Edit tour

Windows Analysis Report
Payment 23832 Proforma INV Bank Confirmation.exe

Overview

General Information

Sample name:	Payment 23832 Proforma INV Bank Confirmation.exe
Analysis ID:	1467151
MD5:	8b3b3ed278e65b96d71837e6f3eb929e
SHA1:	05c4b9758039065014ad6fc38b87f29cafa0c357
SHA256:	694510429baee227b94e5a0614b349c003acda14807ab07caaa2ec2a8562c465
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Payment 23832 Proforma INV Bank Confirmation.exe (PID: 5492 cmdline: "C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe" MD5: 8B3B3ED278E65B96D71837E6F3EB929E)

RegSvcs.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kxnlaos.com", "Username": "khounxai@kxnlaos.com", "Password": "eDe~fz;Cy0{W"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33553:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335dd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3366f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336d9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3374b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33871:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.3227771380.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3226977191.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3226977191.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3227771380.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3227771380.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Payment 23832 Proforma INV Bank Confirmation.exe PID: 5492	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Payment 23832 Proforma INV Bank Confirmation.exe PID: 5492	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6688	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6688	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33553:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335dd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3366f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336d9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3374b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33871:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31753:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317dd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3186f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318d9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3194b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a71:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33553:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335dd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3366f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336d9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3374b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33871:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 192.185.113.233, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6688, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kxnlaos.com", "Username": "khounxai@kxnlaos.com", "Password": "eDe~fz;Cy0{W"}

Multi AV Scanner detection for submitted file

Source: Payment 23832 Proforma INV Bank Confirmation.exe

ReversingLabs: Detection: 32%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Payment 23832 Proforma INV Bank Confirmation.exe

Joe Sandbox ML: detected

Source: Payment 23832 Proforma INV Bank Confirmation.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000003.1998488731.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000003.1998972039.0000000003C50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000003.1998488731.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000003.1998972039.0000000003C50000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E54696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00E54696
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E5C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00E5C9C7
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E5C93C FindFirstFileW,FindClose,	0_2_00E5C93C
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E5F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E5F200
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E5F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E5F35D
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E5F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E5F65E
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E53A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E53A2B
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E53D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E53D4E
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E5BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E5BF27

Source: Joe Sandbox View

IP Address: 192.185.113.233 192.185.113.233

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E625E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00E625E2

Source: global traffic

DNS traffic detected: DNS query: mail.kxnlaos.com

Source: RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://kxnlaos.com
Source: RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.kxnlaos.com
Source: RegSvcs.exe, 00000002.00000002.3227421201.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0%
Source: RegSvcs.exe, 00000002.00000002.3227421201.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: RegSvcs.exe, 00000002.00000002.3227421201.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.3227421201.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226977191.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack, SKTzxzsJw.cs

.Net Code: eu8qMsYVgZ

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E6425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard,

0_2_00E6425A

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E64458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,_wcscpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00E64458

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

0_2_00E6425A

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E50219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00E50219

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E7CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00E7CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00DF3B4C
Source: Payment 23832 Proforma INV Bank Confirmation.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b3d3ec0e-2
Source: Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0a6278f6-d

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment 23832 Proforma INV Bank Confirmation.exe

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00DF3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00DF3633
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7C27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_00E7C27C
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7C220 NtdllDialogWndProc_W,	0_2_00E7C220
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7C49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_00E7C49C
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7C788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_00E7C788
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7C8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_00E7C8EE
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7C86D SendMessageW,NtdllDialogWndProc_W,	0_2_00E7C86D
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7CBF9 NtdllDialogWndProc_W,	0_2_00E7CBF9
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7CBAE NtdllDialogWndProc_W,	0_2_00E7CBAE
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7CB7F NtdllDialogWndProc_W,	0_2_00E7CB7F
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7CB50 NtdllDialogWndProc_W,	0_2_00E7CB50
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7CC2E ClientToScreen,NtdllDialogWndProc_W,	0_2_00E7CC2E
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00E7CDAC
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7CD6C GetWindowLongW,NtdllDialogWndProc_W,	0_2_00E7CD6C
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00DF1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_00DF1290
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00DF1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745AC8D0,NtdllDialogWndProc_W,	0_2_00DF1287
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00DF16DE GetParent,NtdllDialogWndProc_W,	0_2_00DF16DE
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7D6C6 NtdllDialogWndProc_W,	0_2_00E7D6C6
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00DF16B5 NtdllDialogWndProc_W,	0_2_00DF16B5
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00DF167D NtdllDialogWndProc_W,	0_2_00DF167D
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7D74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_00E7D74C
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00DF189B NtdllDialogWndProc_W,	0_2_00DF189B
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7DA9A NtdllDialogWndProc_W,	0_2_00E7DA9A
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7BF4D NtdllDialogWndProc_W,CallWindowProcW,	0_2_00E7BF4D

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E540B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00E540B1

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E48858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74B05590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00E48858

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E5545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00E5545F

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00DFE800	0_2_00DFE800
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E1DBB5	0_2_00E1DBB5
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7804A	0_2_00E7804A
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00DFE060	0_2_00DFE060
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E04140	0_2_00E04140
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E12405	0_2_00E12405
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E26522	0_2_00E26522
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E70665	0_2_00E70665
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E2267E	0_2_00E2267E
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E06843	0_2_00E06843
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E1283A	0_2_00E1283A
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E289DF	0_2_00E289DF
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E70AE2	0_2_00E70AE2
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E26A94	0_2_00E26A94
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E08A0E	0_2_00E08A0E
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E4EB07	0_2_00E4EB07
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E58B13	0_2_00E58B13
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E1CD61	0_2_00E1CD61
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E27006	0_2_00E27006
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E03190	0_2_00E03190
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E0710E	0_2_00E0710E
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00DF1287	0_2_00DF1287
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E133C7	0_2_00E133C7
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E1F419	0_2_00E1F419
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E116C4	0_2_00E116C4
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E05680	0_2_00E05680
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E058C0	0_2_00E058C0
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E178D3	0_2_00E178D3
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E11BB8	0_2_00E11BB8
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E29D05	0_2_00E29D05
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00DFFE40	0_2_00DFFE40
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E1BFE6	0_2_00E1BFE6
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E11FD0	0_2_00E11FD0
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_014C35F0	0_2_014C35F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01049378	2_2_01049378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01049B38	2_2_01049B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01044A98	2_2_01044A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01043E80	2_2_01043E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0104CEC8	2_2_0104CEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010441C8	2_2_010441C8

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: String function: 00E10D27 appears 70 times
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: String function: 00DF7F41 appears 35 times
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: String function: 00E18B40 appears 42 times

Source: Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000003.1998266329.0000000003D3D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment 23832 Proforma INV Bank Confirmation.exe
Source: Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6dbae33d-1778-4128-aa7f-321a948e6032.exe4 vs Payment 23832 Proforma INV Bank Confirmation.exe
Source: Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000003.1998146945.0000000003B93000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment 23832 Proforma INV Bank Confirmation.exe

Source: Payment 23832 Proforma INV Bank Confirmation.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E5A2D5 GetLastError,FormatMessageW,

0_2_00E5A2D5

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E48713 AdjustTokenPrivileges,CloseHandle,		0_2_00E48713
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E48CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00E48CC3

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E5B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00E5B59E

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E6F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00E6F121

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00DF4FE9 FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00DF4FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

File created: C:\Users\user\AppData\Local\Temp\aut2F74.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payment 23832 Proforma INV Bank Confirmation.exe

ReversingLabs: Detection: 32%

Source: unknown	Process created: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe "C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe"
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe"
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000003.1998488731.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000003.1998972039.0000000003C50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000003.1998488731.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000003.1998972039.0000000003C50000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00EFA050 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00EFA050

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E18B85 push ecx; ret		0_2_00E18B98
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E7F84D pushfd ; iretd		0_2_00E7F84E

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	File created: \payment 23832 proforma inv bank confirmation.exe
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	File created: \payment 23832 proforma inv bank confirmation.exe			Jump to behavior

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00DF4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00DF4A35
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E755FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00E755FD

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E133C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00E133C7

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

API/Special instruction interceptor: Address: 14C3214

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4845			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 741			Jump to behavior

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-99622

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

API coverage: 4.8 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E54696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00E54696
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E5C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00E5C9C7
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E5C93C FindFirstFileW,FindClose,	0_2_00E5C93C
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E5F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E5F200
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E5F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E5F35D
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E5F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E5F65E
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E53A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E53A2B
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E53D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E53D4E
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E5BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E5BF27

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00DF4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00DF4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99192	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98385	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97841	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97729	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3229205264.0000000005E70000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	API call chain: ExitProcess graph end node	graph_0-98361
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	API call chain: ExitProcess graph end node	graph_0-101298
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	API call chain: ExitProcess graph end node	graph_0-99218

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E641FD BlockInput,

0_2_00E641FD

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00DF3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00DF3B4C

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E25CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_00E25CCC

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00EFA050 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00EFA050

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_014C34E0 mov eax, dword ptr fs:[00000030h]	0_2_014C34E0
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_014C3480 mov eax, dword ptr fs:[00000030h]	0_2_014C3480
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_014C1E70 mov eax, dword ptr fs:[00000030h]	0_2_014C1E70

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E481F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00E481F7

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E1A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00E1A395
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E1A364 SetUnhandledExceptionFilter,		0_2_00E1A364

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B66008

Jump to behavior

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E48C93 LogonUserW,

0_2_00E48C93

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00DF3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00DF3B4C

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00DF4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00DF4A35

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E54EF5 mouse_event,

0_2_00E54EF5

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

0_2_00E481F7

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E54C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00E54C03

Source: Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Payment 23832 Proforma INV Bank Confirmation.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E1886B cpuid

0_2_00E1886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E250D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00E250D7

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E32230 GetUserNameW,

0_2_00E32230

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00E2418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00E2418A

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

Code function: 0_2_00DF4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00DF4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3227771380.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226977191.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3227771380.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment 23832 Proforma INV Bank Confirmation.exe PID: 5492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6688, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Payment 23832 Proforma INV Bank Confirmation.exe	Binary or memory string: WIN_81
Source: Payment 23832 Proforma INV Bank Confirmation.exe	Binary or memory string: WIN_XP
Source: Payment 23832 Proforma INV Bank Confirmation.exe	Binary or memory string: WIN_XPe
Source: Payment 23832 Proforma INV Bank Confirmation.exe	Binary or memory string: WIN_VISTA
Source: Payment 23832 Proforma INV Bank Confirmation.exe	Binary or memory string: WIN_7
Source: Payment 23832 Proforma INV Bank Confirmation.exe	Binary or memory string: WIN_8
Source: Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226977191.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3227771380.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment 23832 Proforma INV Bank Confirmation.exe PID: 5492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6688, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment 23832 Proforma INV Bank Confirmation.exe.14d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3227771380.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3226977191.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3227771380.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment 23832 Proforma INV Bank Confirmation.exe PID: 5492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6688, type: MEMORYSTR

Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E66596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00E66596
Source: C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe	Code function: 0_2_00E66A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00E66A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	21 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment 23832 Proforma INV Bank Confirmation.exe	32%	ReversingLabs	Win32.Trojan.Strab
Payment 23832 Proforma INV Bank Confirmation.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://r3.o.lencr.org0	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://mail.kxnlaos.com	0%	Avira URL Cloud	safe
http://r3.i.lencr.org/0%	0%	Avira URL Cloud	safe
http://kxnlaos.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kxnlaos.com	192.185.113.233	true	true		unknown
mail.kxnlaos.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.o.lencr.org0	RegSvcs.exe, 00000002.00000002.3227421201.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005E70000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://kxnlaos.com	RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226977191.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.kxnlaos.com	RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	RegSvcs.exe, 00000002.00000002.3227421201.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005ED3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	RegSvcs.exe, 00000002.00000002.3227421201.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005ED3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r3.i.lencr.org/0%	RegSvcs.exe, 00000002.00000002.3227421201.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.185.113.233	kxnlaos.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467151
Start date and time:	2024-07-03 19:03:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment 23832 Proforma INV Bank Confirmation.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 60 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 6688 because it is empty
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Payment 23832 Proforma INV Bank Confirmation.exe

Simulations

Behavior and APIs

Time	Type	Description
13:03:53	API Interceptor	27x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
192.185.113.233	PO#2356662.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.32415.20698.exe	Get hash	malicious	AgentTesla	Browse
	RF301123-M1 Quotation.exe	Get hash	malicious	AgentTesla	Browse
	BID DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse
	BID DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse
	DHL Package Documents clearance.exe	Get hash	malicious	AgentTesla	Browse
	PO REF#70439 (RCP).exe	Get hash	malicious	AgentTesla	Browse
	Bank_Payment Confirmation Ref_287422.exe	Get hash	malicious	AgentTesla	Browse
	Bank_Payment Confirmation-pdf.exe	Get hash	malicious	AgentTesla	Browse
	Payment_Bank Comfirmation.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	#Uc804#Uc790(#Uc138#Uae08)#Uacc4#Uc0b0#Uc11c 2024-06-20.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.214.52.30
	Quotation.xls	Get hash	malicious	Remcos	Browse	192.185.89.92
	Cuentas bancarias y cdigo ##Swift incorrecto.xla.xlsx	Get hash	malicious	AgentTesla	Browse	192.185.89.92
	Art_Spec. 4008670601 AZTEK Order _ 7.3.2024.exe	Get hash	malicious	FormBook	Browse	192.185.208.8
	Ship particulars.xls	Get hash	malicious	Unknown	Browse	192.185.89.92
	spec 4008670601 AZTEK Order.exe	Get hash	malicious	FormBook	Browse	192.185.208.8
	https://mail.pfl.fyi/v1/messages/0190749a-2f6a-7c9f-b37a-88f0ae969ede/click?link_id=0190749a-2ffa-7f41-ad16-3ecda235df51&signature=3e892faf1c0137166fda82e5ff5c6a3150c2cec9	Get hash	malicious	HTMLPhisher	Browse	162.144.36.99
	GJRX21GBj3.exe	Get hash	malicious	FormBook	Browse	108.179.193.98
	MUdeeReQ5R.exe	Get hash	malicious	FormBook	Browse	162.240.81.18
	kZa81nzREg.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63

Process:	C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe
File Type:	data
Category:	dropped
Size (bytes):	142830
Entropy (8bit):	7.934564520965479
Encrypted:	false
SSDEEP:	3072:8LWvm7j8n5dxBD9WL4Tio/CfRtqtIr5ZHuuiOFMrwUkrC+:8V25dQuio/YRotIvliOFEwUkrC+
MD5:	752862748E9910EDC0CFF9FE279E7CC1
SHA1:	AD3AF62EEB034CC2EF80A3FDF00EC56C341D0E93
SHA-256:	2F6215C65806514FC555669D8D87E877D6A3C5237F8EC9BD8A9B8AAFADA6046C
SHA-512:	312AB37580E7C518456C9E5A9511EF5FAD192A57F0384B528A0A7798723940A88B8C470DB65EED45739BD889D3B2F4D808348DE36AE8EE97DCEC089031BCA371
Malicious:	false
Reputation:	low
Preview:	EA06......9S.=6mG..f.}..Z....I..aw.R(...nf...N..4.U..I....`h....9.....$..3..R.<.+.......4.K.....g.K..+...P..'f...Q...=7........Qg....H.Vf4J(....z-jcd.4?4 .r.F.D@.J,.4.4.$.su......."...+.j<..i.Q.R..\H.4;..M+Q....5...._7F.M...}...e.sA...v........O$r(.is..h...s#G....a.M.Vi...'...',@.!B..3t ._..."Z%.ID..G..@..5d..........A.~:.&....N4jl...L..k...2.'(........e}<.'..x.S/Tz...g.T;t...E....7ju.E....H\|.w..........Q23..g..w.8...E...=?...N.SZ.z)N.O...#.m.\".;.+.1.x.}.g..U..Ou....E......N.Z`[>....VeQy...6..!5......P.S`....y<X.6.."....]N.U...z}...H...mG.~..K.0...X..#...x.@..n....H..\.[1H..u...rX.h[........O..O.gB..Dh..v.W:...c.v..........\,.S#...+.......@..........=..U6.E"....H.P'.)....h..Z\|.<...u.%.z.m<VnU.c.......P.....n.n8....R7 ..4.4.....6.c..h.....&..+..m.Q...h.Y$....FlQx..X...boE.Qf....kZ......;..+S...GW..fT....O.Sf.8..a7..c..E.IE..f.z..@....bkX.P...%..y.<)S..B7Z..g.u.v.J...TJl..s..f.....1..m5.=.M...+%..<.3&.x-{q[...lF(..Z(...% ..*....

