GetWindowLongW.USER32(?,000000EB), ref: 00A425EC

GetSysColor.USER32(0000000F), ref: 00A421D3

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e5f8334f10a68cfcc2e797714e6d85c703dec07544f76d2da199bd8193531415
Instruction ID: c2d2804a34d69ad847384ac8479187c739736a736f735231d08b737320a2d6cd
Opcode Fuzzy Hash: e5f8334f10a68cfcc2e797714e6d85c703dec07544f76d2da199bd8193531415
Instruction Fuzzy Hash: 8741C3350001509FDB219F68EC88BF93B66EB86331F998375FE658A1E2C7718C42DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AAAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00ACF910), ref: 00AAAB76
GetDriveTypeW.KERNEL32(00000061,00AFA620,00000061), ref: 00AAAC40
_wcscpy.LIBCMT ref: 00AAAC6A

Strings

unknown, xrefs: 00AAAC01
cdrom, xrefs: 00AAAB92
ramdisk, xrefs: 00AAABEA
network, xrefs: 00AAABD4
fixed, xrefs: 00AAABBE
removable, xrefs: 00AAABA8
all, xrefs: 00AAAB7C

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 42e22f19d72d741702b0e5c789b6a4d9bff40bdf7c91a1ea455e8f5a407ffca2
Instruction ID: c983df7f7fc9fef40277406bdcb0741b8d672c676a47671fa77c22a752eccc5f
Opcode Fuzzy Hash: 42e22f19d72d741702b0e5c789b6a4d9bff40bdf7c91a1ea455e8f5a407ffca2
Instruction Fuzzy Hash: D7519934108301AFC710EF58C981AAFB7E6EFA1300F10482DF586972E2DB319D4ACA53

Uniqueness

Uniqueness Score: -1.00%

Function 00A49997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00A499C2
__swprintf.LIBCMT ref: 00A49A0C
__i64tow.LIBCMT ref: 00A7FA0F

Strings

%.15g, xrefs: 00A49A06
False, xrefs: 00A7F9D7
0x%p, xrefs: 00A7F9F1
True, xrefs: 00A7F9D0

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: dc9099c2e4e5cfcb4da9f3466f045fbc04fcf6a780089a19242e10f0abea45b4
Instruction ID: 6db8fb7167bca9c3deb144762c6e2ce0a2f9674783229a4fb348867f2e03ab60
Opcode Fuzzy Hash: dc9099c2e4e5cfcb4da9f3466f045fbc04fcf6a780089a19242e10f0abea45b4
Instruction Fuzzy Hash: 6E41B276604205AFDB24DB78DD42F7B77F8EB84300F20886EE64DD7292EA719942CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00AC73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AC73D9
CreateMenu.USER32 ref: 00AC73F4
SetMenu.USER32(?,00000000), ref: 00AC7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AC7490
IsMenu.USER32(?), ref: 00AC74A6
CreatePopupMenu.USER32 ref: 00AC74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AC74DD
DrawMenuBar.USER32 ref: 00AC74E5

Strings

0, xrefs: 00AC73CF
F, xrefs: 00AC74D1

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 70b5390de6f53648beb30ccd2b9e72cd6418fd55a6cf0f8aa538303ba7fcf0b8
Instruction ID: f1a1e537030ad96a851b8d6179863bb15736c39c3d41e96eb03acf553397e54d
Opcode Fuzzy Hash: 70b5390de6f53648beb30ccd2b9e72cd6418fd55a6cf0f8aa538303ba7fcf0b8
Instruction Fuzzy Hash: 6341F579A01209EFDB24DFA4D984F9ABBF9FF49310F164029EA5597360DB31A920CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00AC772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00AC77CD
CreateCompatibleDC.GDI32(00000000), ref: 00AC77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00AC77E7
SelectObject.GDI32(00000000,00000000), ref: 00AC77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00AC77FA
DeleteDC.GDI32(00000000), ref: 00AC7803
GetWindowLongW.USER32(?,000000EC), ref: 00AC780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00AC7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00AC782D

Strings

static, xrefs: 00AC7765

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: b10f7b7c1a1f0c69082ab796381647c0873de870e8317b117c67558795b54671
Instruction ID: 564d04e74a3898d61c7bcfb45de3b6f191b4c6d40e6e2522e5bcc6a448b3fe3a
Opcode Fuzzy Hash: b10f7b7c1a1f0c69082ab796381647c0873de870e8317b117c67558795b54671
Instruction Fuzzy Hash: C2316D31105119BFDF119FA4DC09FDA3B6AFF09724F120229FA15A61A0DB31D862DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A67040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A6707B

Part of subcall function 00A68D68: __getptd_noexit.LIBCMT ref: 00A68D68

__gmtime64_s.LIBCMT ref: 00A67114
__gmtime64_s.LIBCMT ref: 00A6714A
__gmtime64_s.LIBCMT ref: 00A67167
__allrem.LIBCMT ref: 00A671BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A671D9
__allrem.LIBCMT ref: 00A671F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A6720E
__allrem.LIBCMT ref: 00A67225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A67243
__invoke_watson.LIBCMT ref: 00A672B4

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 405ed3c0c415ed3b67f80d4dc94f893c5a4e000e5e41f893d6bf1676a5499260
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 67712A72A14717ABEB149F79CD51BAEB3B8AF15328F14823AF514E7281E770DD408B90

Uniqueness

Uniqueness Score: -1.00%

Function 00AA2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA2A31
GetMenuItemInfoW.USER32(00B06890,000000FF,00000000,00000030), ref: 00AA2A92
SetMenuItemInfoW.USER32(00B06890,00000004,00000000,00000030), ref: 00AA2AC8
Sleep.KERNEL32(000001F4), ref: 00AA2ADA
GetMenuItemCount.USER32(?), ref: 00AA2B1E
GetMenuItemID.USER32(?,00000000), ref: 00AA2B3A
GetMenuItemID.USER32(?,-00000001), ref: 00AA2B64
GetMenuItemID.USER32(?,?), ref: 00AA2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AA2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AA2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AA2C24

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 9555cbdca145cb28f2a78507baedc0db914ae48f31b1d4a0f43c8f9d3e3aef1a
Instruction ID: 7a730810a211e7d72eaf9654237a20a065ec12703c69e8a55dceb27104a78c12
Opcode Fuzzy Hash: 9555cbdca145cb28f2a78507baedc0db914ae48f31b1d4a0f43c8f9d3e3aef1a
Instruction Fuzzy Hash: C261B2B0900249AFDB21CFA8CD88FBEBBB9EB46354F144559E84197291D731AD26DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00AC7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00AC7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00AC7217
GetWindowLongW.USER32(?,000000F0), ref: 00AC723B
_memset.LIBCMT ref: 00AC724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AC725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00AC72D6

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 1833d0289687bbc2e5873c73ea8ea5c418917621e67bf3649e1cc01288a13891
Instruction ID: ba9d0e0bf7d97a52427c4fd07c61c81bff1239ec61565f9f519aeeb533425d2c
Opcode Fuzzy Hash: 1833d0289687bbc2e5873c73ea8ea5c418917621e67bf3649e1cc01288a13891
Instruction Fuzzy Hash: 46616871A00248AFDB10DFA4CD81FEE77F8AB09710F15415AFA14AB2A1D770AE41DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A9710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A97135
SafeArrayAllocData.OLEAUT32(?), ref: 00A9718E
VariantInit.OLEAUT32(?), ref: 00A971A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A971C0
VariantCopy.OLEAUT32(?,?), ref: 00A97213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A97227
VariantClear.OLEAUT32(?), ref: 00A9723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00A97249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A97252
VariantClear.OLEAUT32(?), ref: 00A97264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A9726F

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 7faef15a6c1ae9bda4fa340ec6cf69a92b31d3e5cd9b1e048524976f4330a088
Instruction ID: 0985d8353abc234b7bef5436e689f672c21fb02c0e765299006e5565b3d3b809
Opcode Fuzzy Hash: 7faef15a6c1ae9bda4fa340ec6cf69a92b31d3e5cd9b1e048524976f4330a088
Instruction Fuzzy Hash: 31415F75A10219AFCF04DFA8D944DEEBBF9FF48354F018069F915A7261CB30A946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AB5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00AB5AA6
inet_addr.WSOCK32(?,?,?), ref: 00AB5AEB
gethostbyname.WSOCK32(?), ref: 00AB5AF7
IcmpCreateFile.IPHLPAPI ref: 00AB5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00AB5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00AB5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00AB5C00
WSACleanup.WSOCK32 ref: 00AB5C06

Strings

Ping, xrefs: 00AB5B29

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: c207695b15c2f5d7db0c140ceaae6dceabcc557fe745fc127ae72f6be8b8d1b8
Instruction ID: 22608f97cdf1296231c1457dd17675af36165b54c662f7921a0a61166878ef02
Opcode Fuzzy Hash: c207695b15c2f5d7db0c140ceaae6dceabcc557fe745fc127ae72f6be8b8d1b8
Instruction Fuzzy Hash: 42516E31A047009FDB10EF74CD89B6ABBE9EF88750F148929F555DB2A2EB70E841DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00AAB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AAB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00AAB7B1
GetLastError.KERNEL32 ref: 00AAB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00AAB828

Strings

READONLY, xrefs: 00AAB7F3
UNKNOWN, xrefs: 00AAB7E0
READY, xrefs: 00AAB801
INVALID, xrefs: 00AAB7FA
NOTREADY, xrefs: 00AAB7E7

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e85d7fb029b49daf6969ea20f267eff89eeb33be0ba5743889d63a4c5e583b84
Instruction ID: 2538febadcf2a931a20505d2a541689ae7c01a0a143489b130aa493c9d76d76e
Opcode Fuzzy Hash: e85d7fb029b49daf6969ea20f267eff89eeb33be0ba5743889d63a4c5e583b84
Instruction Fuzzy Hash: 6B318535A01209AFDB10EFA4C985ABE7BB4FF96740F144025F506D72D2DBB19942C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A99471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A47F41: _memmove.LIBCMT ref: 00A47F82

Part of subcall function 00A9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00A9B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00A994F6
GetDlgCtrlID.USER32 ref: 00A99501
GetParent.USER32 ref: 00A9951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A99520
GetDlgCtrlID.USER32(?), ref: 00A99529
GetParent.USER32(?), ref: 00A99545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A99548

Strings

ComboBox, xrefs: 00A9947E
ListBox, xrefs: 00A994B3

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 7b12a3f3dab92b8987bca310eceeb05e7fd3bdf1f9f993715631aa6152a64e00
Instruction ID: 541f30842f1c150b7a5552a0d8c81fd71797ab1443929ba2f4212e7f709070d5
Opcode Fuzzy Hash: 7b12a3f3dab92b8987bca310eceeb05e7fd3bdf1f9f993715631aa6152a64e00
Instruction Fuzzy Hash: 5321C174A00208BFDF05EBA4CC85EFEBBB5EF89300F114129B961972A2DB755919DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A9955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A47F41: _memmove.LIBCMT ref: 00A47F82

Part of subcall function 00A9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00A9B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00A995DF
GetDlgCtrlID.USER32 ref: 00A995EA
GetParent.USER32 ref: 00A99606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A99609
GetDlgCtrlID.USER32(?), ref: 00A99612
GetParent.USER32(?), ref: 00A9962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A99631

Strings

ComboBox, xrefs: 00A99569
ListBox, xrefs: 00A9959E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 030e71b67dfaa5e6f2c070f5f8e3d5ce62e31465e7677a9809237442f581a283
Instruction ID: 4ab99baddd7dc729eb1609e0ff8640131e35f033638b538ae7fc6077acab3bde
Opcode Fuzzy Hash: 030e71b67dfaa5e6f2c070f5f8e3d5ce62e31465e7677a9809237442f581a283
Instruction Fuzzy Hash: 1621B374A00248BFDF05EBA4CD85EFFBBB9EF98300F114019BA51972A1DB759919DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A99645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A99651
GetClassNameW.USER32(00000000,?,00000100), ref: 00A99666
_wcscmp.LIBCMT ref: 00A99678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A996F3

Strings

largeicons, xrefs: 00A99687
smallicons, xrefs: 00A996BB
SHELLDLL_DefView, xrefs: 00A99672
details, xrefs: 00A996A1
list, xrefs: 00A996D5

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 29d706807baaf21527e9e5415b4b9a39538bfbc32713fc617f3a199189692bf9
Instruction ID: c58ec52cd7117273e147909ec1b29ddb92d914180f3f828c940d5541983548c9
Opcode Fuzzy Hash: 29d706807baaf21527e9e5415b4b9a39538bfbc32713fc617f3a199189692bf9
Instruction Fuzzy Hash: F811E977348317BAFE052768DC07EB777EC9F05760F20016AFB00A50D1FEA169569A58

Uniqueness

Uniqueness Score: -1.00%

Function 00AB8BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AB8BEC
CoInitialize.OLE32(00000000), ref: 00AB8C19
CoUninitialize.OLE32 ref: 00AB8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00AB8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00AB8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00AD2C0C), ref: 00AB8E84
CoGetObject.OLE32(?,00000000,00AD2C0C,?), ref: 00AB8EA7
SetErrorMode.KERNEL32(00000000), ref: 00AB8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00AB8F3A
VariantClear.OLEAUT32(?), ref: 00AB8F4A

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: fbf35b8ef4db686f18f6df9e47c880dee1bc7a984c91a90a6127e4206a3485d5
Instruction ID: cb969da72f46c91ec529b7bcd69e0b19dd37df21fe7ee049766752ef06886ec4
Opcode Fuzzy Hash: fbf35b8ef4db686f18f6df9e47c880dee1bc7a984c91a90a6127e4206a3485d5
Instruction Fuzzy Hash: 15C124B1208305AFC700DF68C98496BB7EDBF89748F00491DF58A9B252DB75ED06CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AA4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00AA419D
__swprintf.LIBCMT ref: 00AA41AA

Part of subcall function 00A638D8: __woutput_l.LIBCMT ref: 00A63931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00AA41D4
LoadResource.KERNEL32(?,00000000), ref: 00AA41E0
LockResource.KERNEL32(00000000), ref: 00AA41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00AA420D
LoadResource.KERNEL32(?,00000000), ref: 00AA421F
SizeofResource.KERNEL32(?,00000000), ref: 00AA422E
LockResource.KERNEL32(?), ref: 00AA423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00AA429B

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: c507ecc5cc5191071953d82c363a352717278a0ef9afba90df2b67e8b8a845ea
Instruction ID: 50d4561727faec738468a3c5562e5ce81560d8dac1c5794429773de352e6e09c
Opcode Fuzzy Hash: c507ecc5cc5191071953d82c363a352717278a0ef9afba90df2b67e8b8a845ea
Instruction Fuzzy Hash: 74319DB1A0520AAFDB119FA0DC44EFBBBADEF59301F004525F905D3190EBB0DA568BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AA16DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AA1700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00AA0778,?,00000001), ref: 00AA1714
GetWindowThreadProcessId.USER32(00000000), ref: 00AA171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AA0778,?,00000001), ref: 00AA172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00AA173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AA0778,?,00000001), ref: 00AA1755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AA0778,?,00000001), ref: 00AA1767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00AA0778,?,00000001), ref: 00AA17AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00AA0778,?,00000001), ref: 00AA17C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00AA0778,?,00000001), ref: 00AA17CC

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c7c70e31abe36c7b2aaca166c232313c1556f6f3fa5b9631bc67019a73de7206
Instruction ID: 01ae5c10aa6dd786af8c8ea29db1129cb91d23bcf5fb097cc3a031d288a34ebf
Opcode Fuzzy Hash: c7c70e31abe36c7b2aaca166c232313c1556f6f3fa5b9631bc67019a73de7206
Instruction Fuzzy Hash: 4A31BD75A40245BFEB12DF64DC88F69BBEAAB26751F114024F900C72E0DF70AD418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A4FC06
OleUninitialize.OLE32(?,00000000), ref: 00A4FCA5
UnregisterHotKey.USER32(?), ref: 00A4FDFC
DestroyWindow.USER32(?), ref: 00A84A00
FreeLibrary.KERNEL32(?), ref: 00A84A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A84A92

Strings

close all, xrefs: 00A4FC01

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 138603dda23a062aee514844282f6b8acb70d870ccf4286fcb21fb73aa5eff25
Instruction ID: 42387e2423e5e270821438859d727f2032859a98883e656809110a71f6939bf9
Opcode Fuzzy Hash: 138603dda23a062aee514844282f6b8acb70d870ccf4286fcb21fb73aa5eff25
Instruction Fuzzy Hash: D0A16C34B01212CFCB29EF54C595E6AF7B4BF48740F1542ADE90AAB262DB30AD16CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00A9AA64), ref: 00A9A9A2

Strings

INSTANCE, xrefs: 00A9A8B0
CLASS, xrefs: 00A9A721
TEXT, xrefs: 00A9A8D9
CLASSNN, xrefs: 00A9A744
NAME, xrefs: 00A9A7D4
REGEXPCLASS, xrefs: 00A9A767

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: f4ee810400f61d010ed9f9f464db07ac3adfd26a1b127b75bb57853cc243fbf4
Instruction ID: 7c6078c0564e7037c05bd4086586ceecd0df399236008171dd5c95a1c2330d47
Opcode Fuzzy Hash: f4ee810400f61d010ed9f9f464db07ac3adfd26a1b127b75bb57853cc243fbf4
Instruction Fuzzy Hash: 9F917230B00506EBDF58DFA0C581BEAFBB5BF14304F50811AE99AA7151DB306A9ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00A42E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A42EAE

Part of subcall function 00A41DB3: GetClientRect.USER32(?,?), ref: 00A41DDC
Part of subcall function 00A41DB3: GetWindowRect.USER32(?,?), ref: 00A41E1D
Part of subcall function 00A41DB3: ScreenToClient.USER32(?,?), ref: 00A41E45

GetDC.USER32 ref: 00A7CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A7CF95
SelectObject.GDI32(00000000,00000000), ref: 00A7CFA3
SelectObject.GDI32(00000000,00000000), ref: 00A7CFB8
ReleaseDC.USER32(?,00000000), ref: 00A7CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A7D04B

Strings

U, xrefs: 00A7CF20

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 47c6b55bd6a6bc5bc90024574b00a7642a60f45a22851604900daba6d24c7f40
Instruction ID: a961aa1e1ae39c52788565ea3c28391c438b35ba37835cc5f19853288e6269ff
Opcode Fuzzy Hash: 47c6b55bd6a6bc5bc90024574b00a7642a60f45a22851604900daba6d24c7f40
Instruction Fuzzy Hash: C471B434500205DFCF21CF64CD85AAA7BB6FF89360F14C26AFD5A5A2A6C7318C52DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00ACC27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623

Part of subcall function 00A42344: GetCursorPos.USER32(?), ref: 00A42357
Part of subcall function 00A42344: ScreenToClient.USER32(00B067B0,?), ref: 00A42374
Part of subcall function 00A42344: GetAsyncKeyState.USER32(00000001), ref: 00A42399
Part of subcall function 00A42344: GetAsyncKeyState.USER32(00000002), ref: 00A423A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00ACC2E4
ImageList_EndDrag.COMCTL32 ref: 00ACC2EA
ReleaseCapture.USER32 ref: 00ACC2F0
SetWindowTextW.USER32(?,00000000), ref: 00ACC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00ACC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00ACC48F

Strings

@GUI_DRAGFILE, xrefs: 00ACC424
@GUI_DROPID, xrefs: 00ACC3E1

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: dd076c455a69d2517c422f1fdadf432e6d1f47e7c78ebf1dde191edadcd909b5
Instruction ID: 132cfed8b1329d38c399625f8588453ce337868425960354f57abfe8b6b62206
Opcode Fuzzy Hash: dd076c455a69d2517c422f1fdadf432e6d1f47e7c78ebf1dde191edadcd909b5
Instruction Fuzzy Hash: D051BD74204304AFDB04EF24CD56F6A7BE5FB98310F00892DF5958B2E1DB30A959CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AB8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00ACF910), ref: 00AB903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00ACF910), ref: 00AB9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00AB91EB
SysFreeString.OLEAUT32(?), ref: 00AB9215

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: fa4c39e06b5b69991f5b05ed5b49f68d6c832b42b656a62fabf50bc8088519b2
Instruction ID: d0a0e75f9155811c6f928e058fdb8e486de611231b692fc7a97463dd9c718fd5
Opcode Fuzzy Hash: fa4c39e06b5b69991f5b05ed5b49f68d6c832b42b656a62fabf50bc8088519b2
Instruction Fuzzy Hash: 8DF10775A00109EFDB04DF98C888EEEB7B9BF89314F108559F615AB252DB31AE46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ABF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ABF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ABFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ABFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ABFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ABFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ABFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00ABFD90
CloseHandle.KERNEL32(?), ref: 00ABFDBF
CloseHandle.KERNEL32(?), ref: 00ABFE36

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 975caf8942e79cb91afbddc989b612fa8f5829fb44cdf520fb1b38903696da5c
Instruction ID: aa926bd443b51dd5910d9aaf619e282e0031b7d4ea97ddd4307c241255f39603
Opcode Fuzzy Hash: 975caf8942e79cb91afbddc989b612fa8f5829fb44cdf520fb1b38903696da5c
Instruction Fuzzy Hash: 07E1A1312043419FCB14EF24C991BABBBE5BF85354F18896DF8999B2A2CB31DC45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AA4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AA38D3,?), ref: 00AA48C7

Part of subcall function 00AA48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AA38D3,?), ref: 00AA48E0

Part of subcall function 00AA4CD3: GetFileAttributesW.KERNEL32(?,00AA3947), ref: 00AA4CD4

lstrcmpiW.KERNEL32(?,?), ref: 00AA4FE2
_wcscmp.LIBCMT ref: 00AA4FFC
MoveFileW.KERNEL32(?,?), ref: 00AA5017

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 4ae77f6792f9a3ed2a26b2aaff4dbcb4bfb6f59ea8ef63389a64533bf2981f26
Instruction ID: d4a3435eb94b20f9b4bd38b22fe48494a29c03a823650bbbc0c7c46ceb13b8fa
Opcode Fuzzy Hash: 4ae77f6792f9a3ed2a26b2aaff4dbcb4bfb6f59ea8ef63389a64533bf2981f26
Instruction Fuzzy Hash: 5A5185B24087849FC724EB60CD819DFB3ECAFC5341F00492EB189C3191EF75A5888766

Uniqueness

Uniqueness Score: -1.00%

Function 00AC88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00AC896E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 746e9ca93043fcd2e117bcb804ec54e7a2c6895b2c544ba4a421ffa500fa622d
Instruction ID: aace88c12d0bf7c1653719d07c8cfe7ef1bc06f13403f5e567de50f6da765560
Opcode Fuzzy Hash: 746e9ca93043fcd2e117bcb804ec54e7a2c6895b2c544ba4a421ffa500fa622d
Instruction Fuzzy Hash: 6851B330600209BFDF20DF28CC85FAA3BA5FB05390F62411BF515EA5A5DF79AD908B51

Uniqueness

Uniqueness Score: -1.00%

Function 00A42B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00A7C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A7C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A7C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00A7C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A7C5C0
DestroyIcon.USER32(00000000), ref: 00A7C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A7C5EC
DestroyIcon.USER32(?), ref: 00A7C5FB

Part of subcall function 00ACA71E: DeleteObject.GDI32(00000000), ref: 00ACA757

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 0b2ba7cd7258a10bf78c57882707296212e81b8913fee1194fd893195a752126
Instruction ID: 37f3b34eda706992f895d5156329f500b3fb9ab50f312b3ab113464f736e9c1b
Opcode Fuzzy Hash: 0b2ba7cd7258a10bf78c57882707296212e81b8913fee1194fd893195a752126
Instruction Fuzzy Hash: 4C516974640209AFDB24DF64CC85FAA7BB5EB98320F108529F906D72A0DB71ED91DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A98E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00A98A84,00000B00,?,?), ref: 00A98E0C
HeapAlloc.KERNEL32(00000000,?,00A98A84,00000B00,?,?), ref: 00A98E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A98A84,00000B00,?,?), ref: 00A98E28
GetCurrentProcess.KERNEL32(?,00000000,?,00A98A84,00000B00,?,?), ref: 00A98E30
DuplicateHandle.KERNEL32(00000000,?,00A98A84,00000B00,?,?), ref: 00A98E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00A98A84,00000B00,?,?), ref: 00A98E43
GetCurrentProcess.KERNEL32(00A98A84,00000000,?,00A98A84,00000B00,?,?), ref: 00A98E4B
DuplicateHandle.KERNEL32(00000000,?,00A98A84,00000B00,?,?), ref: 00A98E4E
CreateThread.KERNEL32(00000000,00000000,00A98E74,00000000,00000000,00000000), ref: 00A98E68

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c5c783c04a0eccf2889d56f3295b4a66267c36512863c1b7364741b64602d781
Instruction ID: 2ea20ccf627ee3159819e7f8e10bce51ea06f6d1c373e5965f569ab26cd21c2b
Opcode Fuzzy Hash: c5c783c04a0eccf2889d56f3295b4a66267c36512863c1b7364741b64602d781
Instruction Fuzzy Hash: B401A4B9240308FFEA10EBA5DC49F6B7BADEB89711F054521FB05DB2A1CA7498018A20

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AB947C
VariantInit.OLEAUT32(?), ref: 00AB954D
VariantInit.OLEAUT32(?), ref: 00AB964E
VariantClear.OLEAUT32(?), ref: 00AB9658
VariantClear.OLEAUT32(?), ref: 00AB96B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00AB9631
Null Object assignment in FOR..IN loop, xrefs: 00AB94DD, 00AB960B, 00AB96C3

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 2763e9aab957b0d039e79622c219097e4a43f538faabd2ff8b1c55f1d013011f
Instruction ID: bfa81a5d54fbc55546e0507beb0e701e8359b6b4158041e4c535dd35ab7cd1fe
Opcode Fuzzy Hash: 2763e9aab957b0d039e79622c219097e4a43f538faabd2ff8b1c55f1d013011f
Instruction Fuzzy Hash: 8A91AC71A00219ABDF24DFA5C858FEFBBB8EF45710F108559F609AB282D7709945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00A97652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A9758C,80070057,?,?,?,00A9799D), ref: 00A9766F
Part of subcall function 00A97652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A9758C,80070057,?,?), ref: 00A9768A
Part of subcall function 00A97652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A9758C,80070057,?,?), ref: 00A97698
Part of subcall function 00A97652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A9758C,80070057,?), ref: 00A976A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00AB9B1B
_memset.LIBCMT ref: 00AB9B28
_memset.LIBCMT ref: 00AB9C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00AB9C97
CoTaskMemFree.OLE32(?), ref: 00AB9CA2

Strings

NULL Pointer assignment, xrefs: 00AB9CF0

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 97b7ee01f169ac0b533fa5263306037ce5bfe4cd3ed697f7a48e765e9a7b984d
Instruction ID: 4d99c8610f29d7643f182392d909274395a968fdbb2e1a2d7d0336a302f1a3a7
Opcode Fuzzy Hash: 97b7ee01f169ac0b533fa5263306037ce5bfe4cd3ed697f7a48e765e9a7b984d
Instruction Fuzzy Hash: 1F914871D00228EFDF10DFA5DD84ADEBBB9AF49310F20416AF519A7282DB715A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00AC7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00AC70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00AC70C1
_wcscat.LIBCMT ref: 00AC711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00AC7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00AC7161

Strings

SysListView32, xrefs: 00AC7065

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: b617e42cd20e2a913d9ac462c5f8ce27f5f3987e46498cf15458cf8d98c742ec
Instruction ID: c51feee8a4c7caba8d13785629c0935c63f1f5bdd08fe29e8ec0b6e704418793
Opcode Fuzzy Hash: b617e42cd20e2a913d9ac462c5f8ce27f5f3987e46498cf15458cf8d98c742ec
Instruction Fuzzy Hash: 40418E71A04308AFDB219FA4CC85FEE77F9EB08350F11452EF984A7292D6729D858B60

Uniqueness

Uniqueness Score: -1.00%

Function 00ABEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00AA3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00AA3EB6
Part of subcall function 00AA3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00AA3EC4
Part of subcall function 00AA3E91: CloseHandle.KERNEL32(00000000), ref: 00AA3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ABECB8
GetLastError.KERNEL32 ref: 00ABECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ABECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00ABED77
GetLastError.KERNEL32(00000000), ref: 00ABED82
CloseHandle.KERNEL32(00000000), ref: 00ABEDB7

Strings

SeDebugPrivilege, xrefs: 00ABECD6

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: dfb80339d6af4fc1d2ecda7e07c506782a7b1d86563f36572f53629b1b037558
Instruction ID: 37bf1935d7946f6d9166323db834da523945256b75f09ca55db1c0c250fad0bf
Opcode Fuzzy Hash: dfb80339d6af4fc1d2ecda7e07c506782a7b1d86563f36572f53629b1b037558
Instruction Fuzzy Hash: D641AB71200200AFDB14EF24CD95FAEB7A5AF80714F188469F9429B3D3DBB5A815CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00AA3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00AA32C5

Strings

blank, xrefs: 00AA3247
stop, xrefs: 00AA3296
question, xrefs: 00AA327E
info, xrefs: 00AA3266
warning, xrefs: 00AA32AE

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 621169bfc5342bead9f035455eaa888560d457bd82cda1ed53f434de2a52140a
Instruction ID: b2a3027db10ac0c3f9c537108ef5877fba4de20baaa1ef36f0c05eb310c44db6
Opcode Fuzzy Hash: 621169bfc5342bead9f035455eaa888560d457bd82cda1ed53f434de2a52140a
Instruction Fuzzy Hash: 7111E73370834ABAAF015B94DC43EEAB7ACEF3B370F20006AF504A71C1E7656B4545A5

Uniqueness

Uniqueness Score: -1.00%

Function 00AA4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00AA454E
LoadStringW.USER32(00000000), ref: 00AA4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00AA456B
LoadStringW.USER32(00000000), ref: 00AA4572
_wprintf.LIBCMT ref: 00AA4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AA45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00AA4593

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 473d08eb91cf7a10bd71f5e97a4c4e16e365557c613ced5fbb0e15f8a6d382d3
Instruction ID: 8c4cc79df565e3f929cc48eaba96a19b872524ff2618af2b487febf6a8aa8084
Opcode Fuzzy Hash: 473d08eb91cf7a10bd71f5e97a4c4e16e365557c613ced5fbb0e15f8a6d382d3
Instruction Fuzzy Hash: 200162F2900208BFE710E7E0DD89EF7776DE708301F0005A5BB49D2051EA749E868B74

Uniqueness

Uniqueness Score: -1.00%

Function 00ACD74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623

GetSystemMetrics.USER32(0000000F), ref: 00ACD78A
GetSystemMetrics.USER32(0000000F), ref: 00ACD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00ACD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00ACDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00ACDA24
ShowWindow.USER32(00000003,00000000), ref: 00ACDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00ACDA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00ACDA8B

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 700028630a0d5c139127816c58e1bc1d7e489c4a2e36c661b5e37a736a9f9770
Instruction ID: 9eca92d4498bdcf0b4c305095822ac0b5f1fb508f69609fc9248c75fcaa06bfb
Opcode Fuzzy Hash: 700028630a0d5c139127816c58e1bc1d7e489c4a2e36c661b5e37a736a9f9770
Instruction Fuzzy Hash: 98B16875600225EFDF14CF68C985BBD7BB1BF48701F0A8179EC48AB695DB34A950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A42A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A7C417,00000004,00000000,00000000,00000000), ref: 00A42ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00A7C417,00000004,00000000,00000000,00000000,000000FF), ref: 00A42B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00A7C417,00000004,00000000,00000000,00000000), ref: 00A7C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A7C417,00000004,00000000,00000000,00000000), ref: 00A7C4D6

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d9c5e2dfb6eb4495f7dfa313ce3e36090db89bdd7fc806fc0928b5b5b27bec26
Instruction ID: c23203b1b69d4e3f70682b2dd1d4869165e7c37057f2d1d545b0c71d0f1c5f88
Opcode Fuzzy Hash: d9c5e2dfb6eb4495f7dfa313ce3e36090db89bdd7fc806fc0928b5b5b27bec26
Instruction Fuzzy Hash: FB415A392087809EDB758B28CC9CB7B7BA2EBC5350F99C83DF84B87560C6759846D710

Uniqueness

Uniqueness Score: -1.00%

Function 00AA7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00AA737F

Part of subcall function 00A60FF6: std::exception::exception.LIBCMT ref: 00A6102C
Part of subcall function 00A60FF6: __CxxThrowException@8.LIBCMT ref: 00A61041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00AA73B6
EnterCriticalSection.KERNEL32(?), ref: 00AA73D2
_memmove.LIBCMT ref: 00AA7420
_memmove.LIBCMT ref: 00AA743D
LeaveCriticalSection.KERNEL32(?), ref: 00AA744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00AA7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00AA7480

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: d23bd92034b5a47526511a459b791f53c0e327e3a4084d2e16d60e82cdf23b20
Instruction ID: 1ad4a1a4624190ddb2344b84cd9a7f56515ce6e84af97b1cd5e8ca33619788fc
Opcode Fuzzy Hash: d23bd92034b5a47526511a459b791f53c0e327e3a4084d2e16d60e82cdf23b20
Instruction Fuzzy Hash: 13319C71904205EFCF10EFA4DD85EAFBBB8EF45710B1541B5F904AB286DB309A51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00AC645A
GetDC.USER32(00000000), ref: 00AC6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AC646D
ReleaseDC.USER32(00000000,00000000), ref: 00AC6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00AC64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AC64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00AC9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00AC6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00AC6520

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b9c6285907edbd2a7e640992e214fb845b5cf7a74e694b266cff9c0e9bebd98b
Instruction ID: 0d86237f1a7fd92e6d3c77a90414eb6709bdbafe455fed7fedf91e5c1cde21e0
Opcode Fuzzy Hash: b9c6285907edbd2a7e640992e214fb845b5cf7a74e694b266cff9c0e9bebd98b
Instruction Fuzzy Hash: 12316D72201214BFEB118F50CC4AFEA3FAAEF09761F054065FE089A291D6759842CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00A9C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00A9C087
_memcmp.LIBCMT ref: 00A9C0A9
_memcmp.LIBCMT ref: 00A9C0C1
_memcmp.LIBCMT ref: 00A9C0D4
_memcmp.LIBCMT ref: 00A9C0EE
_memcmp.LIBCMT ref: 00A9C101
_memcmp.LIBCMT ref: 00A9C119
_memcmp.LIBCMT ref: 00A9C134

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: cebe5dc57e07c6e0ebe9ac134159ad79d9061d147d5fd7059293bc157627a9cb
Instruction ID: be360837679ad6d55a6c6afd3b44facb699c7e3910ebb356f5b140b6b0b2ff57
Opcode Fuzzy Hash: cebe5dc57e07c6e0ebe9ac134159ad79d9061d147d5fd7059293bc157627a9cb
Instruction Fuzzy Hash: F2219579701A05B7EA14A6219E46FAB37EDAF203B4F184021FD0696383E795DE12C2B5

Uniqueness

Uniqueness Score: -1.00%

Function 00AAED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00A49997: __itow.LIBCMT ref: 00A499C2
Part of subcall function 00A49997: __swprintf.LIBCMT ref: 00A49A0C

Part of subcall function 00A5FEC6: _wcscpy.LIBCMT ref: 00A5FEE9

_wcstok.LIBCMT ref: 00AAEEFF
_wcscpy.LIBCMT ref: 00AAEF8E
_memset.LIBCMT ref: 00AAEFC1