C:\Users\user\AppData\Local\Temp\aut2FF2.tmp

Download File

Process:	C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe
File Type:	data
Category:	dropped
Size (bytes):	9808
Entropy (8bit):	7.6012931767698
Encrypted:	false
SSDEEP:	192:65jwEiqEH1WgUJuzJkecGgJo7xocBkJLDPutbW7pvXyUCswX:I6qEHYV0eecGGo7xocBmLDPutqpLCBX
MD5:	74206FE77DDBAB5D9AE143A3CAEDE98A
SHA1:	901DE72C1D6C0A0663E71D3AE612539C22F7CD30
SHA-256:	B1FCF734BF1D7C2576849660D343CAF515A5996FE2297700963EBD299235B670
SHA-512:	655CB07F62C4E4A961FFA8413798B0C4AF413A89DBFAA1E44BDDD7D564310CC7298E49F29D9C2D677505004E5F1CB0C8D803DFFB67F8D0B8250B9C32EE36D406
Malicious:	false
Reputation:	low
Preview:	EA06..pT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........\|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.\|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.\|........}S{....7...\| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i\|v)....b.h.,@..%........9....c...\|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@

C:\Users\user\AppData\Local\Temp\dews

Download File

Process:	C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe
File Type:	ASCII text, with very long lines (28756), with no line terminators
Category:	dropped
Size (bytes):	28756
Entropy (8bit):	3.5868943154659036
Encrypted:	false
SSDEEP:	768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbd+IH6B34vfF3if6gyCW:miTZ+2QoioGRk6ZklputwjpjBkCiw2RR
MD5:	C8592C89D4127999A89CF6BFF88A95A9
SHA1:	57CD58748AC5E7E1738B555E5AD1E5064E42F8B4
SHA-256:	912FF714D21641F51953E204EF0823340AE0D94EBBBE4B194EB9E319ED211FA5
SHA-512:	109D91356BAEFFF2234D2BFACB1AF676CAC90A233D9FD8CF46140A36D0CB7691AFD2D881D2AF514B87DCFFC8B4CCCFA6016413A6E04138940031B635740AD585
Malicious:	false
Reputation:	low
Preview:	8D6804F867D7E3ED21599F86932DA5673082A29A59B06B261C54E6F1DF089BBB368C973697738FDC880x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffff

C:\Users\user\AppData\Local\Temp\syphilous

Download File

Process:	C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe
File Type:	data
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	6.569493979329327
Encrypted:	false
SSDEEP:	6144:4kGW1uxnzJA+NSzWWbMtX65S4YhzzTMeXi3yNuGurdLabqdzcvvy:4kb1uxnzJA+NubO65S4YhHoeXmyTWhau
MD5:	4F8834335CDB525405B5002862B7402C
SHA1:	98910F7B6189803CF109309C60EB23568F2A0958
SHA-256:	E680014A8588B1579C790EDC5B0E49821ECA92F3598B7D9D5D0F421733C4C052
SHA-512:	10DF7CD0B37B7A201686CBD6DBC04A610B698D5FFAB10A8A49642B7636C8FFC0E86B59226476439E9B165DEE3A9C35B1FD9425259C5729DFF0F332AB77925B71
Malicious:	false
Reputation:	low
Preview:	...1GM6G=A07..FZ.DM6G9A0wZHFZ1DM6G9A07ZHFZ1DM6G9A07ZHFZ1DM6G.A07TW.T1.D.f.@\|.{..3Bd=D(^3QZz+'4_+9.%\aBB4h/4...egT.TRtEKP.DM6G9A0g.HF.0GM..g'07ZHFZ1D.6E8J1<ZH.Y1DE6G9A07t.EZ1dM6G.B07Z.FZ.DM6E9A47ZHFZ1DI6G9A07ZHF^1DO6G9A07XH..1D]6G)A07ZXFZ!DM6G9A 7ZHFZ1DM6G9..4Z.FZ1D.5G.D07ZHFZ1DM6G9A07ZHFZ.GM:G9A07ZHFZ1DM6G9A07ZHFZ1DM6G9A07ZHFZ1DM6G9A07ZHFZ1DM6g9A87ZHFZ1DM6G9I.7Z.FZ1DM6G9A07t<#"EDM6s.B07zHFZ.GM6E9A07ZHFZ1DM6G9a07:f4)C'M6G.D07Z.EZ1BM6G.B07ZHFZ1DM6G9Ap7Z.h(T("UG9M07ZH.Y1DO6G9.37ZHFZ1DM6G9A0wZH.Z1DM6G9A07ZHFZ1D].D9A07Z.FZ1FM3G..27.xGZ2DM6F9A67ZHFZ1DM6G9A07ZHFZ1DM6G9A07ZHFZ1DM6G9A07ZHFZ1DM6Z......x.LzGT@.g.P.K.."..O.vNq".3R....;.....}=@.xD.9w...>...D.E3>8.....~::5C^.Nn?V.U..m.p.3y..14.<..3..WG..s....g..uNDi.......Y. @G6-h.P",D..C.6ZHFZ.....^"..w2KS.UA.....rHI...?07Z,FZ16M6GXA07.HFZ^DM6)9A0IZHF$1DMpG9Ap7ZHqZ1Dh6G9,07ZlFZ1:M6G.<?8...3B.6G9A0...v.\....v..~7.O./...T...._b.B^.N.\|p..H../..Pk6...A[7@H4@=B<.T....eO2C<C73YD{Tz...f.g..c..@....C.L7ZHFZ1.M6.9A0..H.Z1D.6.9..7ZH.1.M.G...7

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.922011842190505
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	Payment 23832 Proforma INV Bank Confirmation.exe
File size:	557'056 bytes
MD5:	8b3b3ed278e65b96d71837e6f3eb929e
SHA1:	05c4b9758039065014ad6fc38b87f29cafa0c357
SHA256:	694510429baee227b94e5a0614b349c003acda14807ab07caaa2ec2a8562c465
SHA512:	fcc44e56acbc33e9df6f7da0c25385b88dd5ea467f63d65cde09c638f34ecf5592ae86bc1dd787cec8432fe9d351fc98b289ec34d07851f5ad60201436041537
SSDEEP:	12288:RYV6MorX7qzuC3QHO9FQVHPF51jgcrAklT3FXPLyqGXN9Ep:mBXu9HGaVHX9tlOPEp
TLSH:	45C412C54FE2D97AC49433B4D43BEC5048602872CAE93B6983A9F52EF836743D45366A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x50a050
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6685287A [Wed Jul 3 10:31:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fc6683d30d9f25244a50fd5357825e79

Entrypoint Preview

Instruction
pushad
mov esi, 004B4000h
lea edi, dword ptr [esi-000B3000h]
push edi
jmp 00007FDCE4E0F7FDh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FDCE4E0F7F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FDCE4E0F7DFh
mov eax, 00000001h
add ebx, ebx
jne 00007FDCE4E0F7F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FDCE4E0F7FDh
jne 00007FDCE4E0F81Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FDCE4E0F811h
dec eax
add ebx, ebx
jne 00007FDCE4E0F7F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FDCE4E0F7C6h
add ebx, ebx
jne 00007FDCE4E0F7F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FDCE4E0F844h
xor ecx, ecx
sub eax, 03h
jc 00007FDCE4E0F803h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FDCE4E0F867h
sar eax, 1
mov ebp, eax
jmp 00007FDCE4E0F7FDh
add ebx, ebx
jne 00007FDCE4E0F7F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FDCE4E0F7BEh
inc ecx
add ebx, ebx
jne 00007FDCE4E0F7F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FDCE4E0F7B0h
add ebx, ebx
jne 00007FDCE4E0F7F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FDCE4E0F7E1h
jne 00007FDCE4E0F7FBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FDCE4E0F7D6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007FDCE4E0F800h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13c31c	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10b000	0x3131c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13c740	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x10a234	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xb3000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xb4000	0x57000	0x56400	95dcbc30fa216c3853986192f83f1c3a	False	0.9872367527173913	data	7.9354146255257145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10b000	0x32000	0x31800	24a8ba3397d20eca6f39fa0aaffaacfc	False	0.8975151909722222	data	7.823843212517907	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x10b5ac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x10b6d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x10b804	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x10b930	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0x10bc1c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0x10bd48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0x10cbf4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0x10d4a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0x10da0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0x10ffb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0x111064	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	1.1375
RT_STRING	0xce4f0	0x594	data	English	Great Britain	1.007703081232493
RT_STRING	0xcea84	0x68a	data	English	Great Britain	1.0065710872162486
RT_STRING	0xcf110	0x490	data	English	Great Britain	1.009417808219178
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	1.0071801566579635
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	1.0067567567567568
RT_STRING	0xd01f8	0x466	data	English	Great Britain	1.0097690941385435
RT_STRING	0xd0660	0x158	data	English	Great Britain	1.0319767441860466
RT_RCDATA	0x1114d0	0x2a8b2	data			1.0003500556645892
RT_GROUP_ICON	0x13bd88	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x13be04	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x13be1c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x13be34	0x14	data	English	Great Britain	1.25
RT_VERSION	0x13be4c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x13bf2c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 19:03:55.131206036 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:55.136063099 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:55.136145115 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:55.687971115 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:55.689174891 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:55.694051027 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:55.803217888 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:55.803450108 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:55.808444023 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:55.923984051 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:55.930491924 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:55.935251951 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:56.058921099 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:56.059082985 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:56.059092045 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:56.059130907 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:56.059243917 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:56.059287071 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:56.093348026 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:56.098098993 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:56.206748962 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:56.220026970 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:56.224832058 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:56.334017038 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:56.335086107 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:56.339829922 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:56.450093031 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:56.451180935 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:56.455935955 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:57.119856119 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:57.120161057 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:57.126578093 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:57.233721018 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:57.234057903 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:57.240338087 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:57.401705980 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:57.402081966 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:57.406841993 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:57.515492916 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:57.516287088 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:57.516331911 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:57.516351938 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:57.516371965 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:03:57.521181107 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:57.521192074 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:57.521207094 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:57.521214962 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:57.650441885 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:03:57.700941086 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:05:34.732952118 CEST	49704	587	192.168.2.5	192.185.113.233
Jul 3, 2024 19:05:34.738217115 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:05:34.847104073 CEST	587	49704	192.185.113.233	192.168.2.5
Jul 3, 2024 19:05:34.853358984 CEST	49704	587	192.168.2.5	192.185.113.233

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 19:03:54.716974974 CEST	61535	53	192.168.2.5	1.1.1.1
Jul 3, 2024 19:03:55.122143030 CEST	53	61535	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 19:03:54.716974974 CEST	192.168.2.5	1.1.1.1	0xba15	Standard query (0)	mail.kxnlaos.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 19:03:55.122143030 CEST	1.1.1.1	192.168.2.5	0xba15	No error (0)	mail.kxnlaos.com	kxnlaos.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 19:03:55.122143030 CEST	1.1.1.1	192.168.2.5	0xba15	No error (0)	kxnlaos.com		192.185.113.233	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 3, 2024 19:03:55.687971115 CEST	587	49704	192.185.113.233	192.168.2.5	220-honcho.websitewelcome.com ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:03:55 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 19:03:55.689174891 CEST	49704	587	192.168.2.5	192.185.113.233	EHLO 980108
Jul 3, 2024 19:03:55.803217888 CEST	587	49704	192.185.113.233	192.168.2.5	250-honcho.websitewelcome.com Hello 980108 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 19:03:55.803450108 CEST	49704	587	192.168.2.5	192.185.113.233	STARTTLS
Jul 3, 2024 19:03:55.923984051 CEST	587	49704	192.185.113.233	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	13:03:51
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe"
Imagebase:	0xdf0000
File size:	557'056 bytes
MD5 hash:	8B3B3ED278E65B96D71837E6F3EB929E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:03:52
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe"
Imagebase:	0x860000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3227771380.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3226977191.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3226977191.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3227771380.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3227771380.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	4.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	60

Executed Functions

Function 00DF3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DF3B7A
IsDebuggerPresent.KERNEL32 ref: 00DF3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00EB62F8,00EB62E0,?,?), ref: 00DF3BFD

Part of subcall function 00DF7D2C: _memmove.LIBCMT ref: 00DF7D66

Part of subcall function 00E00A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DF3C26,00EB62F8,?,?,?), ref: 00E00ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00DF3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00EA93F0,00000010), ref: 00E2D4BC
SetCurrentDirectoryW.KERNEL32(?,00EB62F8,?,?,?), ref: 00E2D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00EA5D40,00EB62F8,?,?,?), ref: 00E2D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00E2D581

Part of subcall function 00DF3A58: GetSysColorBrush.USER32(0000000F), ref: 00DF3A62
Part of subcall function 00DF3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00DF3A71
Part of subcall function 00DF3A58: LoadIconW.USER32(00000063), ref: 00DF3A88
Part of subcall function 00DF3A58: LoadIconW.USER32(000000A4), ref: 00DF3A9A
Part of subcall function 00DF3A58: LoadIconW.USER32(000000A2), ref: 00DF3AAC
Part of subcall function 00DF3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DF3AD2
Part of subcall function 00DF3A58: RegisterClassExW.USER32(?), ref: 00DF3B28

Part of subcall function 00DF39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DF3A15
Part of subcall function 00DF39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DF3A36
Part of subcall function 00DF39E7: ShowWindow.USER32(00000000,?,?), ref: 00DF3A4A
Part of subcall function 00DF39E7: ShowWindow.USER32(00000000,?,?), ref: 00DF3A53

Part of subcall function 00DF43DB: _memset.LIBCMT ref: 00DF4401
Part of subcall function 00DF43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DF44A6

Strings

This is a third-party compiled AutoIt script., xrefs: 00E2D4B4
runas, xrefs: 00E2D575
%, xrefs: 00DF3C56

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%
API String ID: 529118366-3343222573
Opcode ID: c588d70a1368b459752e4c44b12e87983b25723f7042ac91226104fb7932075a
Instruction ID: 0cee6cac7c26cb722f60352239334b2e35d39323c22794460cadcbd4230fc79c
Opcode Fuzzy Hash: c588d70a1368b459752e4c44b12e87983b25723f7042ac91226104fb7932075a
Instruction Fuzzy Hash: 9151143090824CAEDF11EBB5EC06AFE7B78EF45300B068165F655B61A2CA749A49CB31

Function 00DF3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00DF36D2
KillTimer.USER32(?,00000001), ref: 00DF36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DF371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00DF372A
CreatePopupMenu.USER32 ref: 00DF373E
PostQuitMessage.USER32(00000000), ref: 00DF375F

Strings

TaskbarCreated, xrefs: 00DF3725
%, xrefs: 00E2D2D1, 00E2D31F

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated$%
API String ID: 157504867-3835587964
Opcode ID: 29bad85cc748b71b34f6ba9f419af547a492dbd3b0020905beec589de42de978
Instruction ID: d15aff9300e91c88b610e0ebb881c58d1f9c6ce7b3bc4d5198f977efcf455fd3
Opcode Fuzzy Hash: 29bad85cc748b71b34f6ba9f419af547a492dbd3b0020905beec589de42de978
Instruction Fuzzy Hash: 8941F5B220410DBFDB18BB68EC0AB7A3795EB40301F175229F742F62E1DA64DE549271

Function 00DF4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00DF4B2B

Part of subcall function 00DF7D2C: _memmove.LIBCMT ref: 00DF7D66

GetCurrentProcess.KERNEL32(?,00E7FAEC,00000000,00000000,?), ref: 00DF4BF8
IsWow64Process.KERNEL32(00000000), ref: 00DF4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00DF4C45
FreeLibrary.KERNEL32(00000000), ref: 00DF4C50
GetSystemInfo.KERNEL32(00000000), ref: 00DF4C81
GetSystemInfo.KERNEL32(00000000), ref: 00DF4C8D

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: c9b8f62718868c4be29871af268778718c5df80fd6eaa5257cc8e81e6d65cbe5
Instruction ID: db1bccb7f51c17ff5cd911aeda7ae910d4b28c6e3149314c5e6aa5a12b093a7e
Opcode Fuzzy Hash: c9b8f62718868c4be29871af268778718c5df80fd6eaa5257cc8e81e6d65cbe5
Instruction Fuzzy Hash: 7291C53154E7C8DEC731CB6894611BBFFE4AF25310B499D9ED1CB93A42D220E948C729