Strings

X, xrefs: 00AAEFFE

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 2afa145b327f7f5c191c5aabd9888b69370779d7228b7215945dd9a4f9cd58bd
Instruction ID: 49f7f26677e9132699a4045a31f75aeeb88b3dd12defe491f06c3fd9ece7ec74
Opcode Fuzzy Hash: 2afa145b327f7f5c191c5aabd9888b69370779d7228b7215945dd9a4f9cd58bd
Instruction Fuzzy Hash: 41C13B755083409FC724EF64CA85A6FB7E4EF85310F04496DF9999B2A2DB30ED45CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00AB6E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00AB6F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00AB6F35
WSAGetLastError.WSOCK32(00000000), ref: 00AB6F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00AB6FFE
inet_ntoa.WSOCK32(?), ref: 00AB6FBB

Part of subcall function 00A9AE14: _strlen.LIBCMT ref: 00A9AE1E
Part of subcall function 00A9AE14: _memmove.LIBCMT ref: 00A9AE40

_strlen.LIBCMT ref: 00AB7058
_memmove.LIBCMT ref: 00AB70C1

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: a1d568ee7d0cd2d4a62bf067278864edaf3b4b9edc9b4b322828a4141464acd1
Instruction ID: 9abeb51e8a6c7f1d57946053af0db48f6f7b6e5e0fb9fc8473537ffa236cd783
Opcode Fuzzy Hash: a1d568ee7d0cd2d4a62bf067278864edaf3b4b9edc9b4b322828a4141464acd1
Instruction Fuzzy Hash: B781CD75608300AFC710EB24CD86EAFB3E9AFC4714F104929F5559B2A2DAB0ED01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A41424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4663b1ede071aa51953a08212fd8d9406b55c964ca5f7facd75350fb93326341
Instruction ID: 17afcb905fbec5aecf03ab5f6250a8740e4b772a6a5e2a34446f918c1ebf4163
Opcode Fuzzy Hash: 4663b1ede071aa51953a08212fd8d9406b55c964ca5f7facd75350fb93326341
Instruction Fuzzy Hash: 00715874900109EFCB04CF98CC89EBEBB79FF85310F24C159F915AA251C774AA92CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ACB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01535720), ref: 00ACB6A5
IsWindowEnabled.USER32(01535720), ref: 00ACB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00ACB795
SendMessageW.USER32(01535720,000000B0,?,?), ref: 00ACB7CC
IsDlgButtonChecked.USER32(?,?), ref: 00ACB809
GetWindowLongW.USER32(01535720,000000EC), ref: 00ACB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00ACB843

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 12695315d2a556023cdafcaf075ef749aca3182bf73479e3f539bd4f593a27d7
Instruction ID: 57a758425a4b42cb89ebad3eccd367fc1936996bb1f7313da402f6cc3df56910
Opcode Fuzzy Hash: 12695315d2a556023cdafcaf075ef749aca3182bf73479e3f539bd4f593a27d7
Instruction Fuzzy Hash: 76719C34611204EFDB21DFA4C896FAA7BF9EF49300F16406DE945A73A1C732AC51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00ABF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ABF75C
_memset.LIBCMT ref: 00ABF825
ShellExecuteExW.SHELL32(?), ref: 00ABF86A

Part of subcall function 00A49997: __itow.LIBCMT ref: 00A499C2
Part of subcall function 00A49997: __swprintf.LIBCMT ref: 00A49A0C

Part of subcall function 00A5FEC6: _wcscpy.LIBCMT ref: 00A5FEE9

GetProcessId.KERNEL32(00000000), ref: 00ABF8E1
CloseHandle.KERNEL32(00000000), ref: 00ABF910

Strings

@, xrefs: 00ABF839

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 64835ab2905a77af7792a90e3b8d00dee6d21a09b861e1e403cfc3fca7109c29
Instruction ID: 2a159103326fe876cb2af43927dd336ecc4c26293c021f5b259f21fed43f4f37
Opcode Fuzzy Hash: 64835ab2905a77af7792a90e3b8d00dee6d21a09b861e1e403cfc3fca7109c29
Instruction Fuzzy Hash: 08619175A00619DFCF14DFA4C9859AEBBF5FF88310F158469E856AB352CB30AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AA145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00AA149C
GetKeyboardState.USER32(?), ref: 00AA14B1
SetKeyboardState.USER32(?), ref: 00AA1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00AA1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00AA155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00AA15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00AA15C8

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b744e5e8804343d07706befef2f406f8e9c21e38298a70ad761a29a5dc9b6fe3
Instruction ID: 21641da6647be6aaab86d1331bdd022a5aebdf12080c00dc0701b0c063b79243
Opcode Fuzzy Hash: b744e5e8804343d07706befef2f406f8e9c21e38298a70ad761a29a5dc9b6fe3
Instruction Fuzzy Hash: F451B2A0A047D63EFB364778CC45BBABEA95B47304F0C8589E1D6978D2D398EC84DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AA1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00AA12B5
GetKeyboardState.USER32(?), ref: 00AA12CA
SetKeyboardState.USER32(?), ref: 00AA132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AA1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AA1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AA13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AA13D9

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e97dfe98b4e834e027fb6224ccfd21e83024b4d7528030f1856c123b78fdaa5b
Instruction ID: de0f47e79f60aa7fb2ab7aff050d4ec2f6aef0781ae3c84a87c8db707b08b2d6
Opcode Fuzzy Hash: e97dfe98b4e834e027fb6224ccfd21e83024b4d7528030f1856c123b78fdaa5b
Instruction Fuzzy Hash: 4E51C4A0A047D53EFB3287248C55BBABFA95F07300F088989E1D55B8C2D395EC98D761

Uniqueness

Uniqueness Score: -1.00%

Function 00AA589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00AA58AC
_wcsncpy.LIBCMT ref: 00AA58E1
_wcsncpy.LIBCMT ref: 00AA5913
_wcsncpy.LIBCMT ref: 00AA5946
_wcsncpy.LIBCMT ref: 00AA5988
_wcsncpy.LIBCMT ref: 00AA59C2
_wcsncpy.LIBCMT ref: 00AA59F1

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: a0c315e0cb1818659f0b1221cc666f5bc49d32aa9bddce957c5c83cb9c985a66
Instruction ID: 3178b4b4a2e4a86507a09019fc2fd86519fcfdeea8315d35c43a8a2739b65d91
Opcode Fuzzy Hash: a0c315e0cb1818659f0b1221cc666f5bc49d32aa9bddce957c5c83cb9c985a66
Instruction Fuzzy Hash: FA4181A6D2062876CB10EBB4898AACFB7BCAF05310F508566F518E3161F734E715C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00AA38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AA38D3,?), ref: 00AA48C7

Part of subcall function 00AA48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AA38D3,?), ref: 00AA48E0

lstrcmpiW.KERNEL32(?,?), ref: 00AA38F3
_wcscmp.LIBCMT ref: 00AA390F
MoveFileW.KERNEL32(?,?), ref: 00AA3927
_wcscat.LIBCMT ref: 00AA396F
SHFileOperationW.SHELL32(?), ref: 00AA39DB

Strings

\*.*, xrefs: 00AA3969

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 030e8bb516e92cace9525804b9ac250994288d58e94d0dd9ab9028ecd498c026
Instruction ID: 40c9c1540309847fe9fb223f5dc33023a981bb5194173533e8e4a0d78312990b
Opcode Fuzzy Hash: 030e8bb516e92cace9525804b9ac250994288d58e94d0dd9ab9028ecd498c026
Instruction Fuzzy Hash: C641A2B250C3849ECB51EF64C591AEFB7ECAF89340F14092EB489C3291EB74D649C752

Uniqueness

Uniqueness Score: -1.00%

Function 00AC7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AC7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AC75C0
IsMenu.USER32(?), ref: 00AC75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AC7620
DrawMenuBar.USER32 ref: 00AC7633

Strings

0, xrefs: 00AC750D

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: d2d081e88a1e4715af0a9163d9bc92839b67d4ca8101a04b259652ac2dca5ee4
Instruction ID: 434fafd13c4ccbbd703f7852fedebbb2d4bd6194811f437d472091aa8eb6e515
Opcode Fuzzy Hash: d2d081e88a1e4715af0a9163d9bc92839b67d4ca8101a04b259652ac2dca5ee4
Instruction Fuzzy Hash: 49412975A04649EFDB10DF58D884E9EBBF9FB04310F058129E9159B250DB30AD51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AC122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00AC125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AC1286
FreeLibrary.KERNEL32(00000000), ref: 00AC133D

Part of subcall function 00AC122D: RegCloseKey.ADVAPI32(?), ref: 00AC12A3
Part of subcall function 00AC122D: FreeLibrary.KERNEL32(?), ref: 00AC12F5
Part of subcall function 00AC122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00AC1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00AC12E0

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: e981a109c48ac7079649cdcfd6585fa0dfab41d1eed720ff6e2ae88818c7b4ad
Instruction ID: b9b769244a1ea3cebeeec6609ab936cd86a0d3b625fad21fb2ab714356b45052
Opcode Fuzzy Hash: e981a109c48ac7079649cdcfd6585fa0dfab41d1eed720ff6e2ae88818c7b4ad
Instruction Fuzzy Hash: BA314BB1A01109BFDB14DBD0DC89EFEBBBCEF09304F014179E511E6242EA749E459AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AC655B
GetWindowLongW.USER32(01535720,000000F0), ref: 00AC658E
GetWindowLongW.USER32(01535720,000000F0), ref: 00AC65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00AC65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00AC661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00AC6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00AC664A

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 39a5ffb47279fb37ac00caaff19d56954cc90da95247d9866056235f0d197294
Instruction ID: 81a7c1ad6aed7287735a2b15811908f894a2b21e2a694b313f5155f8d3c5e56e
Opcode Fuzzy Hash: 39a5ffb47279fb37ac00caaff19d56954cc90da95247d9866056235f0d197294
Instruction Fuzzy Hash: 33311130604259AFDB20CF68DC84F653BE2FB5A314F2A41A9F5119B2B6CB71AC51DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00AB6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AB80CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00AB64D9
WSAGetLastError.WSOCK32(00000000), ref: 00AB64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00AB6521
connect.WSOCK32(00000000,?,00000010), ref: 00AB652A
WSAGetLastError.WSOCK32 ref: 00AB6534
closesocket.WSOCK32(00000000), ref: 00AB655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00AB6576

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: d808308306dec25120919bdae36ab4246a06be558ba6e6ebff0a2a7732804b6a
Instruction ID: dd9602fc771d77c9987b43e7c370a7c334af3e00e9465b2bfc2a9c77397c2de4
Opcode Fuzzy Hash: d808308306dec25120919bdae36ab4246a06be558ba6e6ebff0a2a7732804b6a
Instruction Fuzzy Hash: 09319E31600218AFDB10AF64CD85FBA7BADEB44750F048169F90997292CB78AD15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A9E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A9E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A9E120
SysAllocString.OLEAUT32(00000000), ref: 00A9E123
SysAllocString.OLEAUT32 ref: 00A9E144
SysFreeString.OLEAUT32 ref: 00A9E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00A9E167
SysAllocString.OLEAUT32(?), ref: 00A9E175

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9ee5a3138719c4964e965c079530df2a1b0f77e577e192f660aa502c946be89c
Instruction ID: 3196dc835c819249ba384a7bdc17bde4136dbb78a8e9517dda336befc0ae2b42
Opcode Fuzzy Hash: 9ee5a3138719c4964e965c079530df2a1b0f77e577e192f660aa502c946be89c
Instruction Fuzzy Hash: 8C216035704208AFDF10DFA8DC88DAB77EDEB19760B118225F915CB261DA71DC81CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00AC783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A41D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A41D73
Part of subcall function 00A41D35: GetStockObject.GDI32(00000011), ref: 00A41D87
Part of subcall function 00A41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A41D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00AC78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00AC78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00AC78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00AC78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00AC78D4

Strings

Msctls_Progress32, xrefs: 00AC7872

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d647e57f8d9529b8a8b663611547961f289f41f6ece51b8de9a21879ab732a3c
Instruction ID: 7e317cbf455231dc67cf729e0cefad65fcaa0caa75940ec993761cffab7aa6bb
Opcode Fuzzy Hash: d647e57f8d9529b8a8b663611547961f289f41f6ece51b8de9a21879ab732a3c
Instruction Fuzzy Hash: D71190B6510219BFEF159F60CC85EEB7F6DEF08758F014114BB04A2090CB729C61DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A641C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00A64292,?), ref: 00A641E3
GetProcAddress.KERNEL32(00000000), ref: 00A641EA
EncodePointer.KERNEL32(00000000), ref: 00A641F6
DecodePointer.KERNEL32(00000001,00A64292,?), ref: 00A64213

Strings

RoInitialize, xrefs: 00A641D2
combase.dll, xrefs: 00A641DE

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: d51ef84de7a174c30a8296c145ee7f1e8380dccc61cb0952fb39f5dc228e02da
Instruction ID: 7553f0c8086692319d95e216a059d7fc3912c9e5fecb446e57f7e52fd40d8956
Opcode Fuzzy Hash: d51ef84de7a174c30a8296c145ee7f1e8380dccc61cb0952fb39f5dc228e02da
Instruction Fuzzy Hash: EFE012F4590340AEEB10ABB0EC09F443DA6B775B02F114425B661E61A0DBB54096CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00A6429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00A641B8), ref: 00A642B8
GetProcAddress.KERNEL32(00000000), ref: 00A642BF
EncodePointer.KERNEL32(00000000), ref: 00A642CA
DecodePointer.KERNEL32(00A641B8), ref: 00A642E5

Strings

combase.dll, xrefs: 00A642B3
RoUninitialize, xrefs: 00A642A7

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 84a04c9f1a0022a76decb7bae8d5528aa4a62199b5946960561943d0db448acb
Instruction ID: 0abb7123651a63fdd1b318776769775f9db0e0445329aa1c09ec9a75cacd06b5
Opcode Fuzzy Hash: 84a04c9f1a0022a76decb7bae8d5528aa4a62199b5946960561943d0db448acb
Instruction Fuzzy Hash: FCE092BC581300AFEB109BA1EE09F453EA6B738742F214426F252E62A0CBB44545CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00AA675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA68AD
_memmove.LIBCMT ref: 00AA67E8

Part of subcall function 00A49997: __itow.LIBCMT ref: 00A499C2
Part of subcall function 00A49997: __swprintf.LIBCMT ref: 00A49A0C

_memmove.LIBCMT ref: 00AA685B
_memmove.LIBCMT ref: 00AA6942
_memmove.LIBCMT ref: 00AA695B
_memmove.LIBCMT ref: 00AA6977

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 9878d26070b011936cad77e1676243b9e2a31e5d9705435f175891a5af6f413f
Instruction ID: dd9df7eb4a72c9e7b23ec23bced5c5dfe8ed6580ffa51abe573b5d4c4ac547d8
Opcode Fuzzy Hash: 9878d26070b011936cad77e1676243b9e2a31e5d9705435f175891a5af6f413f
Instruction Fuzzy Hash: D761AD3450469A9BCF11EF60CE81EFF7BA8AF89308F094519F8565B2D2DB349951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AC046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A47F41: _memmove.LIBCMT ref: 00A47F82

Part of subcall function 00AC10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AC0038,?,?), ref: 00AC10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AC0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AC0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00AC05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00AC05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00AC0617
RegCloseKey.ADVAPI32(00000000), ref: 00AC0624

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 0ce364f5ec802c361b6819a83866626d352999a068fa920a4c23affb386e15db
Instruction ID: fa1d4c73da9fc2a95b0412c70ea8cd874a3724ba26e8f88aa1ba893e893d88a5
Opcode Fuzzy Hash: 0ce364f5ec802c361b6819a83866626d352999a068fa920a4c23affb386e15db
Instruction Fuzzy Hash: A3514335208240EFCB14EF64C985E6BBBE9FF89714F04892DF485972A2DB71E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AC5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00AC5A82
GetMenuItemCount.USER32(00000000), ref: 00AC5AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00AC5AE1
GetMenuItemID.USER32(?,?), ref: 00AC5B50
GetSubMenu.USER32(?,?), ref: 00AC5B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00AC5BAF

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: f61d7724688ec1a95500987a7c20dde04b63dc5698af5edc8265822dd66eb8c1
Instruction ID: 0dfa984c4bd514df9dad7efd2fe37d3b5f7c98eff07fa4da4a88f3b755dbf05c
Opcode Fuzzy Hash: f61d7724688ec1a95500987a7c20dde04b63dc5698af5edc8265822dd66eb8c1
Instruction Fuzzy Hash: 47516B35E00615AFCF15EFA5C945EAEBBB5EF48310F154469F802AB351DB70BE818B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A9F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A9F3F7
VariantClear.OLEAUT32(00000013), ref: 00A9F469
VariantClear.OLEAUT32(00000000), ref: 00A9F4C4
_memmove.LIBCMT ref: 00A9F4EE
VariantClear.OLEAUT32(?), ref: 00A9F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A9F569

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 547c5fff6b8c9df4e2cba475d23e01b3fe3e6298469b0e7f020a3c72ba0a47f9
Instruction ID: 083b8a31de528e77b7fb94987e3c37e72904da918584df57580aa72b6f564450
Opcode Fuzzy Hash: 547c5fff6b8c9df4e2cba475d23e01b3fe3e6298469b0e7f020a3c72ba0a47f9
Instruction Fuzzy Hash: 15513AB5A00209DFCF14CF58D884AAAB7F9FF48354B158569ED59DB310D730E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AA26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AA2792
IsMenu.USER32(00000000), ref: 00AA27B2
CreatePopupMenu.USER32 ref: 00AA27E6
GetMenuItemCount.USER32(000000FF), ref: 00AA2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00AA2875

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 937da1a84fda7d634e9734a5c7d9faef6230fc26736101c0e09926f3b12ce698
Instruction ID: 9a421bff4ccda33af00fce75ed27b3255db23a31c007cd33985e36c05ba46791
Opcode Fuzzy Hash: 937da1a84fda7d634e9734a5c7d9faef6230fc26736101c0e09926f3b12ce698
Instruction Fuzzy Hash: 6C519E70A00209EFDF25CF6CC988BAEBBF5AF4A314F104169F8119B2D0D7748924CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A41765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00A4179A
GetWindowRect.USER32(?,?), ref: 00A417FE
ScreenToClient.USER32(?,?), ref: 00A4181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A4182C
EndPaint.USER32(?,?), ref: 00A41876

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: e0041061732587ccf4b18aaae38c4024e92c5e615f5fbdcb02aa9bd8acb73bae
Instruction ID: da85b810a8eee320230bdd673ae28b17a88b8a6c9e3aa59f6c841fce8453cc8b
Opcode Fuzzy Hash: e0041061732587ccf4b18aaae38c4024e92c5e615f5fbdcb02aa9bd8acb73bae
Instruction Fuzzy Hash: 8041CF74200301AFD710DF24CC84FBB7BF9EB99724F048629F994872A1CB319885DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00ACB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00B067B0,00000000,01535720,?,?,00B067B0,?,00ACB862,?,?), ref: 00ACB9CC
EnableWindow.USER32(00000000,00000000), ref: 00ACB9F0
ShowWindow.USER32(00B067B0,00000000,01535720,?,?,00B067B0,?,00ACB862,?,?), ref: 00ACBA50
ShowWindow.USER32(00000000,00000004,?,00ACB862,?,?), ref: 00ACBA62
EnableWindow.USER32(00000000,00000001), ref: 00ACBA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00ACBAA9

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 0357a20c9f3aefd533667d351859aaf002d40d17ccfc5eaf8d5f011cf83bcab3
Instruction ID: b876daa7a492a64cb043162c428110f5eed307d59948c8c1c4ed2b2e84121d4d
Opcode Fuzzy Hash: 0357a20c9f3aefd533667d351859aaf002d40d17ccfc5eaf8d5f011cf83bcab3
Instruction Fuzzy Hash: BB416230610241AFDB25CF54C88AF957BE1FF05350F1A41BDEA489F2A2C733A846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AB73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00AB5134,?,?,00000000,00000001), ref: 00AB73BF

Part of subcall function 00AB3C94: GetWindowRect.USER32(?,?), ref: 00AB3CA7

GetDesktopWindow.USER32 ref: 00AB73E9
GetWindowRect.USER32(00000000), ref: 00AB73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00AB7422

Part of subcall function 00AA54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AA555E

GetCursorPos.USER32(?), ref: 00AB744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00AB74AC

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 945bd1bb05b3134084324501366d0f41276180baf5fe4ed0fb9e619fc64a1948
Instruction ID: 6d12985ffb58f64e09286c2ca9c594637eb6b3c4767f47742725a999559db261
Opcode Fuzzy Hash: 945bd1bb05b3134084324501366d0f41276180baf5fe4ed0fb9e619fc64a1948
Instruction Fuzzy Hash: 4A31B272508315AFD720DF54D849E9FBBAAFF89314F000929F58997192DB70EA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A98D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A985F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A98608
Part of subcall function 00A985F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A98612
Part of subcall function 00A985F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A98621
Part of subcall function 00A985F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A98628
Part of subcall function 00A985F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A9863E

GetLengthSid.ADVAPI32(?,00000000,00A98977), ref: 00A98DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A98DB8
HeapAlloc.KERNEL32(00000000), ref: 00A98DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00A98DD8
GetProcessHeap.KERNEL32(00000000,00000000,00A98977), ref: 00A98DEC
HeapFree.KERNEL32(00000000), ref: 00A98DF3

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 77c17b7b317181e268eac0dfca73550d69126b8f9936980e72ae4e0f3e76c8e4
Instruction ID: 24116e1115c335e222b143ff1f5a99e2cb7df0c8c07bf1eacc77fc48af38a37e
Opcode Fuzzy Hash: 77c17b7b317181e268eac0dfca73550d69126b8f9936980e72ae4e0f3e76c8e4
Instruction Fuzzy Hash: AD11EB32602604FFDF10CFA4CC08FAE7BBAEF42315F14412AE84993251DB3AA901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A98AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A98B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00A98B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A98B40
CloseHandle.KERNEL32(00000004), ref: 00A98B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A98B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A98B8E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6ae6fa4a39cf181aa328f3d0a7969b7b781764a818d6d525dc2e842f339eae6c
Instruction ID: 54cb98cda1fdb2c710f4e95f667589d6491c74c516870f5785c17f79966bd97c
Opcode Fuzzy Hash: 6ae6fa4a39cf181aa328f3d0a7969b7b781764a818d6d525dc2e842f339eae6c
Instruction Fuzzy Hash: 32114AB2600209AFDF01CFA4DD49FDE7BA9EF09304F094065FE04A6160C6768D619B60

Uniqueness

Uniqueness Score: -1.00%

Function 00ACC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00A412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A4134D
Part of subcall function 00A412F3: SelectObject.GDI32(?,00000000), ref: 00A4135C
Part of subcall function 00A412F3: BeginPath.GDI32(?), ref: 00A41373
Part of subcall function 00A412F3: SelectObject.GDI32(?,00000000), ref: 00A4139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00ACC1C4
LineTo.GDI32(00000000,00000003,?), ref: 00ACC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00ACC1E6
LineTo.GDI32(00000000,00000000,?), ref: 00ACC1F6
EndPath.GDI32(00000000), ref: 00ACC206
StrokePath.GDI32(00000000), ref: 00ACC216

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7b198121c1c34e8dbcd1362365753b505d47f7af6ba5fc28004d8730c0d1ca1d
Instruction ID: 54c0a50058631afac2a5f3f570bd016f7aedf3c028965ed3a0139c5b7080cc62
Opcode Fuzzy Hash: 7b198121c1c34e8dbcd1362365753b505d47f7af6ba5fc28004d8730c0d1ca1d
Instruction Fuzzy Hash: C511097640010CBFDB119F90DC88FEA7FADEB08364F058025FA189A161D7719D55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A603A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A603D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A603DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A603E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A603F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A603F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A60401

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 03dbff51c1be348145e3c1f8cb721217d213fdbbee5a82cca56bb2963564b68e
Instruction ID: 56af3ea0737e4e6754854b9caf2b69addf8b11548b2430505cc4c168657cc1cc
Opcode Fuzzy Hash: 03dbff51c1be348145e3c1f8cb721217d213fdbbee5a82cca56bb2963564b68e
Instruction Fuzzy Hash: 87016CB09017597DE3008F5A8C85B52FFE8FF19354F00411BA15C47941C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00AA568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AA569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AA56B1
GetWindowThreadProcessId.USER32(?,?), ref: 00AA56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AA56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AA56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AA56E0

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 19c41daee8ceb62538de8bbbb4f062e016f1233a885a13df1ab5b69ba872ee10
Instruction ID: 62244e107906b339da5243a0284ab9d22a929ea1e5121a1edf257436a4676c86
Opcode Fuzzy Hash: 19c41daee8ceb62538de8bbbb4f062e016f1233a885a13df1ab5b69ba872ee10
Instruction Fuzzy Hash: 43F03032641558BFE7219BE2DC0DEEF7B7DEFC6B11F050169FA04D1090D7A11A0286B5

Uniqueness

Uniqueness Score: -1.00%

Function 00AA74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00AA74E5
EnterCriticalSection.KERNEL32(?,?,00A51044,?,?), ref: 00AA74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00A51044,?,?), ref: 00AA7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00A51044,?,?), ref: 00AA7510

Part of subcall function 00AA6ED7: CloseHandle.KERNEL32(00000000,?,00AA751D,?,00A51044,?,?), ref: 00AA6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00AA7523
LeaveCriticalSection.KERNEL32(?,?,00A51044,?,?), ref: 00AA752A

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 63935a77fd89e6c9254e1ec3fd9af9493c12ef4769d9e36f253ed3546ae6245b
Instruction ID: 0407d146525778fad73b9d461c596f347dec4b0b303dce5dd5bf2f6e58f6ad90
Opcode Fuzzy Hash: 63935a77fd89e6c9254e1ec3fd9af9493c12ef4769d9e36f253ed3546ae6245b
Instruction Fuzzy Hash: 1BF03A7A540612EFDB125BA4ED88DEB772AEF45702B060532F202910A0CB755802CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00A98E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A98E7F
UnloadUserProfile.USERENV(?,?), ref: 00A98E8B
CloseHandle.KERNEL32(?), ref: 00A98E94
CloseHandle.KERNEL32(?), ref: 00A98E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A98EA5
HeapFree.KERNEL32(00000000), ref: 00A98EAC

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5f0720ee423c824d14744904acba8f434890dba3de533a07ecc146d3f21cd2ac
Instruction ID: 2583cdc89f3f9e9d46e41263176b1abc436c4438e12cd6d4ea80ce8068961111
Opcode Fuzzy Hash: 5f0720ee423c824d14744904acba8f434890dba3de533a07ecc146d3f21cd2ac
Instruction Fuzzy Hash: 05E0C236004401FFDA019FE2EC0CD0ABB6AFB89322B168232F32985170CB329422DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AB8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AB8928
CharUpperBuffW.USER32(?,?), ref: 00AB8A37
VariantClear.OLEAUT32(?), ref: 00AB8BAF

Part of subcall function 00AA7804: VariantInit.OLEAUT32(00000000), ref: 00AA7844
Part of subcall function 00AA7804: VariantCopy.OLEAUT32(00000000,?), ref: 00AA784D
Part of subcall function 00AA7804: VariantClear.OLEAUT32(00000000), ref: 00AA7859

Strings

AUTOIT.ERROR, xrefs: 00AB8A3D
Incorrect Parameter format, xrefs: 00AB8960, 00AB8B22

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 5e8f9c481cce2978d179e66c4cf34f2b15f52614ea09b53f0f206350ce422d31
Instruction ID: 6c8d9812eb0d08766fd2f66bc556b40480b5feb9066f1f5586c441e6b8ddaa85
Opcode Fuzzy Hash: 5e8f9c481cce2978d179e66c4cf34f2b15f52614ea09b53f0f206350ce422d31
Instruction Fuzzy Hash: 71916D756043019FCB10DF28C58499BBBF8EF89754F04896EF89A8B362DB30E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AA2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5FEC6: _wcscpy.LIBCMT ref: 00A5FEE9

_memset.LIBCMT ref: 00AA3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AA30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AA3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00AA3187

Strings

0, xrefs: 00AA3063

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 55a0e91ccc03fe44d7ca5409170dcdadc454a390682c7c16a8f2d946861f1ef4
Instruction ID: 7e141e483d268b6031340deaa629f7ebeaa2f00f8bf7b6f6b9a6d116579e9440
Opcode Fuzzy Hash: 55a0e91ccc03fe44d7ca5409170dcdadc454a390682c7c16a8f2d946861f1ef4
Instruction Fuzzy Hash: F851BE726083009FDF259F28D945A6BBBE4EF96320F044A2EF895D71E1DB71CE448792

Uniqueness

Uniqueness Score: -1.00%

Function 00A9DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A9DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A9DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A9DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A9DB8E

Strings

DllGetClassObject, xrefs: 00A9DB01

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 65b499a51498426fd9fa3a39e0bdbb0adea0c843972701e2de3f54e5daccc71a
Instruction ID: b9b2c5305490a347c0cc85fb958301e54bab4d8f82619a6f074034ab8f625d89
Opcode Fuzzy Hash: 65b499a51498426fd9fa3a39e0bdbb0adea0c843972701e2de3f54e5daccc71a
Instruction Fuzzy Hash: FC416FB1700208EFDF15CF65C984AAA7BF9EF44350F1685AAAD059F205D7B1DD84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AA2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00AA2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00AA2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B06890,00000000), ref: 00AA2D5A

Strings

0, xrefs: 00AA2CA4

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 242edce209fc415cea7320e8fc998e8e8553c0827cc8df8bb683f55ddd3e08f4
Instruction ID: 1542fe952f4132e1c829d4ad69d42bb40fa83f93b6daf6764a57a55d5880b6fb
Opcode Fuzzy Hash: 242edce209fc415cea7320e8fc998e8e8553c0827cc8df8bb683f55ddd3e08f4
Instruction Fuzzy Hash: 7541BF302043029FD720DF28C945B6ABBE8EF86320F14462DF966972E2D770E915CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00ABDAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00ABDAD9

Part of subcall function 00A479AB: _memmove.LIBCMT ref: 00A479F9

Strings

cdecl, xrefs: 00ABDB30
none, xrefs: 00ABDBB4
winapi, xrefs: 00ABDB4A
stdcall, xrefs: 00ABDB5B

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 3f1502fbde5b1e2d70649792d3e32810d7b850277f303c66b56465fe86beb034
Instruction ID: 802bde7205da9d871e34db41a2161ff2553073f9d92c72d64b629c1bd3406d6b
Opcode Fuzzy Hash: 3f1502fbde5b1e2d70649792d3e32810d7b850277f303c66b56465fe86beb034
Instruction Fuzzy Hash: 2B31B275500619EFCF00EF94CD819FEB7B8FF45310B108A29E965A76D2DB71A906CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A99372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A47F41: _memmove.LIBCMT ref: 00A47F82

Part of subcall function 00A9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00A9B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A993F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A99409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A99439

Part of subcall function 00A47D2C: _memmove.LIBCMT ref: 00A47D66

Strings

ComboBox, xrefs: 00A99380
ListBox, xrefs: 00A993B5

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 21461bf8f2eebb6df94dfd9917d6290777a7e0f89021b739c1f7fedd8d419c82
Instruction ID: 0bf9906590bbb2725c15fa62e322cb577209b6e3bd5fc06cc0520068faade94e
Opcode Fuzzy Hash: 21461bf8f2eebb6df94dfd9917d6290777a7e0f89021b739c1f7fedd8d419c82
Instruction Fuzzy Hash: 7C21E175A00108BFDF14ABB4DD85DFFB7B8DF85360B14812DF925972E1DB350A0A9A20

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AB1B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AB1B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AB1B96
InternetCloseHandle.WININET(00000000), ref: 00AB1BDD

Part of subcall function 00AB2777: GetLastError.KERNEL32(?,?,00AB1B0B,00000000,00000000,00000001), ref: 00AB278C
Part of subcall function 00AB2777: SetEvent.KERNEL32(?,?,00AB1B0B,00000000,00000000,00000001), ref: 00AB27A1

Strings

, xrefs: 00AB1B87

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ee0a56fe978badc51439a239396df99f9f7ea7974884929c893b70fcb1474b80
Instruction ID: c2a4b59f6a9b25d18be5d6364ad1a40dac7eb63e686821fbf3887d200ecf8893
Opcode Fuzzy Hash: ee0a56fe978badc51439a239396df99f9f7ea7974884929c893b70fcb1474b80
Instruction Fuzzy Hash: EF219DB2600208BFEB11DF609C95EFF76FDEB49744F10452AF505A6241EA249E0697A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A41D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A41D73
Part of subcall function 00A41D35: GetStockObject.GDI32(00000011), ref: 00A41D87
Part of subcall function 00A41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A41D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00AC66D0
LoadLibraryW.KERNEL32(?), ref: 00AC66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00AC66EC
DestroyWindow.USER32(?), ref: 00AC66F4

Strings

SysAnimate32, xrefs: 00AC66AB

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: e13b599bae2abd52c30842953cdf1b27fda386d00632dfd171b10a7e4edbc157
Instruction ID: 09aa8cd368789ec663db91ae9e82d885c13b916b4c0196d65eaf682fa5c14552
Opcode Fuzzy Hash: e13b599bae2abd52c30842953cdf1b27fda386d00632dfd171b10a7e4edbc157
Instruction Fuzzy Hash: 05218B71200206AFEF148FA4EC80FBB37ADEF59368F124A2DFA1092190D771CC519761

Uniqueness

Uniqueness Score: -1.00%

Function 00AA703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00AA705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AA7091
GetStdHandle.KERNEL32(0000000C), ref: 00AA70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00AA70DD

Strings

nul, xrefs: 00AA70D8

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 35bfc63d53dbf0018d4d3dc735fbd50c5258343378a2bb5e84b9c86e36b8d21c
Instruction ID: 6e745d7e9899f70805d86d59f99de0d536f6cdc5b79ef5b477153db59221336a
Opcode Fuzzy Hash: 35bfc63d53dbf0018d4d3dc735fbd50c5258343378a2bb5e84b9c86e36b8d21c
Instruction Fuzzy Hash: 0A215E74604209AFDB209F69DC05A9FBBB8BF56721F204A29FDA1D72D0E77098518B50

Uniqueness

Uniqueness Score: -1.00%

Function 00AA710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00AA712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AA715D
GetStdHandle.KERNEL32(000000F6), ref: 00AA716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00AA71A8

Strings

nul, xrefs: 00AA71A3

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 527f699df8b1223fd4fc813529404fd946048ff3828fcd379ea405f086dcdbb2
Instruction ID: d059fd5e51ba467d6f5e9f009298236832647568de8e1763e7248268dce6fd5a
Opcode Fuzzy Hash: 527f699df8b1223fd4fc813529404fd946048ff3828fcd379ea405f086dcdbb2
Instruction Fuzzy Hash: 80215375604215AFDB209F69DC44EAFB7E8AF56720F200B19FDA1D72E0EB709841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00AAAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AAAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00AAAF13
__swprintf.LIBCMT ref: 00AAAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00ACF910), ref: 00AAAF6A

Strings

%lu, xrefs: 00AAAF26

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 7c6098eb5b79d8f9897a20e3b1422f2738357af312461aafbdc4f3a2622fa228
Instruction ID: 79dbff69ef36614b8b5853b1a92e33ed88777447eb15215360332df05b03d612
Opcode Fuzzy Hash: 7c6098eb5b79d8f9897a20e3b1422f2738357af312461aafbdc4f3a2622fa228
Instruction Fuzzy Hash: 58213035A00109AFDB10DFA5C985DAEBBF9EF89704B104069F909EB251DB71EA42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A47D2C: _memmove.LIBCMT ref: 00A47D66

Part of subcall function 00A9A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00A9A399
Part of subcall function 00A9A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A9A3AC
Part of subcall function 00A9A37C: GetCurrentThreadId.KERNEL32 ref: 00A9A3B3
Part of subcall function 00A9A37C: AttachThreadInput.USER32(00000000), ref: 00A9A3BA