Function 00DF4FE9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00DF4EEE,?,?,00000000,00000000), ref: 00DF5010
LoadResource.KERNEL32(?,00000000,?,?,00DF4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DF4F8F), ref: 00E2DD60
SizeofResource.KERNEL32(?,00000000,?,?,00DF4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DF4F8F), ref: 00E2DD75
LockResource.KERNEL32(00DF4EEE,?,?,00DF4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DF4F8F,00000000), ref: 00E2DD88

Strings

SCRIPT, xrefs: 00DF5006

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SCRIPT
API String ID: 3473537107-3967369404
Opcode ID: 99e1ebe2d7a7e9b5842e5fb0bbc11ac6fde5faf16d23072ba8d426f5cc2800f9
Instruction ID: 6d7245792d74fa947995c5ac8f692fb757e9844dfd1a56449d48a2c4bf049dc5
Opcode Fuzzy Hash: 99e1ebe2d7a7e9b5842e5fb0bbc11ac6fde5faf16d23072ba8d426f5cc2800f9
Instruction Fuzzy Hash: 45115E75200704AFD7218B66EC58F677BB9EBC9B12F248168FA09D6260DF61EC448670

Function 00EFA050 Relevance: 7.7, APIs: 5, Instructions: 206librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00EFA18A
GetProcAddress.KERNEL32(?,00EF3FF9), ref: 00EFA1A8
ExitProcess.KERNEL32(?,00EF3FF9), ref: 00EFA1B9
VirtualProtect.KERNELBASE(00DF0000,00001000,00000004,?,00000000), ref: 00EFA207
VirtualProtect.KERNELBASE(00DF0000,00001000), ref: 00EFA21C

Memory Dump Source

Source File: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 3cbc56f6ed6e8e85c69b46493ad5b6d9683749562986af08681b62d706364433
Instruction ID: 0115a89387891dabc5f3036747dcfd78f2135b9a00d70e41175225a1e6fbc0af
Opcode Fuzzy Hash: 3cbc56f6ed6e8e85c69b46493ad5b6d9683749562986af08681b62d706364433
Instruction Fuzzy Hash: CF514AF265521A4BD7204E78ECC02B07794EB51324F2D1738D7E9EF3C6EBA458058762

Function 00DFE800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dt, xrefs: 00DFEC21
Dt, xrefs: 00E33F58
Dt, xrefs: 00E33F1F
Variable must be of type 'Object'., xrefs: 00E3428C
Dt, xrefs: 00DFEC1A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID: Dt$Dt$Dt$Dt$Variable must be of type 'Object'.
API String ID: 0-3952547859
Opcode ID: d6ae2012cbfbaca6c5f2ecc485945359927817e6a8f8da511995b2cce5595b69
Instruction ID: 1735e653afcda8c3818ff6d7ecd242a33185cd44a4f74186b1754142071b5442
Opcode Fuzzy Hash: d6ae2012cbfbaca6c5f2ecc485945359927817e6a8f8da511995b2cce5595b69
Instruction Fuzzy Hash: 45A26D75A04209CFCB14CF58C480ABAB7B1FF48304F2AC169EA56AB361D775ED45CBA1

Function 00E54696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00E2E7C1), ref: 00E546A6
FindFirstFileW.KERNELBASE(?,?), ref: 00E546B7
FindClose.KERNEL32(00000000), ref: 00E546C7

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: c94fc09f09bb4c27afa833d3fa5af518f73f80a210495798f5413f8caecbc24b
Instruction ID: 01d30e8fe5aff4435c3c31ca21d27ef6f0ba9b9585efe005e5388a3f8bcb5b16
Opcode Fuzzy Hash: c94fc09f09bb4c27afa833d3fa5af518f73f80a210495798f5413f8caecbc24b
Instruction Fuzzy Hash: F7E0D8714144006F4210A738EC4D8EA775C9F0633AF100B15FD39E20F0E7F059D88695

Function 00E00B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E00BBB
timeGetTime.WINMM ref: 00E00E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E00FB3
TranslateMessage.USER32(?), ref: 00E00FC7
DispatchMessageW.USER32(?), ref: 00E00FD5
Sleep.KERNEL32(0000000A), ref: 00E00FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00E0105A
DestroyWindow.USER32 ref: 00E01066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E01080
Sleep.KERNEL32(0000000A,?,?), ref: 00E352AD
TranslateMessage.USER32(?), ref: 00E3608A
DispatchMessageW.USER32(?), ref: 00E36098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E360AC

Strings

@TRAY_ID, xrefs: 00E35BB9
@GUI_CTRLID, xrefs: 00E35364
pr, xrefs: 00E35BDE
@GUI_CTRLHANDLE, xrefs: 00E3540E
pr, xrefs: 00E3542D
@GUI_WINHANDLE, xrefs: 00E353B9
pr, xrefs: 00E35383
@COM_EVENTOBJ, xrefs: 00E3591A
pr, xrefs: 00E353D8

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr$pr$pr$pr
API String ID: 4003667617-1825247661
Opcode ID: 5a0a8d5978f379b12954552d7b268e20f62faac808c8419b50f9c0cbfe900ca1
Instruction ID: b54ea38d008363387ce047a5feb92998066b9cf281a5258e95fdea86079c3d3c
Opcode Fuzzy Hash: 5a0a8d5978f379b12954552d7b268e20f62faac808c8419b50f9c0cbfe900ca1
Instruction Fuzzy Hash: 36B2C471608741DFD728DF24C888BAABBE5FF84308F14591DE599A7391CB70E884CB92

Function 00E593DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E591E9: __time64.LIBCMT ref: 00E591F3

Part of subcall function 00DF5045: _fseek.LIBCMT ref: 00DF505D

__wsplitpath.LIBCMT ref: 00E594BE

Part of subcall function 00E1432E: __wsplitpath_helper.LIBCMT ref: 00E1436E

_wcscpy.LIBCMT ref: 00E594D1
_wcscat.LIBCMT ref: 00E594E4
__wsplitpath.LIBCMT ref: 00E59509
_wcscat.LIBCMT ref: 00E5951F
_wcscat.LIBCMT ref: 00E59532

Part of subcall function 00E5922F: _memmove.LIBCMT ref: 00E59268
Part of subcall function 00E5922F: _memmove.LIBCMT ref: 00E59277

_wcscmp.LIBCMT ref: 00E59479

Part of subcall function 00E599BE: _wcscmp.LIBCMT ref: 00E59AAE
Part of subcall function 00E599BE: _wcscmp.LIBCMT ref: 00E59AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E596DC
_wcsncpy.LIBCMT ref: 00E5974F
DeleteFileW.KERNEL32(?,?), ref: 00E59785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E5979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E597AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E597BE

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: a0f14ee1f0651bcff1911f1ba9ffcde6c6307432a7d7964e26b61a706d717fff
Instruction ID: 4c1b051a79e01075783f363b29a66e0ca4774c176cd7ce8103434693a81df73d
Opcode Fuzzy Hash: a0f14ee1f0651bcff1911f1ba9ffcde6c6307432a7d7964e26b61a706d717fff
Instruction Fuzzy Hash: 1FC13CB1900219AEDF11DF95CC85EDEB7BDEF49300F0054AAF609F6152EB709A888F65

Function 00DF71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DF4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00EB62F8,?,00DF37C0,?), ref: 00DF4882

Part of subcall function 00E1074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00DF72C5), ref: 00E10771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00DF7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E2ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E2ED32
RegCloseKey.ADVAPI32(?), ref: 00E2ED70
_wcscat.LIBCMT ref: 00E2EDC9

Strings

\, xrefs: 00E2EDEC
\Include\, xrefs: 00DF72C5
Include, xrefs: 00E2ECE8, 00E2ED29
Software\AutoIt v3\AutoIt, xrefs: 00DF72FE

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: dd75c7a4753e7cf2228f42d689afc5a0e4b2647e0faaddd3fb46a90fcefb87af
Instruction ID: b63b925f99c814a655a461c55f65119e1dd6d186c2ff5f8cb41dff7a87a9f050
Opcode Fuzzy Hash: dd75c7a4753e7cf2228f42d689afc5a0e4b2647e0faaddd3fb46a90fcefb87af
Instruction Fuzzy Hash: 6A7183B14083159EC714EF66EC819ABB7E8FF98340F45552EF585B32B0DB709948CBA1

Function 00DF3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DF3A62
LoadCursorW.USER32(00000000,00007F00), ref: 00DF3A71
LoadIconW.USER32(00000063), ref: 00DF3A88
LoadIconW.USER32(000000A4), ref: 00DF3A9A
LoadIconW.USER32(000000A2), ref: 00DF3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DF3AD2
RegisterClassExW.USER32(?), ref: 00DF3B28

Part of subcall function 00DF3041: GetSysColorBrush.USER32(0000000F), ref: 00DF3074
Part of subcall function 00DF3041: RegisterClassExW.USER32(00000030), ref: 00DF309E
Part of subcall function 00DF3041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00DF30AF
Part of subcall function 00DF3041: LoadIconW.USER32(000000A9), ref: 00DF30F2

Strings

AutoIt v3, xrefs: 00DF3B17
0, xrefs: 00DF3B06
#, xrefs: 00DF3B0D

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 8244543d7f8f83b89b8a121d2ce896986473fd01658910baf496fc1f5f2cec68
Instruction ID: 2400422e1bc8f6b8800e7d2eb75910e611499790815a2629c0cc890e9a184caa
Opcode Fuzzy Hash: 8244543d7f8f83b89b8a121d2ce896986473fd01658910baf496fc1f5f2cec68
Instruction Fuzzy Hash: 07212171D10308AFEB15DFA6EC05BAE7BB4FB08711F00422AF604B62B0D7B95A588F54

Function 00DF3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 00DF3834
b, xrefs: 00E2D44E
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00DF37C0
CMDLINERAW, xrefs: 00DF380D
/ErrorStdOut, xrefs: 00DF388F
/AutoIt3ExecuteScript, xrefs: 00DF38CE
/AutoIt3ExecuteLine, xrefs: 00DF38B9
/AutoIt3OutputDebug, xrefs: 00DF38A4

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b
API String ID: 1825951767-3834736419
Opcode ID: 166475f752af21b7ea1fe484abf4b2797ed38a26bb66c6b461f8ae3f45804289
Instruction ID: 55273c63e5cf0c98ef7a5634a69193d7faa78b0eb63c5397a8358c5900d5e39f
Opcode Fuzzy Hash: 166475f752af21b7ea1fe484abf4b2797ed38a26bb66c6b461f8ae3f45804289
Instruction Fuzzy Hash: 00A14C7191022D9ADB04EBA0DC91AFEB778FF14300F468529F616B7191DB74AA49CB70

Function 00DF3015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DF3074
RegisterClassExW.USER32(00000030), ref: 00DF309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00DF30AF
LoadIconW.USER32(000000A9), ref: 00DF30F2

Strings

AutoIt v3 GUI, xrefs: 00DF3090
0, xrefs: 00DF3056
+, xrefs: 00DF305D
TaskbarCreated, xrefs: 00DF30A4

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 278d9be07f36fc01abbf2d48195c802c6959621782ee24325b41bdff9c8765e3
Instruction ID: ffa318119743dbc40c21a4d5835a266dcc4353b6588ed9b76d458e4f1553b04c
Opcode Fuzzy Hash: 278d9be07f36fc01abbf2d48195c802c6959621782ee24325b41bdff9c8765e3
Instruction Fuzzy Hash: E2313871845309EFDB01CFA5EC85ADABBF4FB09310F10862AE554B62A0D3B90589CF90

Function 00DF3041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DF3074
RegisterClassExW.USER32(00000030), ref: 00DF309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00DF30AF
LoadIconW.USER32(000000A9), ref: 00DF30F2

Strings

AutoIt v3 GUI, xrefs: 00DF3090
0, xrefs: 00DF3056
+, xrefs: 00DF305D
TaskbarCreated, xrefs: 00DF30A4

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 84fb91b729f7a663e94f3d00c41b44491829ac07f9c1dc3b17efe2cfe0c8026e
Instruction ID: 1facc8c751997f88d3410c0aaa7d3d3026cdb88c2d8f7d2f04fa84a4c8331199
Opcode Fuzzy Hash: 84fb91b729f7a663e94f3d00c41b44491829ac07f9c1dc3b17efe2cfe0c8026e
Instruction Fuzzy Hash: F121C9B1950218AFDF04DF95EC49B9EBBF4FB08710F00822AF514B62A0D7B54588CF95

Function 00DFF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E103A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E103D3
Part of subcall function 00E103A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E103DB
Part of subcall function 00E103A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E103E6
Part of subcall function 00E103A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E103F1
Part of subcall function 00E103A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E103F9
Part of subcall function 00E103A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E10401

Part of subcall function 00E06259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00E062B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00DFFB2D
OleInitialize.OLE32(00000000), ref: 00DFFBAA
CloseHandle.KERNEL32(00000000), ref: 00E349F2

Strings

\d, xrefs: 00DFF957
c, xrefs: 00DFF94B
%, xrefs: 00DFF8F6, 00DFF908, 00DFFACE, 00DFFBB1
<g, xrefs: 00DFFA90

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID: <g$\d$%$c
API String ID: 3094916012-619945097
Opcode ID: 235da9d2132c1eca8efad9e856cc1c61c74803e057928bc9e25221e3f9c08f1b
Instruction ID: c4690c2a4e88064ffc323252f61ea1c670a937835b93fd018189e61e218ad3fd
Opcode Fuzzy Hash: 235da9d2132c1eca8efad9e856cc1c61c74803e057928bc9e25221e3f9c08f1b
Instruction Fuzzy Hash: 3D81BCB1901A508FC794EF2BE9566677BE4FB88308310963AD128F7272EB39444D8F61

Function 014C25D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 014C26A1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 014C28C7

Memory Dump Source

Source File: 00000000.00000002.2001647116.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: ad74f10d360e3cfdfbac26dc49a1360405065fed0a5a7766db880da7408e6aab
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: D4A11A78E01209EBDB54CFA4C994FEEBBB5BF48704F10815EE501BB290D7B59A41CB64

Function 00DF39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DF3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DF3A36
ShowWindow.USER32(00000000,?,?), ref: 00DF3A4A
ShowWindow.USER32(00000000,?,?), ref: 00DF3A53

Strings

edit, xrefs: 00DF3A30
AutoIt v3, xrefs: 00DF3A0D, 00DF3A12, 00DF3A13

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3718a9f356e7679145cf7d5cd53d6ce07ef35d0a42ec6767d1509a7a6a91d1d0
Instruction ID: 0e57dba942f2a52cf399caa9628368959c1302b5167c26580fae37407be9aa20
Opcode Fuzzy Hash: 3718a9f356e7679145cf7d5cd53d6ce07ef35d0a42ec6767d1509a7a6a91d1d0
Instruction Fuzzy Hash: 80F0DA716412907EFA3157276C49E772E7DD7C6F50B00422AFA04B6270C6A91855DAB0

Function 014C23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 141
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 014C22A0: Sleep.KERNELBASE(000001F4), ref: 014C22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014C24C5

Strings

HFZ1DM6G9A07Z, xrefs: 014C2528, 014C252B

Memory Dump Source

Source File: 00000000.00000002.2001647116.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CreateFileSleep
String ID: HFZ1DM6G9A07Z
API String ID: 2694422964-1925664152
Opcode ID: 2e6168a27b15c33f93eee1df7b10573ac4473e88a83042084bea170d3fe25c03
Instruction ID: 83e983d2569e34e82164787cd8ebd453fa13f6a3bff78dd637ef6acfd710711a
Opcode Fuzzy Hash: 2e6168a27b15c33f93eee1df7b10573ac4473e88a83042084bea170d3fe25c03
Instruction Fuzzy Hash: 9C517E34D14249EBEF11DBE4C814BEFBB79AF18700F00419AE209BB2D0D6B91B45CBA5

Function 00DF410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E2D5EC

Part of subcall function 00DF7D2C: _memmove.LIBCMT ref: 00DF7D66

_memset.LIBCMT ref: 00DF418D
_wcscpy.LIBCMT ref: 00DF41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DF41F1

Strings

Line: , xrefs: 00E2D615

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 7613587278933ad9e6ba733702e77c2d40550e8ed8be6105ab4c0e8ab4c6c858
Instruction ID: 7441415a9f4a5c7751440eab7417de04a45ae480a796bff65e30711e85d520c2
Opcode Fuzzy Hash: 7613587278933ad9e6ba733702e77c2d40550e8ed8be6105ab4c0e8ab4c6c858
Instruction Fuzzy Hash: 3631B3710083189EE721EB60EC45FEB77E8AF55300F15861EF295A20A1EB74A648C7B6