GetFocus.USER32 ref: 00A9A554

Part of subcall function 00A9A3C5: GetParent.USER32(?), ref: 00A9A3D3

GetClassNameW.USER32(?,?,00000100), ref: 00A9A59D
EnumChildWindows.USER32(?,00A9A615), ref: 00A9A5C5
__swprintf.LIBCMT ref: 00A9A5DF

Strings

%s%d, xrefs: 00A9A5D9

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: da5cfab08e1bbbc1ece6d113e92858a12400634ffa906d97b6ccc0a99f7ab0ea
Instruction ID: cb482e79023cae3c240786e28a05d72fdc97ea7ca38032ef29155a4036338359
Opcode Fuzzy Hash: da5cfab08e1bbbc1ece6d113e92858a12400634ffa906d97b6ccc0a99f7ab0ea
Instruction Fuzzy Hash: 01117F79700209BBDF11BFB4DD85FEA37B9AF58700F04407ABA08AA152CB7059469BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00AA2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00AA2048

Strings

APPEND, xrefs: 00AA2081
KEYS, xrefs: 00AA205F
REMOVE, xrefs: 00AA204E
EXISTS, xrefs: 00AA2070

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 089be60a38411f3ec495113698b2a86f07ffa5deaebbebe30ca687c62e9989c4
Instruction ID: 383c310205b131a2938a5f23cdf05dc08d11f8c40e256b6c6a68d979169db23c
Opcode Fuzzy Hash: 089be60a38411f3ec495113698b2a86f07ffa5deaebbebe30ca687c62e9989c4
Instruction Fuzzy Hash: 1B115B74940109DFCF00EFA8D9419FEB7B4FF26304B108669E965A7292EB336D1ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ABEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00ABEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00ABEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00ABF07E
CloseHandle.KERNEL32(?), ref: 00ABF0FF

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: f8e39d31174a11a9784af4b4e07fd2394b3a4453c9e1a5f1bd641f59a98166a8
Instruction ID: 34b735eb1249f434af9d23f7d23a4475a94fe18b45017e944848321cba20f5fd
Opcode Fuzzy Hash: f8e39d31174a11a9784af4b4e07fd2394b3a4453c9e1a5f1bd641f59a98166a8
Instruction Fuzzy Hash: 2C814E756043019FD720EF28D986B6BB7E5AF88710F14882DF5999B392DBB0AC418B51

Uniqueness

Uniqueness Score: -1.00%

Function 00AC02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A47F41: _memmove.LIBCMT ref: 00A47F82

Part of subcall function 00AC10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AC0038,?,?), ref: 00AC10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AC0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AC03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00AC040E
RegCloseKey.ADVAPI32(?,?), ref: 00AC043A
RegCloseKey.ADVAPI32(00000000), ref: 00AC0447

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 435ca8f451981b225edc42c624c968aaa5c31e634687261a3be94af70ca6ae97
Instruction ID: 41b3f148c1cad57e6e558628dc8b90686146d583a9ab985f1d747a843158538d
Opcode Fuzzy Hash: 435ca8f451981b225edc42c624c968aaa5c31e634687261a3be94af70ca6ae97
Instruction Fuzzy Hash: 0C514831208244EFDB04EB64C985F6FB7E9FF88704F44892DB5959B2A2DB30E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00ABDBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A49997: __itow.LIBCMT ref: 00A499C2
Part of subcall function 00A49997: __swprintf.LIBCMT ref: 00A49A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00ABDC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00ABDCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00ABDCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00ABDD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00ABDD35

Part of subcall function 00A45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AA7B20,?,?,00000000), ref: 00A45B8C
Part of subcall function 00A45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AA7B20,?,?,00000000,?,?), ref: 00A45BB0

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: ccbddd9da9577eabdd7a629f47c0b7cc1148d6ac7cb7059f172ad7fbd4f426cb
Instruction ID: 81a18038e5f559e84b29d2b07d8a94b190181f991bf2b2aa8e3f54b87b452713
Opcode Fuzzy Hash: ccbddd9da9577eabdd7a629f47c0b7cc1148d6ac7cb7059f172ad7fbd4f426cb
Instruction Fuzzy Hash: 38512B79A00605DFCB00EFA8C584DAEBBF9FF49310B058069E955AB312D731AD45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AAE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AAE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00AAE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AAE8F2

Part of subcall function 00A49997: __itow.LIBCMT ref: 00A499C2
Part of subcall function 00A49997: __swprintf.LIBCMT ref: 00A49A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AAE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AAE91F

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: b9711a842ae4d014aec80f32f31559e21623b8060443094c48e250f9726ffddf
Instruction ID: 0bb8caa7fb53f12526fd25230261c4f7765500ab806c4c3cd675a244416e97d7
Opcode Fuzzy Hash: b9711a842ae4d014aec80f32f31559e21623b8060443094c48e250f9726ffddf
Instruction Fuzzy Hash: E151FC39A00205DFCF05EF64CA819AEBBF5EF49314B1480A9E849AB362DB31ED51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ACA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b5f953400e26a5edb027c1c6e6f84960df897e021b6626647a02e9c4c3edae
Instruction ID: baf7e91281bcd7914ef396334db7ee1a83fc410abac23bdaedc4425fbae88330
Opcode Fuzzy Hash: 56b5f953400e26a5edb027c1c6e6f84960df897e021b6626647a02e9c4c3edae
Instruction Fuzzy Hash: C641263990024CAFCB10DF68CC58FB9BBA5EB19314F064169F916AB3E0C7309D41DA51

Uniqueness

Uniqueness Score: -1.00%

Function 00A42344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A42357
ScreenToClient.USER32(00B067B0,?), ref: 00A42374
GetAsyncKeyState.USER32(00000001), ref: 00A42399
GetAsyncKeyState.USER32(00000002), ref: 00A423A7

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 0035c9b4e7ce1df19e1bd9c902fa96b2d770ece5095cc89d499287d7ee031e65
Instruction ID: 05b72933d9e61c1b9b671b46f67140b5c5adc3ecea59d7656ebd1270da05619a
Opcode Fuzzy Hash: 0035c9b4e7ce1df19e1bd9c902fa96b2d770ece5095cc89d499287d7ee031e65
Instruction Fuzzy Hash: 99417E35604119FFDF159FA8CC44FE9BB75FB45320F60836AF8289A2A1C734A990DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A96920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A9695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00A969A9
TranslateMessage.USER32(?), ref: 00A969D2
DispatchMessageW.USER32(?), ref: 00A969DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A969EB

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: e8967905e890aafc1557d50c6a2640a427cc4d6fc7ab9ed506a6856f21637779
Instruction ID: 0973d9aa5aca863082622d8383df7461d1690248e16daf9bbb835e123e20404e
Opcode Fuzzy Hash: e8967905e890aafc1557d50c6a2640a427cc4d6fc7ab9ed506a6856f21637779
Instruction Fuzzy Hash: 0D31CF31A01246AEDF20CFB48C84FB6BBFCAF11344F104569E422D71A1EB34D896DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A98F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A98F12
PostMessageW.USER32(?,00000201,00000001), ref: 00A98FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00A98FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00A98FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00A98FDA

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: df1f3b774d91575e149ff3ec9e651dfd2b6ebac9fd507d9c67c657591d1eab08
Instruction ID: a1d45223bb37d23c365d9ae213fea2d947301ca3e610f0f98f4102d81fac1205
Opcode Fuzzy Hash: df1f3b774d91575e149ff3ec9e651dfd2b6ebac9fd507d9c67c657591d1eab08
Instruction Fuzzy Hash: F631CE71600219EFDF14CFA8D94CAAE7BB6EB05315F114229F925EA2D0C7B89A14DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A9B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A9B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A9B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A9B742
_wcsstr.LIBCMT ref: 00A9B74C

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: b9529d373c4ede86ac38521716cde17b06cb2a984e6ec11b1a7a387954d01295
Instruction ID: 971d2316e147e23df5a9abb1e34c613e5bf98d045a03fd477c5e499240ed0ddd
Opcode Fuzzy Hash: b9529d373c4ede86ac38521716cde17b06cb2a984e6ec11b1a7a387954d01295
Instruction Fuzzy Hash: 87213732305244BBEF249BB9AE49E7B7BE9DF85710F014039F805CA1A1EF61DC4183A0

Uniqueness

Uniqueness Score: -1.00%

Function 00ACB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623

GetWindowLongW.USER32(?,000000F0), ref: 00ACB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00ACB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00ACB489
GetSystemMetrics.USER32(00000004), ref: 00ACB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00AB1184,00000000), ref: 00ACB4D0

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 3809696283416bd35539f5024a288e23f0dfdb6737caefd683a5c71eaddc949a
Instruction ID: 93ae7136c121f630963053264bb9d425cad5a2bd54bb0316dd82cf8bbc6b413c
Opcode Fuzzy Hash: 3809696283416bd35539f5024a288e23f0dfdb6737caefd683a5c71eaddc949a
Instruction Fuzzy Hash: C021B131928215AFCB188F78CD05F6A3BA4EB04720F128739F926C71E1E7319811DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A997E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A99802

Part of subcall function 00A47D2C: _memmove.LIBCMT ref: 00A47D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A99834
__itow.LIBCMT ref: 00A9984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A99874
__itow.LIBCMT ref: 00A99885

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: fa454b8ad7ad771733a0e2e882a0ac914f0224cc05b1e7b30a9e732dfd6f3660
Instruction ID: 89676ba0b38f5a09c1234304d6cbfc189a86126f13ef8903b08305276101dafc
Opcode Fuzzy Hash: fa454b8ad7ad771733a0e2e882a0ac914f0224cc05b1e7b30a9e732dfd6f3660
Instruction Fuzzy Hash: 2221B075B00248BBDF10ABA98D8AEEF7BE9EF4A710F04802DF9049B291D7708D459791

Uniqueness

Uniqueness Score: -1.00%

Function 00A412F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A4134D
SelectObject.GDI32(?,00000000), ref: 00A4135C
BeginPath.GDI32(?), ref: 00A41373
SelectObject.GDI32(?,00000000), ref: 00A4139C

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 726b0248b7ea7a98357a2d3d802c4968ed257f39c32b1cee83090e32f6bd7645
Instruction ID: d55c15b9cce6a00bd7c027aeddf0c77369ad8d2c55efa9b0401cbfdea222ba12
Opcode Fuzzy Hash: 726b0248b7ea7a98357a2d3d802c4968ed257f39c32b1cee83090e32f6bd7645
Instruction Fuzzy Hash: FE214F74900308EFDB11DF65EC08BA97BF9FB60761F14C226F8149B1A0DB71A9A1DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A9C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00A9C176
_memcmp.LIBCMT ref: 00A9C194
_memcmp.LIBCMT ref: 00A9C1A7
_memcmp.LIBCMT ref: 00A9C1BF
_memcmp.LIBCMT ref: 00A9C1D7

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: cb8f3ab984662aaa18d565b6f46f803e94f93936101bd3e3ca28c8b48b2ee9b8
Instruction ID: 5ba283bdd1aa565d1e7cc6f3e0599c182978a14a4d9e192b52f5b80cbd6dffb9
Opcode Fuzzy Hash: cb8f3ab984662aaa18d565b6f46f803e94f93936101bd3e3ca28c8b48b2ee9b8
Instruction Fuzzy Hash: 8D01B9757045057BEA04A6219D42FABB7ECAB213B4F584112FD0597383E690DF11C3F8

Uniqueness

Uniqueness Score: -1.00%

Function 00AA4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AA4D5C
__beginthreadex.LIBCMT ref: 00AA4D7A
MessageBoxW.USER32(?,?,?,?), ref: 00AA4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00AA4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00AA4DAC

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 35ff273f78fd164423ac7d88e24da7ab9250cf9112c3e41a8d7904e7cb808910
Instruction ID: edf4563f10527b63dccc21ff1cddda2ef3de8feee182cf385ad4a414ca1d9697
Opcode Fuzzy Hash: 35ff273f78fd164423ac7d88e24da7ab9250cf9112c3e41a8d7904e7cb808910
Instruction Fuzzy Hash: B6110876904244BFC701DBB89C08EDA7FADEB89320F154369F914D3390D7B58D0487A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A9874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A98766
GetLastError.KERNEL32(?,00A9822A,?,?,?), ref: 00A98770
GetProcessHeap.KERNEL32(00000008,?,?,00A9822A,?,?,?), ref: 00A9877F
HeapAlloc.KERNEL32(00000000,?,00A9822A,?,?,?), ref: 00A98786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A9879D

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 7f5069e71bd99575e8be52300ac7a95fd6883f9c23e8a259b688bf0a01d9d3f0
Instruction ID: 10e4409cec5f8c9ece6c3c944c5da713d61fb874f27ff3592bde27eb10493b53
Opcode Fuzzy Hash: 7f5069e71bd99575e8be52300ac7a95fd6883f9c23e8a259b688bf0a01d9d3f0
Instruction Fuzzy Hash: D8014671200204FFDB208FE6DC88D6B7FAEEF8A355B200529F949C2260DA318C01DA60

Uniqueness

Uniqueness Score: -1.00%

Function 00AA54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AA5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AA5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AA5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AA5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AA555E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 75432ad939849978f10c6893af99e1012d1877c6cd1ab50c51cdc46d97a61485
Instruction ID: 042bb3b032c97e7c1b7e8b03c205ac08d63ebc8541cd9b2fcc2d785591c0f60b
Opcode Fuzzy Hash: 75432ad939849978f10c6893af99e1012d1877c6cd1ab50c51cdc46d97a61485
Instruction Fuzzy Hash: FD015B71D00A1ADBCF00EFF9E888AEDBB79BF0A701F050156E905B3180DB315554CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A97652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A9758C,80070057,?,?,?,00A9799D), ref: 00A9766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A9758C,80070057,?,?), ref: 00A9768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A9758C,80070057,?,?), ref: 00A97698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A9758C,80070057,?), ref: 00A976A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A9758C,80070057,?,?), ref: 00A976B4

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e7389572e6b23435f44259a9ffc7e4b6a83df1f55d5a3112aa58f6b8a055d3f3
Instruction ID: c461993f63f052521b80e45b32f3d875d4fcdab81b0008052f75b70348a2bc75
Opcode Fuzzy Hash: e7389572e6b23435f44259a9ffc7e4b6a83df1f55d5a3112aa58f6b8a055d3f3
Instruction Fuzzy Hash: DC015E72615604AFDB119F58DC44EAE7BFDEB44751F150028FE04D2211E731DD4197B0

Uniqueness

Uniqueness Score: -1.00%

Function 00A985F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A98608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A98612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A98621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A98628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A9863E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e30a1c00db3a1d442b6eebf97fe217f8ac371786ca6abd1418c102f938ae4acf
Instruction ID: 146921e994fd6b53bce23b38fb570db2e654bf1bd55e8104630a64289318c4d4
Opcode Fuzzy Hash: e30a1c00db3a1d442b6eebf97fe217f8ac371786ca6abd1418c102f938ae4acf
Instruction Fuzzy Hash: 1EF04F35201204AFEB104FE9DC89E6B3FADFF8AB54B050525FA45CA150EB659C42DA60

Uniqueness

Uniqueness Score: -1.00%

Function 00A98652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A98669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A98673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A98682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A98689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A9869F

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4a9a6a8a1fbae0f2fecfcccabb272a7c70d8490ee42e811d3c2722ed50af5de7
Instruction ID: bd65b772f78de0fa2365d9d6993f755312daf36261649e5e57eb9d8f68597da3
Opcode Fuzzy Hash: 4a9a6a8a1fbae0f2fecfcccabb272a7c70d8490ee42e811d3c2722ed50af5de7
Instruction Fuzzy Hash: DCF0AF74300204AFEB115FA5EC88E673FBDFF8A754B140026FA05CA150DA649802EA60

Uniqueness

Uniqueness Score: -1.00%

Function 00A9C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00A9C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00A9C6D1
MessageBeep.USER32(00000000), ref: 00A9C6E9
KillTimer.USER32(?,0000040A), ref: 00A9C705
EndDialog.USER32(?,00000001), ref: 00A9C71F

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 0646259e09938dc8dc022b9aeaad7e29bc7c8671ceb28092fd826fea871fdc57
Instruction ID: 410d5ea7ce75058afb97ff887a52b57fc5ba44db90f9954c7a14ebc32003f17a
Opcode Fuzzy Hash: 0646259e09938dc8dc022b9aeaad7e29bc7c8671ceb28092fd826fea871fdc57
Instruction Fuzzy Hash: 53018630500704ABEF219BA0DD4EF9677B9FF00715F000669F682A14E1EBF0A9558F80

Uniqueness

Uniqueness Score: -1.00%

Function 00A413B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A413BF
StrokeAndFillPath.GDI32(?,?,00A7BAD8,00000000,?), ref: 00A413DB
SelectObject.GDI32(?,00000000), ref: 00A413EE
DeleteObject.GDI32 ref: 00A41401
StrokePath.GDI32(?), ref: 00A4141C

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: fe97992573b7679649a106a2639695bf32c5d36c16b434785739a474ee721cd5
Instruction ID: abd32ffec5361e3189f0ce1d0f381995b30863c47607f6e7271215f88913d053
Opcode Fuzzy Hash: fe97992573b7679649a106a2639695bf32c5d36c16b434785739a474ee721cd5
Instruction Fuzzy Hash: 66F0E774004308EFDB159FA6EC0CB583FA5AB61726F04C226F4698A0F1DB3189A6DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00AAC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00AAC69D
CoCreateInstance.OLE32(00AD2D6C,00000000,00000001,00AD2BDC,?), ref: 00AAC6B5

Part of subcall function 00A47F41: _memmove.LIBCMT ref: 00A47F82

CoUninitialize.OLE32 ref: 00AAC922

Strings

.lnk, xrefs: 00AAC631, 00AAC659, 00AAC663

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 957c86e20935c62c5ec9580b318953eb453078461cf75b22a3cff8a74fc3b4fa
Instruction ID: 398f8abe1cf9933f753090e155e719260f7380cfc48edcc86ec2f004ae2979ea
Opcode Fuzzy Hash: 957c86e20935c62c5ec9580b318953eb453078461cf75b22a3cff8a74fc3b4fa
Instruction Fuzzy Hash: BCA13C75104205AFD700EF64C981EAFB7E8EFD5754F00492DF1969B2A2EB70EA09CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A52E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00A60FF6: std::exception::exception.LIBCMT ref: 00A6102C
Part of subcall function 00A60FF6: __CxxThrowException@8.LIBCMT ref: 00A61041