Function 00E1564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E156AB
_memcpy_s.LIBCMT ref: 00E1571D
__read_nolock.LIBCMT ref: 00E1577B
__filbuf.LIBCMT ref: 00E1579E
_memset.LIBCMT ref: 00E157E2

Part of subcall function 00E18D68: __getptd_noexit.LIBCMT ref: 00E18D68

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: c43f1bda45d39a0553cc38a20102f1f5c3880e2b42c3399b36ba8f62eb5bc185
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 9251B372A00B05DFDB249F79C8856EE77A5AF80324F64972AF835B62D0D7709DD08B80

Function 00DF69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00DF4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00EB62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DF4F6F

_free.LIBCMT ref: 00E2E68C
_free.LIBCMT ref: 00E2E6D3

Part of subcall function 00DF6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00DF6D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00E2E462
Bad directive syntax error, xrefs: 00E2E6BB

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: ac1fd1a5a0db2232e039d40df4d9fc62ba25bfd69416503d336800e11247cb1a
Instruction ID: 5207fe9298b0244aea691a7f5f2db65cf32a75299995d7d4300af5cac969a02c
Opcode Fuzzy Hash: ac1fd1a5a0db2232e039d40df4d9fc62ba25bfd69416503d336800e11247cb1a
Instruction Fuzzy Hash: A8918D71910229AFCF04EFA4E8919EDB7B4FF18314F14946AF915BB291EB30A945CB60

Function 00DF35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00DF35A1,SwapMouseButtons,00000004,?), ref: 00DF35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00DF35A1,SwapMouseButtons,00000004,?,?,?,?,00DF2754), ref: 00DF35F5
RegCloseKey.KERNELBASE(00000000,?,?,00DF35A1,SwapMouseButtons,00000004,?,?,?,?,00DF2754), ref: 00DF3617

Strings

Control Panel\Mouse, xrefs: 00DF35D2

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f6d1b6b9ff74f834a5f465b076e696d531ba66f3069fa1c7a26488ee76039487
Instruction ID: 32ba80a2f5ed131cb4ced65aec5ca90a1c363a290fcdc3713b7b33bab66cb3f9
Opcode Fuzzy Hash: f6d1b6b9ff74f834a5f465b076e696d531ba66f3069fa1c7a26488ee76039487
Instruction Fuzzy Hash: 1811457161020CBFDF20CF65DC80ABEBBB8EF04740F028469E909E7210E271DE449BA0

Function 014C12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014C1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014C1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014C1B13

Memory Dump Source

Source File: 00000000.00000002.2001647116.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction ID: 925c54d579a1ea1dec91644853404be93a58463598985ef9d518e7ae7af72c58
Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction Fuzzy Hash: B5620B34A14258DBEB64DFA4C840BDEB372EF58700F1091A9D10DEB3A1E7769E81CB59

Function 00E597E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00DF5045: _fseek.LIBCMT ref: 00DF505D

Part of subcall function 00E599BE: _wcscmp.LIBCMT ref: 00E59AAE
Part of subcall function 00E599BE: _wcscmp.LIBCMT ref: 00E59AC1

_free.LIBCMT ref: 00E5992C
_free.LIBCMT ref: 00E59933
_free.LIBCMT ref: 00E5999E

Part of subcall function 00E12F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00E19C64), ref: 00E12FA9
Part of subcall function 00E12F95: GetLastError.KERNEL32(00000000,?,00E19C64), ref: 00E12FBB

_free.LIBCMT ref: 00E599A6

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: bd09bdac5beaec4cc3d9343970fcd6a4382209195a4070354b3e77bf68f73af6
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: C55161B1904258EFDF249F64DC45AEEBBB9EF48300F00449EB609B7242DB315A94CF69

Function 00E1493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E149D0
__flush.LIBCMT ref: 00E149F0
__write.LIBCMT ref: 00E14A23
__flsbuf.LIBCMT ref: 00E14A51

Part of subcall function 00E18D68: __getptd_noexit.LIBCMT ref: 00E18D68

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 4fae192645ec0fa681e63638cbd1ec943ddd48b85d5c35af0317a5e079e6c8e1
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 4541C5F16006069BDB18CE69C8809EF77A6EF84364B24A17DE855A77C0E7719DC08B44

Function 00DF4DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DF4E1A

Strings

EA06, xrefs: 00E2DCF5
AU3!P/, xrefs: 00DF4E14

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/$EA06
API String ID: 4104443479-182974850
Opcode ID: dc9cf930e6ee8ab95f21f5dbbdd34cb8ee69b816cea690c23aed1242db032e16
Instruction ID: dad628907d9213083d702d0b5e4f7b2c8746002cdbcf02ef3e087a607d7bbd7c
Opcode Fuzzy Hash: dc9cf930e6ee8ab95f21f5dbbdd34cb8ee69b816cea690c23aed1242db032e16
Instruction Fuzzy Hash: B5415D32A0415C5BDF119B649C527BF7FA5EF05300F6EC065FF82AB286D5619E8483B1

Function 00DF73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E2EE62
7516D0D0.COMDLG32(?), ref: 00E2EEAC

Part of subcall function 00DF48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DF48A1,?,?,00DF37C0,?), ref: 00DF48CE

Part of subcall function 00E109D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E109F4

Strings

X, xrefs: 00E2EE7A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: NamePath$7516FullLong_memset
String ID: X
API String ID: 3926756254-3081909835
Opcode ID: ec89091aff0e0f67535518f790edec1406fa6050d66744164216ca645dd81a23
Instruction ID: 00d425671d5d2e3cee8b2a1a8994050abf98818955ef2f9c961c23cfe611bc93
Opcode Fuzzy Hash: ec89091aff0e0f67535518f790edec1406fa6050d66744164216ca645dd81a23
Instruction Fuzzy Hash: 4A21A131A0025C9BCB11DF94DC45BFE7BF8AF49304F00805AE509BB242DBB459898FA1

Function 00E5901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E59036
__fread_nolock.LIBCMT ref: 00E5904B

Strings

EA06, xrefs: 00E5907D

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 58177dff9ba039adf8db78fe548e047f0241359ad15251cb650c863a87c4dd21
Instruction ID: b4f65ae035c4c2067615354aa7743bb8fa1a096b809a6c212c64713732a60dc8
Opcode Fuzzy Hash: 58177dff9ba039adf8db78fe548e047f0241359ad15251cb650c863a87c4dd21
Instruction Fuzzy Hash: 4501F972C04258AEDB28C6A8C856EEE7BF8DB05301F00459AF552E2181E5B5A608CB60

Function 00E10FF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E1594C: __FF_MSGBANNER.LIBCMT ref: 00E15963
Part of subcall function 00E1594C: __NMSG_WRITE.LIBCMT ref: 00E1596A
Part of subcall function 00E1594C: RtlAllocateHeap.NTDLL(01520000,00000000,00000001), ref: 00E1598F

std::exception::exception.LIBCMT ref: 00E1102C
__CxxThrowException@8.LIBCMT ref: 00E11041

Part of subcall function 00E187DB: RaiseException.KERNEL32(?,?,00000000,00EABAF8,?,00000001,?,?,?,00E11046,00000000,00EABAF8,00DF9FEC,00000001), ref: 00E18830

Strings

bad allocation, xrefs: 00E11021

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: de73dfc1905ce451a1b144f40e0da548de5e03926f6f23e1f7308c521dc181f2
Instruction ID: b106f030bd7d464a0630931428ed808a418722cc92478c3f98180425d903fa1e
Opcode Fuzzy Hash: de73dfc1905ce451a1b144f40e0da548de5e03926f6f23e1f7308c521dc181f2
Instruction Fuzzy Hash: D1F0283590034DA6CB20BA68ED029EF7BEC9F04350F10206AFA08B61C1DFB18AC0D2D0

Function 00E59B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNELBASE(00000104,?), ref: 00E59B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E59B99

Strings

aut, xrefs: 00E59B93

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 2dde86afedd1f544f12d0f2f3719f5649ed99ed940c936017a04e3b6527de3ba
Instruction ID: 2587cd1861a8f2792c31c58970cf61e247e2198d136222ced4877afd4d46befb
Opcode Fuzzy Hash: 2dde86afedd1f544f12d0f2f3719f5649ed99ed940c936017a04e3b6527de3ba
Instruction Fuzzy Hash: FFD05B7554030DAFDB10DB90DC0DF9A776CD704701F0041B1FE54A50B2EEB055D98B91

Function 00E6CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe0f05c3c6d89d1e7f2e96c738461df1d5cbda7b74aae988acaf1fbe2c89107
Instruction ID: d74a01a066213312f3fb6f9898fdf4b4a311ea4eb6062d06a94def9e921ff50c
Opcode Fuzzy Hash: 6fe0f05c3c6d89d1e7f2e96c738461df1d5cbda7b74aae988acaf1fbe2c89107
Instruction Fuzzy Hash: 05F16870A083059FC714DF28C890A6ABBE5FF88354F54992EF899AB351D730E945CF92

Function 00DF43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DF4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DF44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00DF44C3

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: abf17293283fc209df16e6a03e899287be528e3f858cca67307b36b2b1baabe2
Instruction ID: 11b942431fea2226b8688114db5dd38473a38fe657eda2b79577146592be08b5
Opcode Fuzzy Hash: abf17293283fc209df16e6a03e899287be528e3f858cca67307b36b2b1baabe2
Instruction Fuzzy Hash: 9D3184705047059FD721DF35D8847A7BBE4FB48304F044A2EF69AA3250D7B5A948CBA2

Function 00E1594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00E15963

Part of subcall function 00E1A3AB: __NMSG_WRITE.LIBCMT ref: 00E1A3D2
Part of subcall function 00E1A3AB: __NMSG_WRITE.LIBCMT ref: 00E1A3DC

__NMSG_WRITE.LIBCMT ref: 00E1596A

Part of subcall function 00E1A408: GetModuleFileNameW.KERNEL32(00000000,00EB43BA,00000104,00000000,00000001,00000000), ref: 00E1A49A
Part of subcall function 00E1A408: ___crtMessageBoxW.LIBCMT ref: 00E1A548

Part of subcall function 00E132DF: ___crtCorExitProcess.LIBCMT ref: 00E132E5
Part of subcall function 00E132DF: ExitProcess.KERNEL32 ref: 00E132EE

Part of subcall function 00E18D68: __getptd_noexit.LIBCMT ref: 00E18D68

RtlAllocateHeap.NTDLL(01520000,00000000,00000001), ref: 00E1598F

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: d9396c84ce43117cfe21d20f8de244d38a639f5caacfecb4fbcafd206f99a4e1
Instruction ID: c51ac2e623567c0ea13f6a48c8e9d400bd227ef2eda3683c6a509c1096230c71
Opcode Fuzzy Hash: d9396c84ce43117cfe21d20f8de244d38a639f5caacfecb4fbcafd206f99a4e1
Instruction Fuzzy Hash: 0F01D672201716DEE6113B35EC42AEE72D89FC1734F502136F420BA1D1DA709DC18662

Function 00E59B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00E597D2,?,?,?,?,?,00000004), ref: 00E59B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E597D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00E59B5B
CloseHandle.KERNEL32(00000000,?,00E597D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E59B62

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: d63b30c5d122e9f098b896b11f666cf17e58c2bed86155d5cd2d59e6418fce0c
Instruction ID: e6d9fb50e6197f7bf8a5b8aa504e3d2cd3866dafff62863887f472ddd4eda32f
Opcode Fuzzy Hash: d63b30c5d122e9f098b896b11f666cf17e58c2bed86155d5cd2d59e6418fce0c
Instruction Fuzzy Hash: 12E08632581214FBE7215B65EC09FCA7B58AB05765F104220FB58790E187B125559798

Function 00E58F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E58FA5

Part of subcall function 00E12F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00E19C64), ref: 00E12FA9
Part of subcall function 00E12F95: GetLastError.KERNEL32(00000000,?,00E19C64), ref: 00E12FBB

_free.LIBCMT ref: 00E58FB6
_free.LIBCMT ref: 00E58FC8

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: 509d229c25660b8e58e4cb1948c0c55e8934f978b00feacf3ce560fb28fce120
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 2AE0C2B130C7004ACE20A538BE04AC317EF0F4C316B082C0DBA0AFB142CE20E8928034

Function 00DFAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00E3002B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 22cd98746103f60224261031139345d39dd0a58684ab74f6ef3b0da2edf26507
Instruction ID: b66b380e389d28f0dbb328a7d9c629042cb26995cc38866a0b679443fc19362f
Opcode Fuzzy Hash: 22cd98746103f60224261031139345d39dd0a58684ab74f6ef3b0da2edf26507
Instruction Fuzzy Hash: 0C226A70508345CFC724DF18C494B6ABBE1BF84304F1AC95DE99A9B262D731EC85CB92

Function 00DF7A84 Relevance: 3.1, APIs: 2, Instructions: 119COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DF7B0D
_memmove.LIBCMT ref: 00E2F009

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 94d4751bcf77ed02d179e8d2c13277ac55910fe424fe6e9b1d3577abebbbef57
Instruction ID: 3cb3f70fe6efb5b05cd161a77b87faefaddb5c97855a1ac4cfaea8c81163877a
Opcode Fuzzy Hash: 94d4751bcf77ed02d179e8d2c13277ac55910fe424fe6e9b1d3577abebbbef57
Instruction Fuzzy Hash: 3D41F571B00615EBDB04DF65E842ABDFBB4FF09300F22816AE015E7251EF30A9A0D791

Function 00DF492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

745AC8D0.UXTHEME ref: 00DF4992

Part of subcall function 00E135AC: __lock.LIBCMT ref: 00E135B2
Part of subcall function 00E135AC: RtlDecodePointer.NTDLL(00000001), ref: 00E135BE
Part of subcall function 00E135AC: RtlEncodePointer.NTDLL(?), ref: 00E135C9

Part of subcall function 00DF4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00DF4A73
Part of subcall function 00DF4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DF4A88

Part of subcall function 00DF3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DF3B7A
Part of subcall function 00DF3B4C: IsDebuggerPresent.KERNEL32 ref: 00DF3B8C
Part of subcall function 00DF3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00EB62F8,00EB62E0,?,?), ref: 00DF3BFD
Part of subcall function 00DF3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00DF3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DF49D2

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
String ID:
API String ID: 2688871447-0
Opcode ID: 9bbbd4664a03a11bfe0f02dffd85d514485e348e809f6309c4a083bd9b396762
Instruction ID: 4c1039da880407effb525c61738722b9e94414c8d572ae8d587ae985b51d24a8
Opcode Fuzzy Hash: 9bbbd4664a03a11bfe0f02dffd85d514485e348e809f6309c4a083bd9b396762
Instruction Fuzzy Hash: D011C0719183059FC700DF2ADC0592BFBE8EF84710F00861EF594A72B1DB708958CBA1

Function 00DF5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00DF5981,?,?,?,?), ref: 00DF5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00DF5981,?,?,?,?), ref: 00E2E19C

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ee0fc6be0ad1dc6f6df952be6128e2fbf0bc7503417ec7738f7ac2348a5c3348
Instruction ID: fc44f6a8f7563b1e23df03938d1c5b7de134a9dd6259cf11043f4e846c107322
Opcode Fuzzy Hash: ee0fc6be0ad1dc6f6df952be6128e2fbf0bc7503417ec7738f7ac2348a5c3348
Instruction Fuzzy Hash: 16018470244618BEF3244E14DC86F763A9CAB01768F14C318BBE56A1D0C6B05E958B60

Function 00E1582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E1585C
__lock_file.LIBCMT ref: 00E1587D

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: b11b94a8843a3dd9608d0f3aed2b54e237624318d40f54051231b766022cc90c
Instruction ID: 842916ac6b97ee5bfa73c1890bc4f92a45f6447ca8cbd7f4006daa1269250178
Opcode Fuzzy Hash: b11b94a8843a3dd9608d0f3aed2b54e237624318d40f54051231b766022cc90c
Instruction Fuzzy Hash: E8018872800608EBCF11AF698D029DE7BA1AF85360F145225B8247A161DB318A91DB91

Function 00E155D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E18D68: __getptd_noexit.LIBCMT ref: 00E18D68