Part of subcall function 00A47F41: _memmove.LIBCMT ref: 00A47F82

Part of subcall function 00A47BB1: _memmove.LIBCMT ref: 00A47C0B

__swprintf.LIBCMT ref: 00A5302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00A52EC6

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 579efa57e957af7c91b1c882017ec721baff44f1ad714207c820862e49d76881
Instruction ID: 729b3a7ed20e917cd6972a8ca4bf321466ba470b9240b8498d172c49bfabb635
Opcode Fuzzy Hash: 579efa57e957af7c91b1c882017ec721baff44f1ad714207c820862e49d76881
Instruction Fuzzy Hash: 719158765083419FCB18EF24DA95C6EB7B4EF85740F04491DF9829B2A2DB30EE49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AABBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A448A1,?,?,00A437C0,?), ref: 00A448CE

CoInitialize.OLE32(00000000), ref: 00AABC26
CoCreateInstance.OLE32(00AD2D6C,00000000,00000001,00AD2BDC,?), ref: 00AABC3F
CoUninitialize.OLE32 ref: 00AABC5C

Part of subcall function 00A49997: __itow.LIBCMT ref: 00A499C2
Part of subcall function 00A49997: __swprintf.LIBCMT ref: 00A49A0C

Strings

.lnk, xrefs: 00AABC08, 00AABC16

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: bf469e5d1e515dadf874d5f3d0be522a274791e775b3e7715e1e58ec7fbc7936
Instruction ID: 01a1a2aa1a1a085b5d51d39afa57d373710573480f998bdac223c19b0220b24d
Opcode Fuzzy Hash: bf469e5d1e515dadf874d5f3d0be522a274791e775b3e7715e1e58ec7fbc7936
Instruction Fuzzy Hash: 77A136756043419FCB10DF24C584E6ABBE5FF89314F148998F89A9B3A2CB31ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A652DD

Part of subcall function 00A70340: __87except.LIBCMT ref: 00A7037B

Strings

pow, xrefs: 00A652B5, 00A652D2

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 3dfcb855ac99d195ada3fc44b6859a4c173da53a1af7f1fd78e3bc28c1bcae6a
Instruction ID: bb8501bbd28fa528bebb2220e796f60d18b4ae81c40e245ab052cc184dca699c
Opcode Fuzzy Hash: 3dfcb855ac99d195ada3fc44b6859a4c173da53a1af7f1fd78e3bc28c1bcae6a
Instruction Fuzzy Hash: 5A515A31E1D601C7CB15B734CE61BBE7BB49B00B50F20C95AE0DA8A2E5EF748CD49A46

Uniqueness

Uniqueness Score: -1.00%

Function 00A6023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00A60277
#, xrefs: 00A60280

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: d8fbf6895b9f3729930f0f3200c5283ead4b8b4482b707c57fe3d7a40141d47a
Instruction ID: 2002ea3d16089d9f63cb45022942e7033e1b0874027fe107d9b9a32b4fe3fb53
Opcode Fuzzy Hash: d8fbf6895b9f3729930f0f3200c5283ead4b8b4482b707c57fe3d7a40141d47a
Instruction Fuzzy Hash: B5512179A046868FDF16DF78C48AAFA7BB4EF5A310F144055E8919F2A0D7349C86CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A562F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A563A8
_memmove.LIBCMT ref: 00A56446
_memset.LIBCMT ref: 00A5646A

Strings

ERCP, xrefs: 00A56313

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: aecf25fc3e3dda03406552532d910477fbcc61451ca6c1ce208f8554b9345cc8
Instruction ID: b99960ad6acb0247f41a9b46300aa40c7ae324dc7bcda96be030b08976bd90a2
Opcode Fuzzy Hash: aecf25fc3e3dda03406552532d910477fbcc61451ca6c1ce208f8554b9345cc8
Instruction Fuzzy Hash: 0251B171A003099FDB24CF65C981BAABBF4FF04355F60856EEA4ACB241E771D689CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AC7BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00ACF910,00000000,?,?,?,?), ref: 00AC7C4E
GetWindowLongW.USER32 ref: 00AC7C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AC7C7B

Strings

SysTreeView32, xrefs: 00AC7C20

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 2fd6b58c984bad7fc68d3d6380922bdbdd87b01cd127cef647b4c05627fa9379
Instruction ID: 44962aac8f9b2d4b2933c42e123f63dc5440b54df923392403ff70271f05b476
Opcode Fuzzy Hash: 2fd6b58c984bad7fc68d3d6380922bdbdd87b01cd127cef647b4c05627fa9379
Instruction Fuzzy Hash: A6318D3160820AAEDB118F78CC41FEA7BA9EB45324F254729F975A22E0D731EC519B60

Uniqueness

Uniqueness Score: -1.00%

Function 00AC7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00AC76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00AC76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AC7708

Strings

SysMonthCal32, xrefs: 00AC769B

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f5512bbe030a7908f9b676f7f2c78c248412c7228bc841fe4dbfdc859c9c19c7
Instruction ID: c5e6401441541c60c7349044aa2791ae48029ab4cc045e485754541d4e35f40a
Opcode Fuzzy Hash: f5512bbe030a7908f9b676f7f2c78c248412c7228bc841fe4dbfdc859c9c19c7
Instruction Fuzzy Hash: A8219F32510219BBDF15CFA4CC46FEE3B79EB48714F120218FE156B1D0DAB1A8519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00AC6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00AC6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00AC6FDF

Strings

Listbox, xrefs: 00AC6F77

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f7be45c855f3d7725aa3d7cc7973ff11f40e75a32c59c9f66e421aa6d75c64ff
Instruction ID: 79758ea6d2c24976c9c9e634f654b916a744e493686c77cd924ecc2b1d052064
Opcode Fuzzy Hash: f7be45c855f3d7725aa3d7cc7973ff11f40e75a32c59c9f66e421aa6d75c64ff
Instruction Fuzzy Hash: 85218032610118BFDF11CF54DC85FAB37AAEF89754F02812CFA549B190CA71AC518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00AC79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00AC79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00AC7A03

Strings

msctls_trackbar32, xrefs: 00AC79B8

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 34886e4412a4c3e217c336c7eb3a8cc3e9f353fc80027667b27f6987e746b9da
Instruction ID: 6b0d7a2c15e37cfc99cee5712e228e7d1e40ca2d7c43441e590e77c2b6ebcb7f
Opcode Fuzzy Hash: 34886e4412a4c3e217c336c7eb3a8cc3e9f353fc80027667b27f6987e746b9da
Instruction Fuzzy Hash: 0A11E372254208BFEF149F61CC05FEF7BA9EF89B64F02051DFA41A6090D6729851CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A44C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A44C2E), ref: 00A44CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A44CB5

Strings

kernel32.dll, xrefs: 00A44C9E
GetNativeSystemInfo, xrefs: 00A44CAF

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 3a0014079ed3f8eda53391a3f6203f41b7ebbf070fa7ed31d5eefd542fec1f29
Instruction ID: cc9504b1963ca2c8f912643f03caacd0bd52e64f4e5ff1ef832f4fa1e3ca88d1
Opcode Fuzzy Hash: 3a0014079ed3f8eda53391a3f6203f41b7ebbf070fa7ed31d5eefd542fec1f29
Instruction Fuzzy Hash: C2D01274510723DFD7209F71D958B0676D6AF05751B1ACC3E9886D6150D770D880C650

Uniqueness

Uniqueness Score: -1.00%

Function 00A44D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A44CE1,?), ref: 00A44DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A44DB4

Strings

kernel32.dll, xrefs: 00A44D9D
Wow64RevertWow64FsRedirection, xrefs: 00A44DAE

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: a8e2b1edb67e21a4f98b6821a6415cabe3cd647c0fa798aca2d57906c5ee6a66
Instruction ID: aabd3eef59e17cbd33ef23923dd3d0faa8b7b2df95a1fd56659396450141c96e
Opcode Fuzzy Hash: a8e2b1edb67e21a4f98b6821a6415cabe3cd647c0fa798aca2d57906c5ee6a66
Instruction Fuzzy Hash: 8CD01735950713DFEB209FB1D808B4AB6E5AF09356B16CC3EE9C6D6150EB70D880CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00A44D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A44D2E,?,00A44F4F,?,00B062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A44D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A44D81

Strings

kernel32.dll, xrefs: 00A44D6A
Wow64DisableWow64FsRedirection, xrefs: 00A44D7B

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: b7584429fc934ce48a7ed4c8fb68d3d5d6c0b972b4d65754f9b14eed673dc7cb
Instruction ID: e728a9070395998aaf2360a46639829332831db5bb15dbac2fc7dfb84faa16d0
Opcode Fuzzy Hash: b7584429fc934ce48a7ed4c8fb68d3d5d6c0b972b4d65754f9b14eed673dc7cb
Instruction Fuzzy Hash: AED01734910713DFDB209FB1D808B26B6E9BF19352B16CD3EA597D6250EB70D880CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00AC1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00AC12C1), ref: 00AC1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AC1092

Strings

advapi32.dll, xrefs: 00AC107B
RegDeleteKeyExW, xrefs: 00AC108C

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: a67e8645553a4d61c1f6d7f9be57a513cf78cf6157e90645038a612eeea311e9
Instruction ID: c59efc6c0fb668826e52f072da08f6409c23424f2ccb66e9d742d4a2c76d6b1e
Opcode Fuzzy Hash: a67e8645553a4d61c1f6d7f9be57a513cf78cf6157e90645038a612eeea311e9
Instruction Fuzzy Hash: B4D01730620712DFD720DFB5D818E6A76F5AF06361F1A8D3EA58ADA190E770C8C0CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00AB93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00AB9009,?,00ACF910), ref: 00AB9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00AB9415

Strings

kernel32.dll, xrefs: 00AB93FE
GetModuleHandleExW, xrefs: 00AB940F

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: b1dc69d79c2689309291c7de386e98eb43921d1c0377be2d8110f0107c8eb9fc
Instruction ID: 2c8017b5d4a4ebab39d0b0e6177f2bf0dabdd9c8a146488a999632cfba482fff
Opcode Fuzzy Hash: b1dc69d79c2689309291c7de386e98eb43921d1c0377be2d8110f0107c8eb9fc
Instruction Fuzzy Hash: F8D02E30540723DFCB208FB0CA08A83BAEABF00342B06CC3EE686D2550E770C881CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00A81B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A81B42
__swprintf.LIBCMT ref: 00A81B73

Strings

%.3d, xrefs: 00A81B4D
WIN_XPe, xrefs: 00A81BB2

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 195616274aead8fe843a612914b828b55ef9b7ec5fb410898f81a33cb30b8d38
Instruction ID: 5a85bfa3b3578b284e572ff252368040a047eeefaa86ce971f1771c44978ee24
Opcode Fuzzy Hash: 195616274aead8fe843a612914b828b55ef9b7ec5fb410898f81a33cb30b8d38
Instruction Fuzzy Hash: 3FD017B6804118EACB44BBD08C88DFA737CAB08311F5005A2B90AA2000F2349B86AB21

Uniqueness

Uniqueness Score: -1.00%

Function 00A976C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be16a7b239d82a8d7596bba0f2596d870c70dbe3ff69d042ca6553a9deaed764
Instruction ID: a3ce8dffd52aef677e43d2a5b49b982ebaa97f2e5e48cfc72b13158de4917018
Opcode Fuzzy Hash: be16a7b239d82a8d7596bba0f2596d870c70dbe3ff69d042ca6553a9deaed764
Instruction Fuzzy Hash: 90C11975A14216EFCF14CF98C884AAEBBF5FF48714B158599E805EB251D730EE81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ABE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00ABE3D2
CharLowerBuffW.USER32(?,?), ref: 00ABE415

Part of subcall function 00ABDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00ABDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00ABE615
_memmove.LIBCMT ref: 00ABE628

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 7d7b9299f2a3b5115e8d1c1ab968eb4bb3fa558825bca31d3bc87827aaa4599a
Instruction ID: 33518b4b110303eab6585e7dd1cf42b9ad95dcae28521d45134837f67b457181
Opcode Fuzzy Hash: 7d7b9299f2a3b5115e8d1c1ab968eb4bb3fa558825bca31d3bc87827aaa4599a
Instruction Fuzzy Hash: C3C15B756083419FC714DF28C5809AABBF4FF88714F14896DF8999B352D731E946CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00AB83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00AB83D8
CoUninitialize.OLE32 ref: 00AB83E3

Part of subcall function 00A9DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A9DAC5

VariantInit.OLEAUT32(?), ref: 00AB83EE
VariantClear.OLEAUT32(?), ref: 00AB86BF

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 78c261d9b9c5e972f0a99027e4e8219990db28331532515109ef90a57185557b
Instruction ID: c25f47f186b2af62f53d36f5cdc43300481872e72865b3eab4c199fecffb0060
Opcode Fuzzy Hash: 78c261d9b9c5e972f0a99027e4e8219990db28331532515109ef90a57185557b
Instruction Fuzzy Hash: 0EA147792047019FCB10DF28C991B6AB7E8BF88354F04495DF99A9B3A2CB34ED51CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00A97A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00AD2C7C,?), ref: 00A97C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00AD2C7C,?), ref: 00A97C4A
CLSIDFromProgID.OLE32(?,?,00000000,00ACFB80,000000FF,?,00000000,00000800,00000000,?,00AD2C7C,?), ref: 00A97C6F
_memcmp.LIBCMT ref: 00A97C90

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: de82313cecce997c4dad812ca899e61b1049a94e5fdd23110a9a323089a9fe72
Instruction ID: 6499f198501619d5e34ad90d0b4ed19d61330e431e1663d1f6d942df251b6861
Opcode Fuzzy Hash: de82313cecce997c4dad812ca899e61b1049a94e5fdd23110a9a323089a9fe72
Instruction Fuzzy Hash: DF81F875A10109EFCF04DF94C984EEEB7B9FF89315F204598E506AB250DB71AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A96DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A96E04
SysAllocString.OLEAUT32(00000000), ref: 00A96EAD
VariantCopy.OLEAUT32 ref: 00A96EDC
VariantClear.OLEAUT32(?), ref: 00A96F03

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 802e4fa6c69e2785321bc063de79ad4b84c6cea336999d67e707922152b6effc
Instruction ID: d019190a111940aae9888ca17a545a114bc3ed50c0e4e9a0da851a489ffbc115
Opcode Fuzzy Hash: 802e4fa6c69e2785321bc063de79ad4b84c6cea336999d67e707922152b6effc
Instruction Fuzzy Hash: 815183747183029EDF24AF65D995A7EB3F5AF48310F20881FE596CB291DB709880DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00AC9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0153E068,?), ref: 00AC9AD2
ScreenToClient.USER32(00000002,00000002), ref: 00AC9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00AC9B72

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e104057ce4ba2bd652938fe5c870515739d1ff36033a099ae8da2d09a4776321
Instruction ID: eb9bd750db3c028a397d377a803605c2e48796c22006790fefc539f8d15d6807
Opcode Fuzzy Hash: e104057ce4ba2bd652938fe5c870515739d1ff36033a099ae8da2d09a4776321
Instruction Fuzzy Hash: F5512C35A00209EFCF14DF68D985EAE7BB6FB54360F11815DF8259B2A0D730AD91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AB6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00AB6CE4
WSAGetLastError.WSOCK32(00000000), ref: 00AB6CF4

Part of subcall function 00A49997: __itow.LIBCMT ref: 00A499C2
Part of subcall function 00A49997: __swprintf.LIBCMT ref: 00A49A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00AB6D58
WSAGetLastError.WSOCK32(00000000), ref: 00AB6D64

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 71297f1e6bfa92e38605e3cb12d9876e9cd974a536b0cc9111b2802a0c12d995
Instruction ID: 70dd56a4adefe975c0392b9f43ddcc909faf934074dd2da03e11f47588d725ac
Opcode Fuzzy Hash: 71297f1e6bfa92e38605e3cb12d9876e9cd974a536b0cc9111b2802a0c12d995
Instruction Fuzzy Hash: E4418278740200AFEB10AF24DD87F7B77E99B88B10F448018FA599B2D3DAB59D018791

Uniqueness

Uniqueness Score: -1.00%

Function 00AB672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00ACF910), ref: 00AB67BA
_strlen.LIBCMT ref: 00AB67EC

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 38875a87e8040a5fe72fcf6d6bacbd95c0218b520fe5eac0c3c8469bf3b1902c
Instruction ID: 390c7d045b41b0de92a4b5fae0e3c1c2d0ba80bdcfbf7af1b0d373beee2ceec3
Opcode Fuzzy Hash: 38875a87e8040a5fe72fcf6d6bacbd95c0218b520fe5eac0c3c8469bf3b1902c
Instruction Fuzzy Hash: EA41B135A00104AFCB14EBA4DED5EEEB7BDEF48310F148169F8169B292DB34AD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AABA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00AABB09
GetLastError.KERNEL32(?,00000000), ref: 00AABB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00AABB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00AABB80

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 69bab4eaa1f92eaf6b961d5de5ba3748c5ac5510aaa89cb809455d0233d39fd5
Instruction ID: fa4c15e7790d15ca5554566d1b4e33c8ebac6fa65785f5cdb512c9372f27ab84
Opcode Fuzzy Hash: 69bab4eaa1f92eaf6b961d5de5ba3748c5ac5510aaa89cb809455d0233d39fd5
Instruction Fuzzy Hash: 9C411A39200610DFCB11EF15C685A5EBBE1EF89310B198498FC4A9B7A2CB35FD11CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AC8B4D