__lock_file.LIBCMT ref: 00E1561B

Part of subcall function 00E16E4E: __lock.LIBCMT ref: 00E16E71

__fclose_nolock.LIBCMT ref: 00E15626

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 03bf23a8e9ba9c4b97a59d37a3a627d5cc56137399897e47a3370a5b491fb7f9
Instruction ID: c4eef39930d0e9dfcf184cae60b1b532fceadcbd7baf9d82afd64225156f3a0f
Opcode Fuzzy Hash: 03bf23a8e9ba9c4b97a59d37a3a627d5cc56137399897e47a3370a5b491fb7f9
Instruction Fuzzy Hash: 59F0B473904B04DAD720AF758902BEE77E16F81334F65A209A425BB1C1CFBC8EC19B95

Function 00DF81C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00DF558F,?,?,?,?,?), ref: 00DF81DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00DF558F,?,?,?,?,?), ref: 00DF820D

Part of subcall function 00DF78AD: _memmove.LIBCMT ref: 00DF78E9

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: cc7939b202ae565793a08a6ead2d3de05ebe737b07372e27be899bc16da04477
Instruction ID: ad77ab87943954dff02f5583c3bbd4913b26cd6778371e87cb1f8d4921210675
Opcode Fuzzy Hash: cc7939b202ae565793a08a6ead2d3de05ebe737b07372e27be899bc16da04477
Instruction Fuzzy Hash: F001A231205108BFEB246B25DD46FBB7B5CEB89760F10803AFE05DD191DE20D840D671

Function 014C129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014C1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014C1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014C1B13

Memory Dump Source

Source File: 00000000.00000002.2001647116.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: 626334d6ff8b7b8c2d8c013496f5cf1304af68b2dbbcce3e3175e8d90e5635dc
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: 8412CD24E24658C6EB24DF64D8507DEB232EF68700F1090ED910DEB7A5E77A4E81CF5A

Function 00E02123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e5bcc8b21581eaec5dc24117029310e7b66dce4014e56f68f1e7dbaff1ecf4
Instruction ID: a459b31d78aa1ecc94c4798590abf4cafdaf2cc3a44fd98575559763460d87c8
Opcode Fuzzy Hash: f9e5bcc8b21581eaec5dc24117029310e7b66dce4014e56f68f1e7dbaff1ecf4
Instruction Fuzzy Hash: 14518E35600604ABCF14EB64C995FBE77E6EF85314F15D0A8FA06BB292CA30ED40DB61

Function 00DF5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00DF5CF6

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 498d257e9279c4a2a7c8315c027b3423cd86af1cdbfdc2ea3860fcbc4dae05c1
Instruction ID: f48e386114c5cebe440577b569bb1dde3b773c5dc56dac409e81148dfb5e3f64
Opcode Fuzzy Hash: 498d257e9279c4a2a7c8315c027b3423cd86af1cdbfdc2ea3860fcbc4dae05c1
Instruction Fuzzy Hash: 12315C31A00B19AFCB18DF2DE884A6DB7B1FF48310F15C629DA1997714D731A960DBA0

Function 00E300D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00E300E1

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 597e2a752ea8137e960bb4c04dfc9f8fa83a9f2d6eb4d28bd5ff3a0d9891bda9
Instruction ID: 51f96e0031db8384ff1fea3ae721a336ecfac966437eb63a86c39244465cde68
Opcode Fuzzy Hash: 597e2a752ea8137e960bb4c04dfc9f8fa83a9f2d6eb4d28bd5ff3a0d9891bda9
Instruction Fuzzy Hash: 7F410BB4504355CFDB14DF18C494B2ABBE0BF45318F1A889CE9999B362D335EC85CB52

Function 00DF4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00DF4D4D

Part of subcall function 00E1548B: __wfsopen.LIBCMT ref: 00E15496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00EB62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DF4F6F

Part of subcall function 00DF4CC8: FreeLibrary.KERNEL32(00000000), ref: 00DF4D02

Part of subcall function 00DF4DD0: _memmove.LIBCMT ref: 00DF4E1A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: e475883cd41d990f42a018c351ad41877705e6af60e22e4cf0dc3296cd2a8af5
Instruction ID: bb90b683eaab5bc58151f2f652e84c3d8c7f278b6fb17b853fb475155d5d0578
Opcode Fuzzy Hash: e475883cd41d990f42a018c351ad41877705e6af60e22e4cf0dc3296cd2a8af5
Instruction Fuzzy Hash: 5011C43160060DAACB10AF70DC02BBE77A4DF80711F12C429FB45AA1C2DA759A059770

Function 00E301AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00E301BB

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: b9165f7defcb3e4ed60c2484ce900cc8ab1e78941965e884db1fdd2c3fe745bb
Instruction ID: 45c80488996f329669f983e0bc051bd6ab9f5e9f375236d4c2318d2fecb01109
Opcode Fuzzy Hash: b9165f7defcb3e4ed60c2484ce900cc8ab1e78941965e884db1fdd2c3fe745bb
Instruction Fuzzy Hash: 0C2127B4A08345CFCB14DF14C444B6ABBE0BF88314F0A896CFA9957761D731E849CB62

Function 00DF78AD Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DF78E9

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e0b0f1feff7007f9a685850875a5a6e1ea6a23f504afe070e1a0459631d1335c
Instruction ID: 9331dcacf01ee169d47127d327ddb1131a272ff380ebbbd0232732c522551514
Opcode Fuzzy Hash: e0b0f1feff7007f9a685850875a5a6e1ea6a23f504afe070e1a0459631d1335c
Instruction Fuzzy Hash: 9D1108326092196BC714AF2CD882DBAB39DEF49360719C22AFE15C7294DF719C50CBB1

Function 00DF5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00DF5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00DF5D76

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 79edc6591375560abadd29f76b2b9e49e385f7723a708bea4cfb29c69809836c
Instruction ID: 8a986d6aa09eb275cde2aba5af847bc5b17fb7a815471349b9757c0577125eba
Opcode Fuzzy Hash: 79edc6591375560abadd29f76b2b9e49e385f7723a708bea4cfb29c69809836c
Instruction Fuzzy Hash: 2D116A31201B099FD330CF05D884B62B7E4EF45710F15C92EE6AA86A54D7B0E944CF60

Function 00E14A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00E14AD6

Part of subcall function 00E18D68: __getptd_noexit.LIBCMT ref: 00E18D68

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 31ee6291cec7207983bf84a20f9456515edb7eafa0a3f9045c52992c60228c59
Instruction ID: a9f498edb154b0e2f576206ea4dde35fbb2d5fed5fa3496047f23d85be621383
Opcode Fuzzy Hash: 31ee6291cec7207983bf84a20f9456515edb7eafa0a3f9045c52992c60228c59
Instruction Fuzzy Hash: FFF0FFB1900209ABDF61AF748C02BDE36E0AF00329F05A104B424BA2D1DB788AD1CF90

Function 00DF4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00EB62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DF4FDE

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e79da77b1098235df27e7be5d48bb22067a5c96c65eda99d04268afc004d4efc
Instruction ID: 1ede81944563e27a52d1c195b93bffa6317663934f3a03ac763ad3ef3796a517
Opcode Fuzzy Hash: e79da77b1098235df27e7be5d48bb22067a5c96c65eda99d04268afc004d4efc
Instruction Fuzzy Hash: 77F01571105716CFCB349F64E494823BBF1BF04329326CA3EE2DA82A10C731A884DB60

Function 00E109D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E109F4

Part of subcall function 00DF7D2C: _memmove.LIBCMT ref: 00DF7D66

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 4ab42de76f67a45f9a8bcea1aff8687cbbbb45a6e7cdbc784483df10a4fa3847
Instruction ID: 3ef53e9b056d84c6ff7a32073dc5b7edb3b218fc0ab28c53d64f181b1476d6cf
Opcode Fuzzy Hash: 4ab42de76f67a45f9a8bcea1aff8687cbbbb45a6e7cdbc784483df10a4fa3847
Instruction Fuzzy Hash: 18E0CD3690422C9BC720D658AC05FFA77EDDF88790F0541F5FD0CD7215D9609D8186A0

Function 00E59129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00E5914B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: bb1a5d64805a660fe503eb86dfe6b7bb412761a21770fcef9bcc73db0cde6cf2
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 07E092B1104B409FD7388A24D8507E373E0AB06319F00081CF69A93342EB6278458B59

Function 00DF5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00E2E16B,?,?,00000000), ref: 00DF5DBF

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f702842c69ec51ff926e52fac543345e9071ef68f28a1fd879e09567f7f7a2db
Instruction ID: 1f47bc3d69bb019832a4b678c3f37b4829c51827c03405c205a5c670bfa26fa0
Opcode Fuzzy Hash: f702842c69ec51ff926e52fac543345e9071ef68f28a1fd879e09567f7f7a2db
Instruction Fuzzy Hash: 40D0C77464020CBFE710DB81DC46FA9777CE705710F500294FD0466690D6B27D548795

Function 00E1548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00E15496

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: b42fac6b638b4e8f4446c8f423b4292d2fd01938fb53ed1c1fa23f053d2368cf
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: C8B0927684020CB7DE012E82EC02A993B599B80678F808020FB1D28162A673A6A09689

Function 00E5D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00E5D46A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 6861a1fb2a8c3e9249ded587012bac645acab9445b323df1a28d0758170bb659
Instruction ID: e845b25d1fd6ea3223ac5428c7db0db044bd21d4b6d7a6bfc3dd0475d76db6e9
Opcode Fuzzy Hash: 6861a1fb2a8c3e9249ded587012bac645acab9445b323df1a28d0758170bb659
Instruction Fuzzy Hash: D77197306087058FC714EF24D891AAEB7E0EF88315F05596DFA9697291DB30ED49CB62

Function 00E10E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00E10EF7

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 494bb14852c776536c45d204932ac4b6fccdbb131e471ae370bf6ba0f2fd0a9e
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: DA31F670A00105DFCB18DF59C4809A9F7B6FF59304B64AAA5E40AEB651D7B1EDC1CBC0

Function 014C229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014C22B1

Memory Dump Source

Source File: 00000000.00000002.2001647116.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: e462c82f5e774763a9338a5949e728ccfff39d87310478621136daff319d7521
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 83E0BF7494020EEFDB00EFA8D6496EE7BB4EF04711F1005A5FD05D7691DB709E548A62

Function 014C22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014C22B1

Memory Dump Source

Source File: 00000000.00000002.2001647116.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 749255ce209797948ae027d2e94c0d992cfa5ebd2acb84ef18c3932a6352e1d7
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 3AE0E67494020EDFDB00EFB8D6496AE7FB4EF04701F100165FD01D2281D6709D508A72

Non-executed Functions

Function 00E7CDAC Relevance: 70.6, APIs: 37, Strings: 3, Instructions: 637windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00E7CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E7CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00E7CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E7CF00
SendMessageW.USER32 ref: 00E7CF29
_wcsncpy.LIBCMT ref: 00E7CFA1
GetKeyState.USER32(00000011), ref: 00E7CFC2
GetKeyState.USER32(00000009), ref: 00E7CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E7CFE5
GetKeyState.USER32(00000010), ref: 00E7CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E7D018
SendMessageW.USER32 ref: 00E7D03F
SendMessageW.USER32(?,00001030,?,00E7B602), ref: 00E7D145
SetCapture.USER32(?), ref: 00E7D177
ClientToScreen.USER32(?,?), ref: 00E7D1DC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E7D203
ReleaseCapture.USER32 ref: 00E7D20E
GetCursorPos.USER32(?), ref: 00E7D248
ScreenToClient.USER32(?,?), ref: 00E7D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00E7D2B1
SendMessageW.USER32 ref: 00E7D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00E7D31C
SendMessageW.USER32 ref: 00E7D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E7D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E7D37B
GetCursorPos.USER32(?), ref: 00E7D39B
ScreenToClient.USER32(?,?), ref: 00E7D3A8
GetParent.USER32(?), ref: 00E7D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00E7D431
SendMessageW.USER32 ref: 00E7D462
ClientToScreen.USER32(?,?), ref: 00E7D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E7D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00E7D51A
SendMessageW.USER32 ref: 00E7D53D
ClientToScreen.USER32(?,?), ref: 00E7D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E7D5C3

Part of subcall function 00DF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DF25EC

GetWindowLongW.USER32(?,000000F0), ref: 00E7D65F

Strings

@GUI_DRAGID, xrefs: 00E7D1AA
pr, xrefs: 00E7D1BD
F, xrefs: 00E7D543

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pr
API String ID: 302779176-1436871235
Opcode ID: 6900977c5a2695e9f568b91d40f62ddb93f29fd7283ae16736427024511da966
Instruction ID: a09561424ad4cbbdda7abbb8913140548d7eee871dcfd5d41584d1695b7f7773
Opcode Fuzzy Hash: 6900977c5a2695e9f568b91d40f62ddb93f29fd7283ae16736427024511da966
Instruction Fuzzy Hash: 8842A130204241AFD725CF68CC44FAABBE9FF48718F24952DF699A72A0C731D955CB92

Function 00E7804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00E7873F

Strings

%d/%02d/%02d, xrefs: 00E78478

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: c0226070487c1bb7f4dd074ff3d8a5ec7654268fbc1fe01ae1cf6a815043b57d
Instruction ID: 411d5017ecb72bf95b2e9557d9a08d6bffd056b7b02c997c8df98420c3d17040
Opcode Fuzzy Hash: c0226070487c1bb7f4dd074ff3d8a5ec7654268fbc1fe01ae1cf6a815043b57d
Instruction Fuzzy Hash: D112E171540204AFEB248F65CD4DFAA7BF4EF59714F20A129F91AFA2A1DF708981CB50

Function 00E0710E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E075C2
_memset.LIBCMT ref: 00E076B1
_memmove.LIBCMT ref: 00E07C4B
_memmove.LIBCMT ref: 00E07E4F

Strings

\b(?=\w), xrefs: 00E43C34
DEFINE, xrefs: 00E425AF
[:<:]], xrefs: 00E075F1
Oa, xrefs: 00E4287E
[:>:]], xrefs: 00E0760A
\b(?<=\w), xrefs: 00E43C41
Q\E, xrefs: 00E081C1
0w, xrefs: 00E41F5B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0w$DEFINE$Oa$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-332139107
Opcode ID: e5b5f0bb159db7735a4f74973a632084d1072757d6f9e1e72bb9699d2103f406
Instruction ID: c321d4dc877ddfb2b779fab81fa0c294009ac851c2a8da1a381c957d55fca7df
Opcode Fuzzy Hash: e5b5f0bb159db7735a4f74973a632084d1072757d6f9e1e72bb9699d2103f406
Instruction Fuzzy Hash: 8F93A171E00215DBDB24CFA8D881BEDB7B1FF48314F65916AE955BB280E770AE81CB50

Function 00DF4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00DF4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E2DA8E
IsIconic.USER32(?), ref: 00E2DA97
ShowWindow.USER32(?,00000009), ref: 00E2DAA4
SetForegroundWindow.USER32(?), ref: 00E2DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E2DAC4
GetCurrentThreadId.KERNEL32 ref: 00E2DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E2DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E2DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E2DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00E2DAF8
SetForegroundWindow.USER32(?), ref: 00E2DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E2DB10
keybd_event.USER32(00000012,00000000), ref: 00E2DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E2DB25
keybd_event.USER32(00000012,00000000), ref: 00E2DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E2DB33
keybd_event.USER32(00000012,00000000), ref: 00E2DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E2DB42
keybd_event.USER32(00000012,00000000), ref: 00E2DB47
SetForegroundWindow.USER32(?), ref: 00E2DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00E2DB71

Strings

Shell_TrayWnd, xrefs: 00E2DA89

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 49e0ac39da35270ecb8d183a9bca984791bf9364699c3e3f87e643137ef300b0
Instruction ID: 6ef945d2b50617a5b103d1b1314891132fee5e74483479d851a4458c77bc6104
Opcode Fuzzy Hash: 49e0ac39da35270ecb8d183a9bca984791bf9364699c3e3f87e643137ef300b0
Instruction Fuzzy Hash: 76313271A44318BFEB21AFA29C49FBF7F6CEB44B50F114025FA05FA1D1D6B05D50AAA0

Function 00E6425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00E7F910), ref: 00E64284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00E64292
GetClipboardData.USER32(0000000D), ref: 00E6429A
CloseClipboard.USER32 ref: 00E642A6
GlobalFix.KERNEL32(00000000), ref: 00E642C2
CloseClipboard.USER32 ref: 00E642CC
GlobalUnWire.KERNEL32(00000000), ref: 00E642E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00E642EE
GetClipboardData.USER32(00000001), ref: 00E642F6
GlobalFix.KERNEL32(00000000), ref: 00E64303
GlobalUnWire.KERNEL32(00000000), ref: 00E64337
CloseClipboard.USER32 ref: 00E64447

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatWire$Open
String ID:
API String ID: 941120096-0
Opcode ID: 7638e4a36679f147812ae4c2a17ef4ff9b00c25116b5002dbb2db90294c0c5de
Instruction ID: 2ea7ea9529ffa0ed9440a5bf51738dc60eb757314686c000bceebef5ba70ca34
Opcode Fuzzy Hash: 7638e4a36679f147812ae4c2a17ef4ff9b00c25116b5002dbb2db90294c0c5de
Instruction Fuzzy Hash: 2751BF71244206AFD310EF61EC96FBE77A8EB84B44F105529F55AF21E1DF30D9488B62

Function 00E48858 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00E48CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E48D0D
Part of subcall function 00E48CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E48D3A
Part of subcall function 00E48CC3: GetLastError.KERNEL32 ref: 00E48D47

_memset.LIBCMT ref: 00E4889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E488ED
CloseHandle.KERNEL32(?), ref: 00E488FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E48915
GetProcessWindowStation.USER32 ref: 00E4892E
SetProcessWindowStation.USER32(00000000), ref: 00E48938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E48952

Part of subcall function 00E48713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E48851), ref: 00E48728
Part of subcall function 00E48713: CloseHandle.KERNEL32(?,?,00E48851), ref: 00E4873A

Strings

, xrefs: 00E488AA
default, xrefs: 00E4894D
winsta0, xrefs: 00E48910

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 70bc6f47bfef75afb1e2292c9104b1320dee5aa9781735211e9c92a13925913b
Instruction ID: bfc5fdd681e093fc047ce1c83f9d6aeecb530952a40889b9a860b68aba53ed47
Opcode Fuzzy Hash: 70bc6f47bfef75afb1e2292c9104b1320dee5aa9781735211e9c92a13925913b
Instruction Fuzzy Hash: 13818E71C00209AFDF11DFA4ED45AEE7BB8EF08348F08512AF924B6161DB718E54EB61

Function 00E5C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E5C9F8
FindClose.KERNEL32(00000000), ref: 00E5CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E5CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E5CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E5CAAF
__swprintf.LIBCMT ref: 00E5CAFB
__swprintf.LIBCMT ref: 00E5CB3E

Part of subcall function 00DF7F41: _memmove.LIBCMT ref: 00DF7F82

__swprintf.LIBCMT ref: 00E5CB92

Part of subcall function 00E138D8: __woutput_l.LIBCMT ref: 00E13931

__swprintf.LIBCMT ref: 00E5CBE0

Part of subcall function 00E138D8: __flsbuf.LIBCMT ref: 00E13953
Part of subcall function 00E138D8: __flsbuf.LIBCMT ref: 00E1396B

__swprintf.LIBCMT ref: 00E5CC2F
__swprintf.LIBCMT ref: 00E5CC7E
__swprintf.LIBCMT ref: 00E5CCCD

Strings

%02d, xrefs: 00E5CB86, 00E5CB90, 00E5CBDE, 00E5CC2D, 00E5CC7C, 00E5CCCB
%4d%02d%02d%02d%02d%02d, xrefs: 00E5CAF5
%4d, xrefs: 00E5CB38

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: af653e4f95a8d879f4402fa1d9d09becef6bb85d2ea8136f02afeec1f43a4e6e
Instruction ID: d6b7c53db75f6b4835fc67d8931dc5ecddff20ce731e22f9b82df475b521a221
Opcode Fuzzy Hash: af653e4f95a8d879f4402fa1d9d09becef6bb85d2ea8136f02afeec1f43a4e6e
Instruction Fuzzy Hash: ECA13EB1508308AFC704EB64D895EBFB7ECEF94705F404929F686D6191EA34DA48CB72

Function 00E5F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00E5F221
_wcscmp.LIBCMT ref: 00E5F236
_wcscmp.LIBCMT ref: 00E5F24D
GetFileAttributesW.KERNEL32(?), ref: 00E5F25F
SetFileAttributesW.KERNEL32(?,?), ref: 00E5F279
FindNextFileW.KERNEL32(00000000,?), ref: 00E5F291
FindClose.KERNEL32(00000000), ref: 00E5F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00E5F2B8
_wcscmp.LIBCMT ref: 00E5F2DF
_wcscmp.LIBCMT ref: 00E5F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00E5F308
SetCurrentDirectoryW.KERNEL32(00EAA5A0), ref: 00E5F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E5F330
FindClose.KERNEL32(00000000), ref: 00E5F33D
FindClose.KERNEL32(00000000), ref: 00E5F34F

Strings

*.*, xrefs: 00E5F2B3

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 1ac841002657d40157d1ab7e6e5330cdbfd4f5b84383663aa5651c0c1f562b99
Instruction ID: 33b24c538bbf39843169279a0cd309cff576982b3bab1effc70aef06acaf2558
Opcode Fuzzy Hash: 1ac841002657d40157d1ab7e6e5330cdbfd4f5b84383663aa5651c0c1f562b99
Instruction Fuzzy Hash: F231C2765002196EDF10DBB4EC58ADE73ECAF09366F1455B6E808F30A0EB30DA89CA54

Function 00E70AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E70BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00E7F910,00000000,?,00000000,?,?), ref: 00E70C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E70C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E70D1D
RegCloseKey.ADVAPI32(?), ref: 00E7103D
RegCloseKey.ADVAPI32(00000000), ref: 00E7104A

Strings

REG_QWORD, xrefs: 00E70F8B
REG_MULTI_SZ, xrefs: 00E70E05
REG_EXPAND_SZ, xrefs: 00E70CBA
REG_BINARY, xrefs: 00E70FD8
REG_SZ, xrefs: 00E70D5B
REG_DWORD, xrefs: 00E70F0E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: f5cb678eda791c7f8a311d626c35412ebabbee704a0b06d7ed82678fb6e4cbd9
Instruction ID: 6cbd969e1abae2eb183469b2fc3f48c780f43f2cc00352054ef42f523c5b9e39
Opcode Fuzzy Hash: f5cb678eda791c7f8a311d626c35412ebabbee704a0b06d7ed82678fb6e4cbd9
Instruction Fuzzy Hash: 620249756006019FCB14EF24C891A2AB7E5FF89714F05D85DF98AAB362CB70ED41CB91

Function 00E7C8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

DragQueryPoint.SHELL32(?,?), ref: 00E7C917

Part of subcall function 00E7ADF1: ClientToScreen.USER32(?,?), ref: 00E7AE1A
Part of subcall function 00E7ADF1: GetWindowRect.USER32(?,?), ref: 00E7AE90
Part of subcall function 00E7ADF1: PtInRect.USER32(?,?,00E7C304), ref: 00E7AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00E7C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E7C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E7C9AE
_wcscat.LIBCMT ref: 00E7C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E7C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00E7CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00E7CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00E7CA47
DragFinish.SHELL32(?), ref: 00E7CA4E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00E7CB41

Strings

@GUI_DRAGID, xrefs: 00E7CAB9
@GUI_DRAGFILE, xrefs: 00E7CAF0
@GUI_DROPID, xrefs: 00E7CA6E
pr, xrefs: 00E7CA8B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr
API String ID: 2166380349-2073472848
Opcode ID: 201e78820bef299b13d5f67f64c63d1211a77f20264e0e1514c12e948c875d8f
Instruction ID: 89e2dd4d636dfb30d295e96572e3c142a5f4e36836ca282c9461fff940db0c00
Opcode Fuzzy Hash: 201e78820bef299b13d5f67f64c63d1211a77f20264e0e1514c12e948c875d8f
Instruction Fuzzy Hash: FC617D71508304AFC701DF64DC85DAFBBE8FF89710F00492EF695A61A1DB309A49CB62

Function 00E5F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00E5F37E
_wcscmp.LIBCMT ref: 00E5F393
_wcscmp.LIBCMT ref: 00E5F3AA

Part of subcall function 00E545C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E545DC

FindNextFileW.KERNEL32(00000000,?), ref: 00E5F3D9
FindClose.KERNEL32(00000000), ref: 00E5F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00E5F400
_wcscmp.LIBCMT ref: 00E5F427
_wcscmp.LIBCMT ref: 00E5F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00E5F450
SetCurrentDirectoryW.KERNEL32(00EAA5A0), ref: 00E5F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E5F478
FindClose.KERNEL32(00000000), ref: 00E5F485
FindClose.KERNEL32(00000000), ref: 00E5F497

Strings

*.*, xrefs: 00E5F3FB

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: d0e6418d65d11096b648c2601aa7790d54c7077ca1ced91e2286aa5536790f79
Instruction ID: ae9500259fa96ba71ee7347435dfa8bc00fa87c15aff107583d7e057587c06a8
Opcode Fuzzy Hash: d0e6418d65d11096b648c2601aa7790d54c7077ca1ced91e2286aa5536790f79
Instruction Fuzzy Hash: AC31C2715012196FDF10DB64EC88AEF77AC9F09365F1416B5EC54B30A0DB30DA89CA64

Function 00E7C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E7C4EC
GetFocus.USER32 ref: 00E7C4FC
GetDlgCtrlID.USER32(00000000), ref: 00E7C507
_memset.LIBCMT ref: 00E7C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E7C65D
GetMenuItemCount.USER32(?), ref: 00E7C67D
GetMenuItemID.USER32(?,00000000), ref: 00E7C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E7C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E7C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E7C744
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00E7C779

Strings

0, xrefs: 00E7C62A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 7bf7d95c763742cf90c0f7bb71e8cf9c8220f5d8d3581d630d61d978a18ea87d
Instruction ID: 945d96b62647f7ec75f47047eeda30e70be633b8c39530fd4844743935b26a2e
Opcode Fuzzy Hash: 7bf7d95c763742cf90c0f7bb71e8cf9c8220f5d8d3581d630d61d978a18ea87d
Instruction Fuzzy Hash: AC81B5701083019FD714CF24D884AAB7BE8FF88718F20952EF999A3251DB70D945CFA1

Function 00E481F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E4874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E48766
Part of subcall function 00E4874A: GetLastError.KERNEL32(?,00E4822A,?,?,?), ref: 00E48770
Part of subcall function 00E4874A: GetProcessHeap.KERNEL32(00000008,?,?,00E4822A,?,?,?), ref: 00E4877F
Part of subcall function 00E4874A: RtlAllocateHeap.NTDLL(00000000,?,00E4822A), ref: 00E48786
Part of subcall function 00E4874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E4879D

Part of subcall function 00E487E7: GetProcessHeap.KERNEL32(00000008,00E48240,00000000,00000000,?,00E48240,?), ref: 00E487F3
Part of subcall function 00E487E7: RtlAllocateHeap.NTDLL(00000000,?,00E48240), ref: 00E487FA
Part of subcall function 00E487E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E48240,?), ref: 00E4880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E4825B
_memset.LIBCMT ref: 00E48270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E4828F
GetLengthSid.ADVAPI32(?), ref: 00E482A0
GetAce.ADVAPI32(?,00000000,?), ref: 00E482DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E482F9
GetLengthSid.ADVAPI32(?), ref: 00E48316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E48325
RtlAllocateHeap.NTDLL(00000000), ref: 00E4832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E4834D
CopySid.ADVAPI32(00000000), ref: 00E48354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E48385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E483AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E483BF

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 8b67b5b259a5c20deae35a7c48ad1a60a6c9fb1244de851132298594022b28f1
Instruction ID: 9f7a1d2b49ad062a4bf5bafd2a6b01299e83cf18a48ac5a6dbde303982bd8b93
Opcode Fuzzy Hash: 8b67b5b259a5c20deae35a7c48ad1a60a6c9fb1244de851132298594022b28f1
Instruction Fuzzy Hash: 62613771900209EFDF10DFA5EE84AEEBBB9FF04704F149169E815B7291DB319A45CB60

Function 00E06843 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

UTF), xrefs: 00E41533
BSR_ANYCRLF), xrefs: 00E41757
NO_AUTO_POSSESS), xrefs: 00E41567
ANYCRLF), xrefs: 00E41734
Oa, xrefs: 00E41888, 00E4192F, 00E419DD
BSR_UNICODE), xrefs: 00E41771
CRLF), xrefs: 00E416FA
LIMIT_RECURSION=, xrefs: 00E41635
CR), xrefs: 00E416C0
NO_START_OPT), xrefs: 00E41588
UCP), xrefs: 00E41546
UTF16), xrefs: 00E41508
ANY), xrefs: 00E41717
LIMIT_MATCH=, xrefs: 00E415A9
LF), xrefs: 00E416DD

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa$UCP)$UTF)$UTF16)
API String ID: 0-3700951917
Opcode ID: 032dfbc88fb354a893d4e223ce064570b288105a712aec9b9ca021711d3ca32e
Instruction ID: 67380a6c59c81eb1ef8ca265ec46c2af0db5fd325db4819da9ff76d152a396cd
Opcode Fuzzy Hash: 032dfbc88fb354a893d4e223ce064570b288105a712aec9b9ca021711d3ca32e
Instruction Fuzzy Hash: D5725E71E002199BDF24DF59D8807EEB7F5EF88314F1491AAE949BB290DB709D81CB90

Function 00E70665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E710A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E70038,?,?), ref: 00E710BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E70737

Part of subcall function 00DF9997: __itow.LIBCMT ref: 00DF99C2
Part of subcall function 00DF9997: __swprintf.LIBCMT ref: 00DF9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E707D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E7086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E70AAD
RegCloseKey.ADVAPI32(00000000), ref: 00E70ABA

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: c8835500cc76a6016c3006b1abbb008967bfd5fadd559f81857c55f3236cc73d
Instruction ID: 5aaa674ba5335c01706f793a81a41e9c0a7d98585c5e649bd471fb0c7fb58f81
Opcode Fuzzy Hash: c8835500cc76a6016c3006b1abbb008967bfd5fadd559f81857c55f3236cc73d
Instruction Fuzzy Hash: DEE15B71604200EFCB14DF29C891E6ABBE4EF89714F04D56DF94AEB2A2DA30E945CB51

Function 00E50219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E50241
GetAsyncKeyState.USER32(000000A0), ref: 00E502C2
GetKeyState.USER32(000000A0), ref: 00E502DD
GetAsyncKeyState.USER32(000000A1), ref: 00E502F7
GetKeyState.USER32(000000A1), ref: 00E5030C
GetAsyncKeyState.USER32(00000011), ref: 00E50324
GetKeyState.USER32(00000011), ref: 00E50336
GetAsyncKeyState.USER32(00000012), ref: 00E5034E
GetKeyState.USER32(00000012), ref: 00E50360
GetAsyncKeyState.USER32(0000005B), ref: 00E50378
GetKeyState.USER32(0000005B), ref: 00E5038A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f9343f05de9e998dfcd8dc493cd56d2cd03d549741de222f61be916277587558
Instruction ID: 5e4ff99402c6147c6e1898267106da008fa2c09915e53356f540e4369f4ee1b5
Opcode Fuzzy Hash: f9343f05de9e998dfcd8dc493cd56d2cd03d549741de222f61be916277587558
Instruction Fuzzy Hash: 424186245047CA6FFF319A64C8083B5BFA06F1234AF48589DEDC6661D3EB945DCC87A2

Function 00E64458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00E6447F
EmptyClipboard.USER32 ref: 00E64485
GlobalAlloc.KERNEL32(00000002,?), ref: 00E6449A
CloseClipboard.USER32 ref: 00E64539

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 364f5095de0d7bfcf6906875e73bf6ee0757976f247d048a25e5c1fc722f920d
Instruction ID: be606fec9dbf4d63029fc9a152124eac879c47d14957b224afee551189d4fa8b
Opcode Fuzzy Hash: 364f5095de0d7bfcf6906875e73bf6ee0757976f247d048a25e5c1fc722f920d
Instruction Fuzzy Hash: F821A1752402119FDB11EF61EC19B6AB7A8EF04754F10802AF90AFB2B1DB74AC40CB95

Function 00E7C27C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

Part of subcall function 00DF2344: GetCursorPos.USER32(?), ref: 00DF2357
Part of subcall function 00DF2344: ScreenToClient.USER32(00EB67B0,?), ref: 00DF2374
Part of subcall function 00DF2344: GetAsyncKeyState.USER32(00000001), ref: 00DF2399
Part of subcall function 00DF2344: GetAsyncKeyState.USER32(00000002), ref: 00DF23A7

ReleaseCapture.USER32 ref: 00E7C2F0
SetWindowTextW.USER32(?,00000000), ref: 00E7C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E7C3AD
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 00E7C48F

Strings

pr, xrefs: 00E7C3FD
@GUI_DRAGFILE, xrefs: 00E7C424
@GUI_DROPID, xrefs: 00E7C3E1
pr, xrefs: 00E7C438