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 521e761e5291150781e666c4b9a646d21b0f12db36cd2b4eec52bc1e6d55d82f
Instruction ID: 254f4c77051c813dddde66514161049b6246602e76aa4e9a29e6d4c41b045447
Opcode Fuzzy Hash: 521e761e5291150781e666c4b9a646d21b0f12db36cd2b4eec52bc1e6d55d82f
Instruction Fuzzy Hash: 0E31B0B4601208BEEF209B58CC85FAE77A5FB05350F26851EFA51DB2A0CF38AD509B51

Uniqueness

Uniqueness Score: -1.00%

Function 00ACADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00ACAE1A
GetWindowRect.USER32(?,?), ref: 00ACAE90
PtInRect.USER32(?,?,00ACC304), ref: 00ACAEA0
MessageBeep.USER32(00000000), ref: 00ACAF11

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: a68eac3ff1d7686e92a3c3e3f96922e4507f61d8dc6d4c0729aad8d36db62a78
Instruction ID: 140237c37c8f06cca7be67c20e99dbdefa837d685f262c6bd3b87aedfbd083f4
Opcode Fuzzy Hash: a68eac3ff1d7686e92a3c3e3f96922e4507f61d8dc6d4c0729aad8d36db62a78
Instruction Fuzzy Hash: A2417C71A0022DDFCB11CF58C884F69BBF5FB68744F1681ADE4148B261D730A942CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AA0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00AA1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00AA1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00AA10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00AA110B

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4532e96679f3bdfcfcd183128b35bff0cbaac74c8733398c76fd6117ae6fc40a
Instruction ID: db9c9d2337a432f97757dfd6d136a38a9c4c21ed55403a3d5cf8b1996776605c
Opcode Fuzzy Hash: 4532e96679f3bdfcfcd183128b35bff0cbaac74c8733398c76fd6117ae6fc40a
Instruction Fuzzy Hash: CA312430E44698BEFB31CB698C05BFABBBAAB4A320F08431AE591531D1C3758DC59765

Uniqueness

Uniqueness Score: -1.00%

Function 00AA1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 00AA1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00AA1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00AA11F1
SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 00AA1243

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c7150d1a105bd98322dd111540b4fb16f8ce28a2ad57669a51b0fd8af115cb4e
Instruction ID: d45551ab8d500259b3f57238dfd8325d7c9ccba9168e9b80b3732fa55bce1888
Opcode Fuzzy Hash: c7150d1a105bd98322dd111540b4fb16f8ce28a2ad57669a51b0fd8af115cb4e
Instruction Fuzzy Hash: F0312630A4071C7EEF21CBA58C04BFABBBAAB4B310F04432FE691931D1D33589959791

Uniqueness

Uniqueness Score: -1.00%

Function 00A76415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A7644B
__isleadbyte_l.LIBCMT ref: 00A76479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A764A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A764DD

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3f1d59e51bb38118150b7d800515961605f3a55dc1c2f2ce88d5021c4acb5ca3
Instruction ID: 28f395d24143690b61fb7a63e1c8f7676fd6d143a4f589e4be1d9e020e6b1e15
Opcode Fuzzy Hash: 3f1d59e51bb38118150b7d800515961605f3a55dc1c2f2ce88d5021c4acb5ca3
Instruction Fuzzy Hash: 9031DE31600A46AFDB218F65CE44BAA7BB9FF40310F19C129E858871A0EB31D851DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AC5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00AC5189

Part of subcall function 00AA387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00AA3897
Part of subcall function 00AA387D: GetCurrentThreadId.KERNEL32 ref: 00AA389E
Part of subcall function 00AA387D: AttachThreadInput.USER32(00000000,?,00AA52A7), ref: 00AA38A5

GetCaretPos.USER32(?), ref: 00AC519A
ClientToScreen.USER32(00000000,?), ref: 00AC51D5
GetForegroundWindow.USER32 ref: 00AC51DB

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: df7274d377d4394110115d5db142f44e25ce1eff06025ddffa2435553afe39d7
Instruction ID: 50c82d0f5c0cfded02a7b4b7e3f8a4e92df4fdc9dad7d8bb47ff1afab6397f01
Opcode Fuzzy Hash: df7274d377d4394110115d5db142f44e25ce1eff06025ddffa2435553afe39d7
Instruction Fuzzy Hash: 49310C76900108AFDB00EFA5C985EEFB7F9EF98300F11406AE415E7241EA75AE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ACC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623

GetCursorPos.USER32(?), ref: 00ACC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A7BBFB,?,?,?,?,?), ref: 00ACC7D7
GetCursorPos.USER32(?), ref: 00ACC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A7BBFB,?,?,?), ref: 00ACC85E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 47555e2b1e18f2a239eaf3eedb9b545650851d154ea54d98b0c2e5556e73e4e3
Instruction ID: 3dcc6d59dcab82ffe8932dfb7e34c42c9efdc8260d8e4357ce9494722d31a84a
Opcode Fuzzy Hash: 47555e2b1e18f2a239eaf3eedb9b545650851d154ea54d98b0c2e5556e73e4e3
Instruction Fuzzy Hash: EE317135600118AFCB15CF98C898FEB7BFAEB49720F454169F9098B261CB359D61DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A98B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A98652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A98669
Part of subcall function 00A98652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A98673
Part of subcall function 00A98652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A98682
Part of subcall function 00A98652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A98689
Part of subcall function 00A98652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A9869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A98BEB
_memcmp.LIBCMT ref: 00A98C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A98C44
HeapFree.KERNEL32(00000000), ref: 00A98C4B

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b1257484a6fd60a0e571dd39f8b7cf7edb0745e9a093fcd4fc21f58be48095c8
Instruction ID: 82126982d871619cc72dc3dbb44ec6889a39890ca0822d2442072c1531a26cc2
Opcode Fuzzy Hash: b1257484a6fd60a0e571dd39f8b7cf7edb0745e9a093fcd4fc21f58be48095c8
Instruction Fuzzy Hash: F7218971E01208EFCF00DFA4C944BAEB7F8EF41341F09405AE954AB240EB38AA06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A60BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00A60BF2

Part of subcall function 00A45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AA7B20,?,?,00000000), ref: 00A45B8C
Part of subcall function 00A45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AA7B20,?,?,00000000,?,?), ref: 00A45BB0

_fprintf.LIBCMT ref: 00A60C29
OutputDebugStringW.KERNEL32(?), ref: 00A96331

Part of subcall function 00A64CDA: _flsall.LIBCMT ref: 00A64CF3

__setmode.LIBCMT ref: 00A60C5E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 9a160194f639125ce4dc68eb1e54feecd69a6aa1c0cc048eefad41db8c89aeec
Instruction ID: fceef5da4500da107c39755cddf659fb01600e9e1edef95ead171e45c88db089
Opcode Fuzzy Hash: 9a160194f639125ce4dc68eb1e54feecd69a6aa1c0cc048eefad41db8c89aeec
Instruction Fuzzy Hash: 8511E132A042087BCB04B7B4AE86DBF7B79DF89320F14011AF204972D2EF215D969795

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AB1A97

Part of subcall function 00AB1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AB1B40
Part of subcall function 00AB1B21: InternetCloseHandle.WININET(00000000), ref: 00AB1BDD

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 0af4d6499457befd4f2c1ed1234ee153a36f0bb61c42228ce4d37a0a74dae96f
Instruction ID: bb0e8c72ef6ffa42f1ce1c9d16b42615a20b3894a101bd66338692c30285adee
Opcode Fuzzy Hash: 0af4d6499457befd4f2c1ed1234ee153a36f0bb61c42228ce4d37a0a74dae96f
Instruction Fuzzy Hash: AE21A135200605BFEB119F608C15FFBB7BEFF48701F51401AFA1196662EB71E821ABA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A9E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A9F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00A9E1C4,?,?,?,00A9EFB7,00000000,000000EF,00000119,?,?), ref: 00A9F5BC
Part of subcall function 00A9F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00A9F5E2
Part of subcall function 00A9F5AD: lstrcmpiW.KERNEL32(00000000,?,00A9E1C4,?,?,?,00A9EFB7,00000000,000000EF,00000119,?,?), ref: 00A9F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00A9EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00A9E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00A9E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A9EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00A9E237

Strings

cdecl, xrefs: 00A9E22E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 7af48ff9c6c6ae99eb5afb804f69278f927856b785ccfdbe1bb1d69022e26db1
Instruction ID: 2ced0cd88282a98a8c675af6f08f3831696123cf1607e27f05d260743c7ca230
Opcode Fuzzy Hash: 7af48ff9c6c6ae99eb5afb804f69278f927856b785ccfdbe1bb1d69022e26db1
Instruction Fuzzy Hash: 0211AC3A200245EFCF25EF64D845EBA77F9FF84350B45402AF906CB260EB71D85187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A75332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A75351

Part of subcall function 00A6594C: __FF_MSGBANNER.LIBCMT ref: 00A65963
Part of subcall function 00A6594C: __NMSG_WRITE.LIBCMT ref: 00A6596A
Part of subcall function 00A6594C: RtlAllocateHeap.NTDLL(01520000,00000000,00000001,00000000,?,?,?,00A61013,?), ref: 00A6598F

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 89b2567eeb1918d93d7c5d041c1a013c50d8e5626c6b8fc8e9e665a11c0908e7
Instruction ID: 30221885225a14492719738f27eb4a6432d16719f51f518d1d6fc16c37f356ed
Opcode Fuzzy Hash: 89b2567eeb1918d93d7c5d041c1a013c50d8e5626c6b8fc8e9e665a11c0908e7
Instruction Fuzzy Hash: BF119132D04A15AECF212F70AD6565A3BA89F113A0F10C52AF9499E1A1DEF9C94197A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A44531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A44560

Part of subcall function 00A4410D: _memset.LIBCMT ref: 00A4418D
Part of subcall function 00A4410D: _wcscpy.LIBCMT ref: 00A441E1
Part of subcall function 00A4410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A441F1

KillTimer.USER32(?,00000001,?,?), ref: 00A445B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A445C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A7D6CE

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 7f312a8ef2043f19d00dd1025e6dc8a1fa90e693c4eb9a653bc8de45c8639d4f
Instruction ID: 1d1e620a207cb81827aab605a8c3a42983970405d528baadd9214cb00257f630
Opcode Fuzzy Hash: 7f312a8ef2043f19d00dd1025e6dc8a1fa90e693c4eb9a653bc8de45c8639d4f
Instruction Fuzzy Hash: 28210474904784AFEB328B24CC45BE7BBFC9F55308F00809EE29E56281C7745E858B52

Uniqueness

Uniqueness Score: -1.00%

Function 00AB667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AA7B20,?,?,00000000), ref: 00A45B8C
Part of subcall function 00A45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AA7B20,?,?,00000000,?,?), ref: 00A45BB0

gethostbyname.WSOCK32(?,?,?), ref: 00AB66AC
WSAGetLastError.WSOCK32(00000000), ref: 00AB66B7
_memmove.LIBCMT ref: 00AB66E4
inet_ntoa.WSOCK32(?), ref: 00AB66EF

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: be62fc612fe2094c09294b538b9d4e5842add53d14d84680291f10da2401939f
Instruction ID: b4e842ff581491a379d75b9479227e4b41319dd1caca5422892ec5460518a560
Opcode Fuzzy Hash: be62fc612fe2094c09294b538b9d4e5842add53d14d84680291f10da2401939f
Instruction Fuzzy Hash: 07116335900504AFCF04EBA4DE86DEE77BDEF44310B144065F502A7162DF309E15DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A99023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A99043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A99055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A9906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A99086

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7297716099d22e394f633e5c38fba2d577d9a3213904c58bf3d4bbb3d72fe0a9
Instruction ID: dc6cdf609398477057116efcfe8d1a984eaa15fecd29bc57f17f340d7d2563c4
Opcode Fuzzy Hash: 7297716099d22e394f633e5c38fba2d577d9a3213904c58bf3d4bbb3d72fe0a9
Instruction Fuzzy Hash: 9A115E79A01218FFDF10DFA9CD84E9EBBB4FB48310F204095E914B7250D6726E10DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A41290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623

DefDlgProcW.USER32(?,00000020,?), ref: 00A412D8
GetClientRect.USER32(?,?), ref: 00A7B84B
GetCursorPos.USER32(?), ref: 00A7B855
ScreenToClient.USER32(?,?), ref: 00A7B860

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 957d5a00a2e353d8edc96b30836b2fe51c3e1e3c6ce4313773a2bbb5f9d0896d
Instruction ID: 515a91edec1535f12daddcff56d5652ebbb0409011f7aa34b5037b958d460c6a
Opcode Fuzzy Hash: 957d5a00a2e353d8edc96b30836b2fe51c3e1e3c6ce4313773a2bbb5f9d0896d
Instruction Fuzzy Hash: 09114839A00119EFCB00EFA8D985DFE77B9FB45300F104466FA01E7250D770BA928BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AA1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AA01FD,?,00AA1250,?,00008000), ref: 00AA166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00AA01FD,?,00AA1250,?,00008000), ref: 00AA1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AA01FD,?,00AA1250,?,00008000), ref: 00AA169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00AA01FD,?,00AA1250,?,00008000), ref: 00AA16D1

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 3bf57d493c3b950b9ca3e62fe95de6f69614b62d4d0b0ea218ebe5886fcc9f13
Instruction ID: 687b1bb2fc3662883862d2cc7ddfc2109c962963d289662b21d48acb1fe3f1e6
Opcode Fuzzy Hash: 3bf57d493c3b950b9ca3e62fe95de6f69614b62d4d0b0ea218ebe5886fcc9f13
Instruction Fuzzy Hash: 1B111831C00919EBCF00DFE5D948AEEBB78FF0A751F094556EA44F7280CB3095618B96

Uniqueness

Uniqueness Score: -1.00%

Function 00A77207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00A7722B

Part of subcall function 00A77912: __fltout2.LIBCMT ref: 00A7793B

__cftog_l.LIBCMT ref: 00A77251
__cftoe_l.LIBCMT ref: 00A77283

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: dd143dede4959ad2de7cf9ad3fdcb0c8bf20f493db5f7552da0a6eb57ac738f2
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: D3018C7214814ABBCF125F84CC018EE3F22BF29340B08C625FA2C58032C637C9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00ACB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00ACB59E
ScreenToClient.USER32(?,?), ref: 00ACB5B6
ScreenToClient.USER32(?,?), ref: 00ACB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00ACB5F5

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: d4a73e0d6d3f6238e94192ebbdfa2e25119188bbb605a8f8804cf71355678342
Instruction ID: 3c28802edea332cd4b455ee6372cb01c4d84d0a07991b285c6d4ba01ebf88cd8
Opcode Fuzzy Hash: d4a73e0d6d3f6238e94192ebbdfa2e25119188bbb605a8f8804cf71355678342
Instruction Fuzzy Hash: B31146B5D00249EFDB41CFD9C444AEEFBB5FB08310F104166E955E3220D735AA558F50

Uniqueness

Uniqueness Score: -1.00%

Function 00ACB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ACB8FE
_memset.LIBCMT ref: 00ACB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B07F20,00B07F64), ref: 00ACB93C
CloseHandle.KERNEL32 ref: 00ACB94E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: f6d13604bfc3fede9866895670b38f022fd8ff0caa63ac04f7ad29159aff8d9c
Instruction ID: 9db38e55510b98d342edfe1b03a544cf994afa6af34318d16c2a011a12addadc
Opcode Fuzzy Hash: f6d13604bfc3fede9866895670b38f022fd8ff0caa63ac04f7ad29159aff8d9c
Instruction Fuzzy Hash: F4F082B29883817FF6106761AC06FBBBA9CEB18354F014061BB08DA292DF716D0187B8

Uniqueness

Uniqueness Score: -1.00%

Function 00AA6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00AA6E88

Part of subcall function 00AA794E: _memset.LIBCMT ref: 00AA7983

_memmove.LIBCMT ref: 00AA6EAB
_memset.LIBCMT ref: 00AA6EB8
LeaveCriticalSection.KERNEL32(?), ref: 00AA6EC8

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 3e0ddada6597497a3f412e11d51db8e66af5bdb488205fc3d03796fb3d56e9be
Instruction ID: 9a4f8821ece53708c8eb0c60cc2f69c1ece8c45a96425188603af01a359496c7
Opcode Fuzzy Hash: 3e0ddada6597497a3f412e11d51db8e66af5bdb488205fc3d03796fb3d56e9be
Instruction Fuzzy Hash: 67F0543A104210ABCF416F55DD85E8ABB2AEF45320B04C061FE085F266C731A911CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00ACC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A4134D
Part of subcall function 00A412F3: SelectObject.GDI32(?,00000000), ref: 00A4135C
Part of subcall function 00A412F3: BeginPath.GDI32(?), ref: 00A41373
Part of subcall function 00A412F3: SelectObject.GDI32(?,00000000), ref: 00A4139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00ACC030
LineTo.GDI32(00000000,?,?), ref: 00ACC03D
EndPath.GDI32(00000000), ref: 00ACC04D
StrokePath.GDI32(00000000), ref: 00ACC05B

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: ee18db31db2dc9f932ddedb93cbf7e0f08568af4d589c97666b8febef4d8b687
Instruction ID: 0417c5627f6e367334a9e2d892d17f2c7f4003dd7b75ffdc4ca702aff5a5ce27
Opcode Fuzzy Hash: ee18db31db2dc9f932ddedb93cbf7e0f08568af4d589c97666b8febef4d8b687
Instruction Fuzzy Hash: 44F0BE31001219BFDB12AF90AC0AFCE3F5AAF15720F058010FA11610E2C7B50562CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00A9A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A9A3AC
GetCurrentThreadId.KERNEL32 ref: 00A9A3B3
AttachThreadInput.USER32(00000000), ref: 00A9A3BA