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$pr$pr
API String ID: 973565025-488423084
Opcode ID: 91974cf8bad40d2fa9e0c58bdb612685998bbd4abdc3a0d07a10da04b5a44ac6
Instruction ID: 310fbf4c443dd68a1c5bda10c07dbc947a4dac4246060a4d36d6745352574d99
Opcode Fuzzy Hash: 91974cf8bad40d2fa9e0c58bdb612685998bbd4abdc3a0d07a10da04b5a44ac6
Instruction Fuzzy Hash: 2F51AF70204304AFD704DF14D856FBA7BE5EF88314F10852DF699AB2E1DB34A958CB62

Function 00E04140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00E37B0C
ERCP, xrefs: 00E0421F
VUUU, xrefs: 00E044DB
Oa, xrefs: 00E04984, 00E38173
VUUU, xrefs: 00E04520
VUUU, xrefs: 00E044ED

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID: ERCP$Oa$VUUU$VUUU$VUUU$VUUU
API String ID: 0-3486589167
Opcode ID: b4e2e310576217790bf3f2180cd63db7ab36b44782f8e8d33954cc97de5ea77c
Instruction ID: 45bde345ee627a55521ee97c43df9d9886623e0737f33aa851807d92ecfad0e6
Opcode Fuzzy Hash: b4e2e310576217790bf3f2180cd63db7ab36b44782f8e8d33954cc97de5ea77c
Instruction Fuzzy Hash: DFA26DF0A0421ACBDF24CF58CA947ADB7B1BB54318F14A1AAE955B72C0E7709EC5CB50

Function 00E5F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF7F41: _memmove.LIBCMT ref: 00DF7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00E5F6AB
Sleep.KERNEL32(0000000A), ref: 00E5F6DB
_wcscmp.LIBCMT ref: 00E5F6EF
_wcscmp.LIBCMT ref: 00E5F70A
FindNextFileW.KERNEL32(?,?), ref: 00E5F7A8
FindClose.KERNEL32(00000000), ref: 00E5F7BE

Strings

*.*, xrefs: 00E5F690

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 2f76f76f5b28bb881ac01c7e5854c050b4520ca1e9fefc664408f1e7abbd527b
Instruction ID: 8f9ea6afc946194ef5f18f2a318550bf79a1c3217e5a4177b4d5bd90faa2819e
Opcode Fuzzy Hash: 2f76f76f5b28bb881ac01c7e5854c050b4520ca1e9fefc664408f1e7abbd527b
Instruction Fuzzy Hash: E841817191020A9FCF11DF64CC45AEEBBB4FF09315F144966E919B71A1EB309E88CBA0

Function 00E7D74C Relevance: 12.3, APIs: 8, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

GetSystemMetrics.USER32(0000000F), ref: 00E7D78A
GetSystemMetrics.USER32(0000000F), ref: 00E7D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00E7D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E7DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E7DA24
ShowWindow.USER32(00000003,00000000), ref: 00E7DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00E7DA68
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00E7DA8B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-0
Opcode ID: 0c8659f2d81d9dec57a256884499ade17d9f2ed13579c79bcf12914924c24785
Instruction ID: 9bb7dc9c01c72ee3b93ace8303f504280a911d4a0ed81845ea418f072d6b9da8
Opcode Fuzzy Hash: 0c8659f2d81d9dec57a256884499ade17d9f2ed13579c79bcf12914924c24785
Instruction Fuzzy Hash: E7B1BA31604215EFDF18CF69C985BBD7BB1BF44714F08D069ED88AB295D734A990CB60

Function 00E058C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E05A05
_memmove.LIBCMT ref: 00E05A55
_memmove.LIBCMT ref: 00E05ABB

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 693a6bedfb324e3a524dd3540f3c3d743cf56cc751199d68096bf85d95b32c60
Instruction ID: b5ad230d70bedebb54e29cbd3cfc506135dffc78cf91ec74ec96528fa53bbd58
Opcode Fuzzy Hash: 693a6bedfb324e3a524dd3540f3c3d743cf56cc751199d68096bf85d95b32c60
Instruction Fuzzy Hash: E212A871A00609DFDF04DFA5E981AEEB7F5FF48300F109269E506B7291EB35A991CB60

Function 00E05680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00E10FF6: std::exception::exception.LIBCMT ref: 00E1102C
Part of subcall function 00E10FF6: __CxxThrowException@8.LIBCMT ref: 00E11041

_memmove.LIBCMT ref: 00E4062F
_memmove.LIBCMT ref: 00E40744
_memmove.LIBCMT ref: 00E407EB

Strings

yZ, xrefs: 00E40881, 00E407FF

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ
API String ID: 1300846289-3798167742
Opcode ID: 4a38a84e71249e2b3cd54831bee4b308cf49f379deef835a0d23972ef6389ca5
Instruction ID: 70fd9d3cf86f7e3b7adf2ecdd8e146287f316eb9dd907969ffa39d17a22c3fde
Opcode Fuzzy Hash: 4a38a84e71249e2b3cd54831bee4b308cf49f379deef835a0d23972ef6389ca5
Instruction Fuzzy Hash: 9D02A271E00209DFCF04DF64E9816AE7BF5EF48300F159069E906EB295EB31D995CBA1

Function 00E5545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00E48CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E48D0D
Part of subcall function 00E48CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E48D3A
Part of subcall function 00E48CC3: GetLastError.KERNEL32 ref: 00E48D47

ExitWindowsEx.USER32(?,00000000), ref: 00E5549B

Strings

, xrefs: 00E55489
@, xrefs: 00E5548E
SeShutdownPrivilege, xrefs: 00E5546B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 5cfbb55507412a52b2ecb79c58382dbd94834ee1896cd79c10aae0a8ea2e7094
Instruction ID: cfabcd086dd154bc06e6adb3f7a8fb8a14a452e74c5eb838318ad6cd9f3547e0
Opcode Fuzzy Hash: 5cfbb55507412a52b2ecb79c58382dbd94834ee1896cd79c10aae0a8ea2e7094
Instruction Fuzzy Hash: 6B01FC33655B115EE7285678EC6ABBA7298EB05353F242931FD27F60D3DA501C8C8590

Function 00E03190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa, xrefs: 00E03482

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa
API String ID: 674341424-3945284152
Opcode ID: 5120b2152a7e607156385edca0e508a59e5d5ff4be55a115059ee1b771930d68
Instruction ID: 9ab4cfb859c31b7b6c2510f923e174a056aa797abc99187f2fc8c21a5e7e093d
Opcode Fuzzy Hash: 5120b2152a7e607156385edca0e508a59e5d5ff4be55a115059ee1b771930d68
Instruction Fuzzy Hash: 8D228FB15083019FC724DF24C891BAFB7E9EF84704F10991DF996A7291DB71EA44CBA2

Function 00E66596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00E665EF
WSAGetLastError.WS2_32(00000000), ref: 00E665FE
bind.WS2_32(00000000,?,00000010), ref: 00E6661A
listen.WS2_32(00000000,00000005), ref: 00E66629
WSAGetLastError.WS2_32(00000000), ref: 00E66643
closesocket.WS2_32(00000000), ref: 00E66657

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 12e5bbf68ba7611f17893d4abf7d485b8baf8b5048632536e9b26c7d1aa346c4
Instruction ID: 5904e69d3e104d068a1cf29266bf1610c9504ea1ad4282bd604ceeeda704088b
Opcode Fuzzy Hash: 12e5bbf68ba7611f17893d4abf7d485b8baf8b5048632536e9b26c7d1aa346c4
Instruction Fuzzy Hash: 0521CE316402049FDB00EF24E845B7EB7F9EF44364F158159E91AB72D1CB70AD45CB61

Function 00DF1287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00DF19FA
GetSysColor.USER32(0000000F), ref: 00DF1A4E
SetBkColor.GDI32(?,00000000), ref: 00DF1A61

Part of subcall function 00DF1290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00DF12D8

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: edd4d37f3e1746b79be376a405139163f3a801732b0441eb168517e40760b947
Instruction ID: 8e706624c694c33962c6c70c478a1067296a30c1702da894c7a876e28b62d731
Opcode Fuzzy Hash: edd4d37f3e1746b79be376a405139163f3a801732b0441eb168517e40760b947
Instruction Fuzzy Hash: 1BA1AC7810549DFED638AB29AC45DBF369CDB42345F2ED20AF752F6192CE14CC0292B1

Function 00E66A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E680A0: inet_addr.WS2_32(00000000), ref: 00E680CB

socket.WS2_32(00000002,00000002,00000011), ref: 00E66AB1
WSAGetLastError.WS2_32(00000000), ref: 00E66ADA
bind.WS2_32(00000000,?,00000010), ref: 00E66B13
WSAGetLastError.WS2_32(00000000), ref: 00E66B20
closesocket.WS2_32(00000000), ref: 00E66B34

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: f2bc79b5057b31f9efcab2b62b3ce782478d9f30c939387f466f45a5eae28bbe
Instruction ID: 03cf56c60b74057246714d49d197fd454b8509b730363eb45fe9b02cdd063fd5
Opcode Fuzzy Hash: f2bc79b5057b31f9efcab2b62b3ce782478d9f30c939387f466f45a5eae28bbe
Instruction Fuzzy Hash: C441B575A40214AFEB10AF64DC96F7EB7A8DB44714F05C058FA1ABB2D2CA705D008BB1

Function 00E755FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00E7564C
IsWindowEnabled.USER32 ref: 00E7565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00E75667
IsIconic.USER32 ref: 00E75675
IsZoomed.USER32 ref: 00E75683

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: caa03ee852be04ebdc8e1156cb0c47c47c29ea9be97d9b154000d0b21ce2faa5
Instruction ID: 9af1dd8038cbf42ed2cb1f908183013db7947d9c5547d6acd69abcefc402dccf
Opcode Fuzzy Hash: caa03ee852be04ebdc8e1156cb0c47c47c29ea9be97d9b154000d0b21ce2faa5
Instruction Fuzzy Hash: B01104327009106FE7216FA6DC44B2FB798EF44721B41D429F90EF7240CBB09D428AA5

Function 00E6F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E6F151
Process32FirstW.KERNEL32(00000000,?), ref: 00E6F15F

Part of subcall function 00DF7F41: _memmove.LIBCMT ref: 00DF7F82

Process32NextW.KERNEL32(00000000,?), ref: 00E6F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E6F22E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 1b24f484545e77569cd88eb59593959726dcfc08476d91e8617c9e7c413a6518
Instruction ID: 7b299b13ee869a373df88d228bb536e7e3374d7c8e0921fe25e85f5c7d53f56d
Opcode Fuzzy Hash: 1b24f484545e77569cd88eb59593959726dcfc08476d91e8617c9e7c413a6518
Instruction Fuzzy Hash: D85181715043059FD310EF20EC95E6BB7E8FF94750F11482DF59597262DB70A908CBA2

Function 00E7C788 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

GetCursorPos.USER32(?), ref: 00E7C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E2BBFB,?,?,?,?,?), ref: 00E7C7D7
GetCursorPos.USER32(?), ref: 00E7C824
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E2BBFB,?,?,?), ref: 00E7C85E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 2c2f2bbae30b3d43a2f2691d5440713cfb74b82b56a8f634b31bde6c477a1939
Instruction ID: 65b65d22a4405bf2254606d163935a491746050068a2c136a1d20c3ddbdee3b8
Opcode Fuzzy Hash: 2c2f2bbae30b3d43a2f2691d5440713cfb74b82b56a8f634b31bde6c477a1939
Instruction Fuzzy Hash: E831E435600018AFDB19CF59C898EFA7BBAEB09310F148169F909AB261C731AE51DF61

Function 00E540B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00E540D1
_memset.LIBCMT ref: 00E540F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00E54144
CloseHandle.KERNEL32(00000000), ref: 00E5414D

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: a9c9a0a3921fd4bc0dc89bd237931892325ce0c363759b01ee844970d2fd28c2
Instruction ID: 0f1321ef3310ba147ade7964bfb0dbf40902233c2837a0fa9d147f5f1480c316
Opcode Fuzzy Hash: a9c9a0a3921fd4bc0dc89bd237931892325ce0c363759b01ee844970d2fd28c2
Instruction Fuzzy Hash: 9E11EB759012287AD7309BA59C4DFEBBBBCEF44764F1045A6F908E71C0D6744EC48BA4

Function 00DF1290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00DF12D8
GetClientRect.USER32(?,?), ref: 00E2B84B
GetCursorPos.USER32(?), ref: 00E2B855
ScreenToClient.USER32(?,?), ref: 00E2B860

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: b0001e275b9b8b67bcabd8569cd0503ddf5b9f99a802e7ef8b5b6efb727d99af
Instruction ID: 3752cb4e1e59ca604e1c677db3c662806e4b9bb43678a66db1cd1a365d68693d
Opcode Fuzzy Hash: b0001e275b9b8b67bcabd8569cd0503ddf5b9f99a802e7ef8b5b6efb727d99af
Instruction Fuzzy Hash: 7E11283990011DEFCB04EFA4D8869FE77B8FB05310F018466FA45E7250C730AA958BB9

Function 00E4EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E4EB19

Strings

(, xrefs: 00E4EB5F
|, xrefs: 00E4EB49

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 290450bf2a3328f5711ab70ef8058599aac9722f10b81c1e5520ac1df37c6e8f
Instruction ID: d040d9c25db49388c7805a223103f59db03c6156ea3c758e9c4729b03124ac28
Opcode Fuzzy Hash: 290450bf2a3328f5711ab70ef8058599aac9722f10b81c1e5520ac1df37c6e8f
Instruction Fuzzy Hash: C0323675A006059FC728CF29D4819AAB7F1FF48310B15D56EE89AEB3A1D770E981CB40

Function 00E625E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00E626D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00E6270C

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 8cee31eb6fc943269479d8e2a4bb1fa50d09cf1de45aeedac19dab8cea41fa88
Instruction ID: ef61accea257c592e34924d1bd259fcc95e689c0c26b535ca3b1f28d0991877e
Opcode Fuzzy Hash: 8cee31eb6fc943269479d8e2a4bb1fa50d09cf1de45aeedac19dab8cea41fa88
Instruction Fuzzy Hash: FD41D371940A09BFEB20DA54EC85EFF77ECEB407A8F10606EF705B6140EA71AD819764

Function 00E5B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E5B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E5B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00E5B655

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0f15d971af1e45412e3a4aebb92c4e6024aeec478802cde48740cb7b97876e72
Instruction ID: dbdc05dde5bff280ceb8c6b2c78273201a02b0a5ef9d7c48e1d10ebf3c8a84fb
Opcode Fuzzy Hash: 0f15d971af1e45412e3a4aebb92c4e6024aeec478802cde48740cb7b97876e72
Instruction Fuzzy Hash: E2216035A00518EFCB00EF65D890AADFBB8FF49314F1580A9E905AB361DB31A959CF61

Function 00E48CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E10FF6: std::exception::exception.LIBCMT ref: 00E1102C
Part of subcall function 00E10FF6: __CxxThrowException@8.LIBCMT ref: 00E11041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E48D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E48D3A
GetLastError.KERNEL32 ref: 00E48D47

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: af692179a7681069758ff844686e5c59cf2da5ddc10adcdef5b765c887fef63a
Instruction ID: 376c34fe6fd2f5c2369a1592f1e92385613dc7650de45a26d66d2d0f8dd4a732
Opcode Fuzzy Hash: af692179a7681069758ff844686e5c59cf2da5ddc10adcdef5b765c887fef63a
Instruction Fuzzy Hash: 7B1194B1914205AFD728DF64ED85DABB7FCFF48710B10852EF455A7241DF70AC818A60

Function 00E54C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E54C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E54C43
FreeSid.ADVAPI32(?), ref: 00E54C53

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 178cd6c6344bc3762aa1a33cb3b9d8888d2cc15bbf6665727e913bbec2b9973a
Instruction ID: d2ad6b7eb1781bedaed60ab77a26bce9e51ea2c790013b18e6f6a0364ebb4ab2
Opcode Fuzzy Hash: 178cd6c6344bc3762aa1a33cb3b9d8888d2cc15bbf6665727e913bbec2b9973a
Instruction Fuzzy Hash: B2F04975A1130CBFDF04DFF0DC89EAEBBBCEF08201F0044A9E905E2281E6706A489B50

Function 00E58B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00E58B25

Part of subcall function 00E1543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00E591F8,00000000,?,?,?,?,00E593A9,00000000,?), ref: 00E15443
Part of subcall function 00E1543A: __aulldiv.LIBCMT ref: 00E15463

Strings

0u, xrefs: 00E58B1C

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0u
API String ID: 2893107130-1339160046
Opcode ID: 8617a9cb53f5def5a9a9377cc95c35c3066d8d479062bda977d12aed1d72aa6e
Instruction ID: 7c6abd81ba8a9a045b50f68b7d86e995a555dbce46d7ca4dc43765c61e10d618
Opcode Fuzzy Hash: 8617a9cb53f5def5a9a9377cc95c35c3066d8d479062bda977d12aed1d72aa6e
Instruction Fuzzy Hash: 5F2102726355108FC329CF29D841A52B3E1EBA4311B289F2CD4E6EB2D0CA30B909CB90

Function 00DFE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6dfa824648c9475f064d84a1801c079bc808816c3a329e1f37354f556e4f00
Instruction ID: 51b51364b263a59db57ce00518c3ecd28048486bce8e3a479538da798cf3ff35
Opcode Fuzzy Hash: 3c6dfa824648c9475f064d84a1801c079bc808816c3a329e1f37354f556e4f00
Instruction Fuzzy Hash: 6E226D709002199FDB24DF54C484ABEBBF1FF08300F19C569EA55AB361E774E985CBA1

Function 00DF16DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

Part of subcall function 00DF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DF25EC

GetParent.USER32(?), ref: 00E2BA0A
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00DF19B3,?,?,?,00000006,?), ref: 00E2BA84

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 2bd55da7157baac23adf36a9019478c23e206ba73fb9eec5aedcdaef30a31cc1
Instruction ID: 05292365e778153c765988c01925a103da46d9cbb5fb57d7f77b9ff30cbbcd69
Opcode Fuzzy Hash: 2bd55da7157baac23adf36a9019478c23e206ba73fb9eec5aedcdaef30a31cc1
Instruction Fuzzy Hash: 2221B438204118EFCB249F68D895DB93BE6EF4A324F598250F62D6B2F1CB319D51DB60

Function 00E5C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E5C966
FindClose.KERNEL32(00000000), ref: 00E5C996

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 06738db38625d6546bd029f34f075662487a15958f95bd55c82e2b59a2b9e3b1
Instruction ID: 3fc22a86359c90d54ec2b48308cf016da6716c873ef57fbaa8cb230b14eb9967
Opcode Fuzzy Hash: 06738db38625d6546bd029f34f075662487a15958f95bd55c82e2b59a2b9e3b1
Instruction Fuzzy Hash: B3118E326006049FD710EF29D855A2AF7E9EF84324F01891EF9A9D72A1DB30AC04CB91

Function 00E7C86D Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00E2BB8A,?,?,?), ref: 00E7C8E1

Part of subcall function 00DF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DF25EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00E7C8C7

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: d4801db353c35d1d8529d026f2a71192edb3273eecb11c5ac6c0afc529a63f4b
Instruction ID: d3422db83d1d3ae01b0e850b038ad12de59a28797bc7f23855de4bfb3cfb5e73
Opcode Fuzzy Hash: d4801db353c35d1d8529d026f2a71192edb3273eecb11c5ac6c0afc529a63f4b
Instruction Fuzzy Hash: 9701DD31200214AFDB255F15DC55E767BA6FF85324F144128F9596B2E0C7316845DBA1

Function 00E7CC2E Relevance: 3.0, APIs: 2, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00E7CC51
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00E2BC66,?,?,?,?,?), ref: 00E7CC7A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 18e2ec8a888f585cd4f06bc5c723d5fd4519525b2ef771f1ee4044d6140efaba
Instruction ID: bed1f56c18bfb64bd24db2bf3fcc0744e75a1cca97a5a9524704c8ed42f1625e
Opcode Fuzzy Hash: 18e2ec8a888f585cd4f06bc5c723d5fd4519525b2ef771f1ee4044d6140efaba
Instruction Fuzzy Hash: 29F03A7240021CFFEF05CF86EC099AE7BB9FF48311F10416AF909A2161D3716A64EBA0

Function 00E5A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E6977D,?,00E7FB84,?), ref: 00E5A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E6977D,?,00E7FB84,?), ref: 00E5A314

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ea497f50ef6533aef8bc29bec492db710fcdd894eaf407230c82ef29b093be52
Instruction ID: 24ddb908b2b900c44b38e62b266bc9220266d6af3829d08119dd45490a4062f3
Opcode Fuzzy Hash: ea497f50ef6533aef8bc29bec492db710fcdd894eaf407230c82ef29b093be52
Instruction Fuzzy Hash: FBF0823554422DBBDB109FA4DC48FFA776DFF08761F008265F908E6191D6309A48CBA1

Function 00E7CD6C Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00E7CD74
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00E2BBE5,?,?,?,?), ref: 00E7CDA2

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 8f8bec4de7a2533dcc3e3c5a2c89e90b5cabc4099dc714d24f9fd0a2b0d83189
Instruction ID: 127a46ea93939ea508cff2ebcb05596c16854d26ee8c67ac258fa4cb12d20da1
Opcode Fuzzy Hash: 8f8bec4de7a2533dcc3e3c5a2c89e90b5cabc4099dc714d24f9fd0a2b0d83189
Instruction Fuzzy Hash: EAE08670104254BFEB249F1ADC09FBE3B58EB04751F508229F95AEA0E1C7709890D760

Function 00E48713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E48851), ref: 00E48728
CloseHandle.KERNEL32(?,?,00E48851), ref: 00E4873A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 671efa21841d08a0cdb14d5334f1966f6aa8c87fc669b0d03245c2c28aa5cc3c
Instruction ID: 1898c51d957677486e4e3a8b34999a25829e3c967abefa028df084aba466166f
Opcode Fuzzy Hash: 671efa21841d08a0cdb14d5334f1966f6aa8c87fc669b0d03245c2c28aa5cc3c
Instruction Fuzzy Hash: 41E0B676410610EEE7252B61ED09DB77BE9EF04395B24886DF5AA90470DB62ACD0EB10

Function 00E1A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00E84178,00E18F97,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 00E1A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E1A3A3

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 59bac160f1e371da3d12649f5e2dd1790632cb0d2c4985d2764a807d853709bc
Instruction ID: 82aeead4cf962f1f5849cd3113887df740d16a004a86da575cd4550353c129a3
Opcode Fuzzy Hash: 59bac160f1e371da3d12649f5e2dd1790632cb0d2c4985d2764a807d853709bc
Instruction Fuzzy Hash: 61B09231054208BFCA00AB92EC09B883F68EB44AAAF404020F60D94060CB6254948A91

Function 00E1F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372dc3fbfd05acb3c85696eec029c5e2440c3e692cb56f93a5e875ca05713249
Instruction ID: 1abbbbda893c87f28cd20164d13a355ccc39684c6cb28f50d8f2d8de4700c3e9
Opcode Fuzzy Hash: 372dc3fbfd05acb3c85696eec029c5e2440c3e692cb56f93a5e875ca05713249
Instruction Fuzzy Hash: 88321631D69F014DD7239635D832375A24AAFB73D4F25E737E82AB59A6EB28C4C34240

Function 00E2267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93cd45f9a63d6c37009b8910ea2602ec42b5ca2095e8dbed359b2e1a6dbbea1f
Instruction ID: f0812fd199e3fcd80c6e1f223fb3d77fa75eee5eead7a6b86f8dcef41c6dc198
Opcode Fuzzy Hash: 93cd45f9a63d6c37009b8910ea2602ec42b5ca2095e8dbed359b2e1a6dbbea1f
Instruction Fuzzy Hash: E5B1F130D2AF514DE723963A8831336B65CAFBB2C5F55D72BFC2A74D22EB2185874241

Function 00E7DA9A Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00E7DB46

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: e5d891959f177bb076ad87bec858bdb52d01d8b7de6361a5782d6ec5b5a31935
Instruction ID: 6ace6cff72f844cedbf9c7300b0fd754049c3f728f07f7fcaa08f2467d9d8285
Opcode Fuzzy Hash: e5d891959f177bb076ad87bec858bdb52d01d8b7de6361a5782d6ec5b5a31935
Instruction Fuzzy Hash: 9D11EB312081657FEB249E2CDC06FBA3774EF85B24F20D315F9597A1D1CB649D009265

Function 00E7D6C6 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DF25EC

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00E2BBA2,?,?,?,?,00000000,?), ref: 00E7D740

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 60ba1ceb57a2ff24c7b0220f40ad559837d154a6388637ccced16dce749c2fad
Instruction ID: d8a340f9f117670bfddc185c8ee7dd9bc8d55a9b9fbdc0580ea483e3a1230598
Opcode Fuzzy Hash: 60ba1ceb57a2ff24c7b0220f40ad559837d154a6388637ccced16dce749c2fad
Instruction Fuzzy Hash: 2A01B535604158AFDB189F29DC85AFA3BB2EF85329F089126F95D3B191C331AC6197A0

Function 00E7C220 Relevance: 1.5, APIs: 1, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

Part of subcall function 00DF2344: GetCursorPos.USER32(?), ref: 00DF2357
Part of subcall function 00DF2344: ScreenToClient.USER32(00EB67B0,?), ref: 00DF2374
Part of subcall function 00DF2344: GetAsyncKeyState.USER32(00000001), ref: 00DF2399
Part of subcall function 00DF2344: GetAsyncKeyState.USER32(00000002), ref: 00DF23A7

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00E2BC4F,?,?,?,?,?,00000001,?), ref: 00E7C272

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 2a3e8a576cd1224615b33e455098a2e96724d0099a9fd82fb3ed5d61c616cfb3
Instruction ID: f18087da364b522857fb3ddd80ce5af03ec119f845b038b36640f72e1e80fd81
Opcode Fuzzy Hash: 2a3e8a576cd1224615b33e455098a2e96724d0099a9fd82fb3ed5d61c616cfb3
Instruction Fuzzy Hash: DCF08930204168AFDF049F45DC16EBA3B95EB04754F004015F9466B1A2CB759960DBF0

Function 00DF189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00DF1B04,?,?,?,?,?), ref: 00DF18E2

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 5dbb741d2b58943ad0f13a6d52ce1f560c99d4e2084bfac18e8b6442107e463d
Instruction ID: 256c3290828eb01f24e18d50bf03f860a13ab51355091da2d0437ac93fc66903
Opcode Fuzzy Hash: 5dbb741d2b58943ad0f13a6d52ce1f560c99d4e2084bfac18e8b6442107e463d
Instruction Fuzzy Hash: 8EF08274600229EFDB18DF19D85197637E2FB54350F11862AFA525B2A1CB35DC50DB60

Function 00E641FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00E64218

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f294f183852902ee8ab388be98aeee64b01ec39103a87add66f7f2cd97673753
Instruction ID: fdd07f48544c6827b3bf9500863608e04aa321db30aeaa21059adf081f222c6a
Opcode Fuzzy Hash: f294f183852902ee8ab388be98aeee64b01ec39103a87add66f7f2cd97673753
Instruction Fuzzy Hash: A4E048712801145FC710DF59E454A9AF7E8EF547A0F11C015FE49D7361DA70E8408BF0

Function 00E7CBAE Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00E7CBEE

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 5462e61a1161bfcbc2bde19043946edb1dcf7e0df25f163798258bba69c156a4
Instruction ID: c2a73e9b78dbde7590586a3f05dc93e7dd39e811ee3403e53a4036e63c41ed74
Opcode Fuzzy Hash: 5462e61a1161bfcbc2bde19043946edb1dcf7e0df25f163798258bba69c156a4
Instruction Fuzzy Hash: 47F06D31240294BFDB21DF58DC06FC63BA5EB09724F148419FA15372E1CB707820D7A0

Function 00E54EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00E54F18

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: d05ee225935c1fc5f831614e7f6e1be3f2fe242e29f7abad43721e179f3742b4
Instruction ID: 7644f6bebf929f19993f978ad9efd56265367518b9a8bf09436fcaa6475bddaa
Opcode Fuzzy Hash: d05ee225935c1fc5f831614e7f6e1be3f2fe242e29f7abad43721e179f3742b4
Instruction Fuzzy Hash: 42D067E426460579E8198B28AC1BBB61109A34079FF947D89BA0AB94C198A568D8A035

Function 00E48C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E488D1), ref: 00E48CB3

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 211a6dfff3a2843ded0ee23b2cfe423bdc453a0eb63b2a5b8cf730a672356f5f
Instruction ID: 4ccc3d2c25a583f029537164ceda7dba79420763dfa3ced8ab34ab7d373a9730
Opcode Fuzzy Hash: 211a6dfff3a2843ded0ee23b2cfe423bdc453a0eb63b2a5b8cf730a672356f5f
Instruction Fuzzy Hash: 26D05E3226450EAFEF018EA4DC01EAE3B69EB04B01F408111FE15D61A1C775D835AB60

Function 00E7CBF9 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00E2BC0C,?,?,?,?,?,?), ref: 00E7CC24

Part of subcall function 00E7B8EF: _memset.LIBCMT ref: 00E7B8FE
Part of subcall function 00E7B8EF: _memset.LIBCMT ref: 00E7B90D
Part of subcall function 00E7B8EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00EB7F20,00EB7F64), ref: 00E7B93C
Part of subcall function 00E7B8EF: CloseHandle.KERNEL32 ref: 00E7B94E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 9757f63594e329d2d19ce0644a7878ff7638f2284df8ca22b556f6732cf73f92
Instruction ID: 90bd75d1414666198ce8a75f2e13db139c3cf9566e237040819db8a1d2d45636
Opcode Fuzzy Hash: 9757f63594e329d2d19ce0644a7878ff7638f2284df8ca22b556f6732cf73f92
Instruction Fuzzy Hash: DFE01231100208DFCB02AF05ED01E8677AAFB0C310F008065FA09672B2CB31A960EF50

Function 00DF167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00DF1AEE,?,?,?), ref: 00DF16AB

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: e3aaeedd2a2aa09712a6691873e2733fb257f4fe7c171f81cd1bb0cc52860908
Instruction ID: 58b419548bea6b12c3d61af1dfa4dcaa18ae01569b040ae43f3dc4f49afdda18
Opcode Fuzzy Hash: e3aaeedd2a2aa09712a6691873e2733fb257f4fe7c171f81cd1bb0cc52860908
Instruction Fuzzy Hash: ADE0EC35100208BFCF05AF91DC52E753B26FB49714F108428FA455A2A1CE36A921DB60

Function 00E7CB7F Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 00E7CBA4

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: c9f3738cdaf64895446ddb675bf0f00e855fd7328d54be21547bb0144c6eec16
Instruction ID: c210d8b1ebeddb4bf54cc6434583ec9d8b002eaaeb0881aade15155f6a04f587
Opcode Fuzzy Hash: c9f3738cdaf64895446ddb675bf0f00e855fd7328d54be21547bb0144c6eec16
Instruction Fuzzy Hash: 20E0E235200248EFCB01DF88E845D863BA5AB1D300F004064FA0557262CB71A864EBA1

Function 00E7CB50 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 00E7CB75

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: fd2af482ebb8e9a73ef8fc3d2a64a53be25a5439862e4886e5273d840f789c50
Instruction ID: 87fcae62170e0c1a8c3e2ff0d515786613265dce09ff6ea84a0cd8ccea0c272d
Opcode Fuzzy Hash: fd2af482ebb8e9a73ef8fc3d2a64a53be25a5439862e4886e5273d840f789c50
Instruction Fuzzy Hash: D9E04275244249AFDB01DF89E885E963BA5AB1D700F014064FA1557262CB71A864EB61

Function 00DF16B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

Part of subcall function 00DF201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00DF20D3
Part of subcall function 00DF201B: KillTimer.USER32(-00000001,?,?,?,?,00DF16CB,00000000,?,?,00DF1AE2,?,?), ref: 00DF216E

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00DF1AE2,?,?), ref: 00DF16D4

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 8134c70acb7c2701a9a408f2ee2c5e68f7cfc1199233378bd6d0330ea3283697
Instruction ID: 44b65a45231e5be21480d481151f1632dd60448606f2d0fb8adb5bde77139d81
Opcode Fuzzy Hash: 8134c70acb7c2701a9a408f2ee2c5e68f7cfc1199233378bd6d0330ea3283697
Instruction Fuzzy Hash: 5CD0123114031C7BDA102B51DC27F6A3A19DB54B50F40C021FB04791D3CE716850A578

Function 00E32230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00E32242

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 03abace20e0711de3fc4265c349d25d15f744f00e356fbb840730892977b3490
Instruction ID: fa05e9b7b82977341442eb7