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: beb00895be417a8fdf4f5898ee4835d01af3c45aae89600e419cf7f4534965db
Instruction ID: d3ab2f59b88001f6f12daa0ee564d9a81689697e1f1f5ea10e54b966a3f175f8
Opcode Fuzzy Hash: beb00895be417a8fdf4f5898ee4835d01af3c45aae89600e419cf7f4534965db
Instruction Fuzzy Hash: F7E03935241268BEDB209BA2DC0CED77FADEF267A1F018026FA0888060C6718541DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A42218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A42231
SetTextColor.GDI32(?,000000FF), ref: 00A4223B
SetBkMode.GDI32(?,00000001), ref: 00A42250
GetStockObject.GDI32(00000005), ref: 00A42258
GetWindowDC.USER32(?,00000000), ref: 00A7C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A7C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00A7C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00A7C112
GetPixel.GDI32(00000000,?,?), ref: 00A7C132
ReleaseDC.USER32(?,00000000), ref: 00A7C13D

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: a08b4313b69829e8ac3c86a2a4e5d94fba3ea79983250102d016fe00568eeb60
Instruction ID: b594ef5e5da3779ec372fbf8b64b759e17276f3daf4c9724b7ede6f2a6642147
Opcode Fuzzy Hash: a08b4313b69829e8ac3c86a2a4e5d94fba3ea79983250102d016fe00568eeb60
Instruction Fuzzy Hash: 55E03932100244EEDB219FA8FC09BD83B11AB05332F04C37AFB69480E1C7714982DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00A98C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A98C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A9882E), ref: 00A98C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A9882E), ref: 00A98C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A9882E), ref: 00A98C7E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 0876ad7bcaa9e80fffac097708744f1c3cce31926188810b5f37ea3f770ca8e0
Instruction ID: 09166b0010005eabd860d172115844854ce8b03bbad30a8a0efe812f64708823
Opcode Fuzzy Hash: 0876ad7bcaa9e80fffac097708744f1c3cce31926188810b5f37ea3f770ca8e0
Instruction Fuzzy Hash: 06E08676742211EFDB609FF46D0CF963BADEF51B92F064828B645CD040EA388446CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A82187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A82187
GetDC.USER32(00000000), ref: 00A82191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A821B1
ReleaseDC.USER32(?), ref: 00A821D2

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f11459980ab6e14b78afa4e0b8e7f941281b4018c26d6b418212558431deb2a4
Instruction ID: 0f58e903e4c97465cb2036302210a3dd0e3ee3689b903538f5d5a4fae8401917
Opcode Fuzzy Hash: f11459980ab6e14b78afa4e0b8e7f941281b4018c26d6b418212558431deb2a4
Instruction Fuzzy Hash: 8CE01AB5800214EFDB01DFA0C808AAEBFF2EB4C350F128425F95A97360DB3891429F40

Uniqueness

Uniqueness Score: -1.00%

Function 00A8219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A8219B
GetDC.USER32(00000000), ref: 00A821A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A821B1
ReleaseDC.USER32(?), ref: 00A821D2

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f538e6614e0427a5677477a9e0a59a63ac3c50f054bf9e96e9b16f0dc0a48d6c
Instruction ID: 98a52bf904fda6807a4fd6971a7dcdaf00684dcd4dcd873bb5abf06fefbdc79c
Opcode Fuzzy Hash: f538e6614e0427a5677477a9e0a59a63ac3c50f054bf9e96e9b16f0dc0a48d6c
Instruction Fuzzy Hash: 2AE01AB5800204AFCB01DFB0C808A9EBFF2EB4C350F128025F95A97320DB3891429F40

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00A9B981

Strings

Container, xrefs: 00A9B8FE
AutoIt3GUI, xrefs: 00A9B8F9

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: d3cbad646790f273a9f08a1145b3041149f324f95eb893eb839953579108597d
Instruction ID: 4743122b6cc0aaa59e44a7b2ae6337162b3de723800099ee5fa67f3d017ce390
Opcode Fuzzy Hash: d3cbad646790f273a9f08a1145b3041149f324f95eb893eb839953579108597d
Instruction Fuzzy Hash: 1D915B74610201AFDB24DF68D984B6ABBF9FF48710F14856EF94ACB691DB70E841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AAB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5FEC6: _wcscpy.LIBCMT ref: 00A5FEE9

Part of subcall function 00A49997: __itow.LIBCMT ref: 00A499C2
Part of subcall function 00A49997: __swprintf.LIBCMT ref: 00A49A0C

__wcsnicmp.LIBCMT ref: 00AAB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00AAB361

Strings

LPT, xrefs: 00AAB292

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 4532ba61889124f108d7ce24512f97ce3d7ba34c15df6e59416f2c0dd2c6acf0
Instruction ID: 4c0a43f9fb664c5bfe09998da314b14fa1b109fca89d720830ac2f800008d4a0
Opcode Fuzzy Hash: 4532ba61889124f108d7ce24512f97ce3d7ba34c15df6e59416f2c0dd2c6acf0
Instruction Fuzzy Hash: E9618E75A10215AFCF14DF94C981EAEB7B4EF49310F11446AF946AB392DB70AE44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A52AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A52AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A52AE1

Strings

@, xrefs: 00A52AD5

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: dc9dc0a07c818c0139b2abe8733f688c5793f755a4402dbc31383e479542a207
Instruction ID: 64ff4fe46e0236cf3e7265d0995c92e851558bc7cfce8d901270afe3f347b954
Opcode Fuzzy Hash: dc9dc0a07c818c0139b2abe8733f688c5793f755a4402dbc31383e479542a207
Instruction Fuzzy Hash: E55145724187449BD320AF50DC86BABBBE8FFC8310F52885DF1D9811A1DB30853ACB26

Uniqueness

Uniqueness Score: -1.00%

Function 00AA99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A4506B: __fread_nolock.LIBCMT ref: 00A45089

_wcscmp.LIBCMT ref: 00AA9AAE
_wcscmp.LIBCMT ref: 00AA9AC1

Strings

FILE, xrefs: 00AA99FA

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 11cbb1c0aa40339e4d2e3c4866062ee1ad4b7eb0336f7f0a2a36e73093ca2b38
Instruction ID: f690d8a9b13591ab43c3e98922daa9b6faafd871aad67cdd1e6b7febc3f15c14
Opcode Fuzzy Hash: 11cbb1c0aa40339e4d2e3c4866062ee1ad4b7eb0336f7f0a2a36e73093ca2b38
Instruction Fuzzy Hash: AE41C475A00619BBDF209BA4DC45FEFBBB9DF8A710F00047AB904AB1C1DB759A0587A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AB2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00AB28C8

Strings

|, xrefs: 00AB2899

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 832d4637081110eb43309d6baddca2f8a85813eec511de0c55f3895e0c33d1a3
Instruction ID: f4dacf3d8300e738fd19f32ef89b00e1e7bc975c3cb5fb860f481e6505745bf7
Opcode Fuzzy Hash: 832d4637081110eb43309d6baddca2f8a85813eec511de0c55f3895e0c33d1a3
Instruction Fuzzy Hash: 05314B75800119AFCF01EFA1CD85EEEBFB9FF08350F10402AF815A6166EB715A56DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00AC6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00AC6DC2

Strings

static, xrefs: 00AC6D22

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 10f839590cc9dc23185c1c74b1f4a6b1709179266d91f3daea5a64ff3245ae5b
Instruction ID: 73ed551c4b1153f21cceffdcca4a7431ce6506525687207d9e81c1e4644e1196
Opcode Fuzzy Hash: 10f839590cc9dc23185c1c74b1f4a6b1709179266d91f3daea5a64ff3245ae5b
Instruction Fuzzy Hash: 2C316D71210604AEDB11DF68CC81FFB77A9FF48764F11861DF9A697190DA31AC92CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AA2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AA2E3B

Strings

0, xrefs: 00AA2DF9

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 460841d6e1f4327975890615eb385d40bf5c88ca25865b93df47cee67f8ae633
Instruction ID: b9708677ae944f684010c566eac6a377fb2abcbee35af4cc628e74b803bef380
Opcode Fuzzy Hash: 460841d6e1f4327975890615eb385d40bf5c88ca25865b93df47cee67f8ae633
Instruction Fuzzy Hash: D031A531A00309ABEB348F5CD945BAEBFB9EF06350F14446AE985971E1D77099A4CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00AC69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AC69DB

Strings

Combobox, xrefs: 00AC699D

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d4f24f24d04637f160d1467bdc05a0ab047abafd6adcf0795243337b63e942fe
Instruction ID: 91d59dfabe55f13de267514dc9370278a5fb2f1f36f0e07a8f3cb9a927f8cd12
Opcode Fuzzy Hash: d4f24f24d04637f160d1467bdc05a0ab047abafd6adcf0795243337b63e942fe
Instruction Fuzzy Hash: 8411B271600208AFEF11DF54CC80FFB37AAEB993A4F120128F9589B290D6719C9187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A41D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A41D73
Part of subcall function 00A41D35: GetStockObject.GDI32(00000011), ref: 00A41D87
Part of subcall function 00A41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A41D91

GetWindowRect.USER32(00000000,?), ref: 00AC6EE0
GetSysColor.USER32(00000012), ref: 00AC6EFA

Strings

static, xrefs: 00AC6EBD

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: db7492476bb961fbaadaf9f80a1fc47e768d101bffc44bc77eaa381e660201f5
Instruction ID: 316b9bc6ecc6c9379777e2bb9e4778dbba6f5fa5993ac2ffb65b205d9366f85d
Opcode Fuzzy Hash: db7492476bb961fbaadaf9f80a1fc47e768d101bffc44bc77eaa381e660201f5
Instruction Fuzzy Hash: 84212672A1020AAFDB04DFA8DD45EEA7BB9FB08314F01462DFD55E3250E635E8619B60

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00AC6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00AC6C20

Strings

edit, xrefs: 00AC6BF5

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5481392884dfd69e698cfddd4b1b1aaf241a8be31fad0c1dc038968cb38b1018
Instruction ID: 2b4d0eafae8405e3fe20a2fb63f6a7eeb83bd5a8550f08740725b15f18a479b3
Opcode Fuzzy Hash: 5481392884dfd69e698cfddd4b1b1aaf241a8be31fad0c1dc038968cb38b1018
Instruction Fuzzy Hash: A3116671544208AFEB108F649C81FEB3BAAEB14378F224728F965D71E0C775DC91AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AA2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00AA2F30

Strings

0, xrefs: 00AA2F07

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 09976e020036c48ee8808b12f9a613f3ff11551264ea13db10cc490f7bf99434
Instruction ID: 9d1c231e84fa25a7fa475dcd130a66dfce50f4d010724eac841cf4fdd0cdc6b8
Opcode Fuzzy Hash: 09976e020036c48ee8808b12f9a613f3ff11551264ea13db10cc490f7bf99434
Instruction Fuzzy Hash: 0F11B236901214AFDB21EB5CDC44B9D77B9EB16310F1980A5E854A72E0DBB0AD34C791

Uniqueness

Uniqueness Score: -1.00%

Function 00AB24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00AB2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00AB2549

Strings

<local>, xrefs: 00AB2511

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c826ae19fa38e1941f70480b88b50260fa43c72c6d99f8658216c98a3a642f3b
Instruction ID: 0d8a0c2298fc5dd70df3c6cb7d362d8be8d424ceb8e4d1309fc88cd9a1ec0863
Opcode Fuzzy Hash: c826ae19fa38e1941f70480b88b50260fa43c72c6d99f8658216c98a3a642f3b
Instruction Fuzzy Hash: 1011CEB0100225BADB348F518C98FFBFFACFB06351F10822BF90552041D2746941DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00AB80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00AB80C8,?,00000000,?,?), ref: 00AB8322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AB80CB
htons.WSOCK32(00000000,?,00000000), ref: 00AB8108

Strings

255.255.255.255, xrefs: 00AB80E3

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 6b294314cb7e82e062a6a0cbf65f5ae32d7ed49b8aa01263cd64377c42c627c7
Instruction ID: 76fb0d1d17786a5d476f7bd52c437ce1b9750707915ae929df12c18398cb130e
Opcode Fuzzy Hash: 6b294314cb7e82e062a6a0cbf65f5ae32d7ed49b8aa01263cd64377c42c627c7
Instruction Fuzzy Hash: 6311E534600205ABCB10EFA8DC86FFDB379FF04350F108526F91197292DB71A811C691

Uniqueness

Uniqueness Score: -1.00%

Function 00A992E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A47F41: _memmove.LIBCMT ref: 00A47F82

Part of subcall function 00A9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00A9B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A99355

Strings

ComboBox, xrefs: 00A992F4
ListBox, xrefs: 00A9931F

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 7f6a3f14d126593b7d499bb4a5ae352f0290f4861e3313be28f2f6ab6caf5fbc
Instruction ID: 86f9e0aef23905cbd6c8dcaefd558b649ff2cb1b1efa6452fe83c737386da681
Opcode Fuzzy Hash: 7f6a3f14d126593b7d499bb4a5ae352f0290f4861e3313be28f2f6ab6caf5fbc
Instruction Fuzzy Hash: EB019275A05228BB8F04EFA4CD928FF77A9BF46360B14061DB9725B2D2DB31590C8660

Uniqueness

Uniqueness Score: -1.00%

Function 00A991DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A47F41: _memmove.LIBCMT ref: 00A47F82

Part of subcall function 00A9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00A9B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A9924D

Strings

ComboBox, xrefs: 00A991EC
ListBox, xrefs: 00A99217

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 12fb64b32b773de4cfb7f55c2ca9bebaf15c68de091c3b41d720b771a3d9d783
Instruction ID: c25284ad610c536e49255eab5a1db5d168aae13c98d1018c981eba9edc751464
Opcode Fuzzy Hash: 12fb64b32b773de4cfb7f55c2ca9bebaf15c68de091c3b41d720b771a3d9d783
Instruction Fuzzy Hash: 25018475B411187BCF14EBA4CA96EFF77EC9F55340F240029B91267282EB115E0C9672

Uniqueness

Uniqueness Score: -1.00%

Function 00A99264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A47F41: _memmove.LIBCMT ref: 00A47F82

Part of subcall function 00A9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00A9B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00A992D0

Strings

ComboBox, xrefs: 00A99271
ListBox, xrefs: 00A9929C

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 06444cba6ed46d2262c9b5cdb8c5811af5a8c99322dc5f586b928c5ab14f498d
Instruction ID: c6c2829c3696f80292bcd3bab99f70a69545e1790f988d97c1b6d9ee75289ec0
Opcode Fuzzy Hash: 06444cba6ed46d2262c9b5cdb8c5811af5a8c99322dc5f586b928c5ab14f498d
Instruction Fuzzy Hash: 9E016D75B412187BDF04EBA4CA86EFF77ECAF15340F240129B95667282DB215E0C9672

Uniqueness

Uniqueness Score: -1.00%

Function 00AA51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00AA51E8
_wcscmp.LIBCMT ref: 00AA51FA

Strings

#32770, xrefs: 00AA51F4

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 8e40ad1e9da3bc9b23ac0a3311dfd0861b87c58a9f6dcb515d4cdcba61a1ad91
Instruction ID: ea35db4248b802401763cd1565021c7bc062402734c1ead0346f6f9732971d01
Opcode Fuzzy Hash: 8e40ad1e9da3bc9b23ac0a3311dfd0861b87c58a9f6dcb515d4cdcba61a1ad91
Instruction Fuzzy Hash: FFE09B72A0422D2AD710D7959C45FE7F7ACEB55761F000166F914D3050E96099458BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00A981BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A981CA

Part of subcall function 00A63598: _doexit.LIBCMT ref: 00A635A2

Strings

AutoIt, xrefs: 00A981BE
Error allocating memory., xrefs: 00A981C3

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 947fdb9f8a148f341203dfce357fc5a3c8e183c864500083454c9688e65244b5
Instruction ID: d47b1acb2acb63935c2923e44956d5eac41495ede5a6ddfda751032f723b9bd6
Opcode Fuzzy Hash: 947fdb9f8a148f341203dfce357fc5a3c8e183c864500083454c9688e65244b5
Instruction Fuzzy Hash: 35D02B323C035836D61033E42D07FC639884B05F12F000422BB09951D38DD5489242D9

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A7B564: _memset.LIBCMT ref: 00A7B571

Part of subcall function 00A60B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A7B540,?,?,?,00A4100A), ref: 00A60B89

IsDebuggerPresent.KERNEL32(?,?,?,00A4100A), ref: 00A7B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A4100A), ref: 00A7B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A7B54E

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: a55a871ce3155a2d7ed999caba909231825499acdec92d3cecf8c352b99968e3
Instruction ID: 1748b477f0bceb8095d217d4f5e612ca2e721d70839212e3f6267cb5f6d7b85d
Opcode Fuzzy Hash: a55a871ce3155a2d7ed999caba909231825499acdec92d3cecf8c352b99968e3
Instruction Fuzzy Hash: BEE06DB02107508FD320DF69E904B427BE4AF00708F00C92CE44AC7250DBB8D445CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC5BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AC5BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00AC5C08

Part of subcall function 00AA54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AA555E

Strings

Shell_TrayWnd, xrefs: 00AC5BEE

Memory Dump Source

Source File: 00000000.00000002.1284872708.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000000.00000002.1284532617.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000ACF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285016062.0000000000AF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285078926.0000000000AFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B0A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285099614.0000000000B18000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a40000_Purchase Confirmation 003-23 170204.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3195e327320041cf8ff624912a7e9662381d359ba212e70f45cd3a3835f8f07a
Instruction ID: ce536006f1d5268d8971375374d55c619c501b7d7be60d12c2e8e6a26050fafa
Opcode Fuzzy Hash: 3195e327320041cf8ff624912a7e9662381d359ba212e70f45cd3a3835f8f07a
Instruction Fuzzy Hash: B1D01231788315BBE774FBB0AC0FFE76A15BB15B51F020C35B759AA1D0DAE85801C658

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase Confirmation 003-23 170204.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autF49E.tmp

C:\Users\user\AppData\Local\Temp\autF4DE.tmp

C:\Users\user\AppData\Local\Temp\teer

C:\Users\user\AppData\Local\Temp\wherefore

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Purchase Confirmation 003-23 170204.exe

Function 00A43B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00A44AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00A44FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00AA93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00A43015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00A43041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00A471EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00A43A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00A43633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00A43778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 014E2640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00A439E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 014E2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
fileCOMMON

Function 00A4410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00A6564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre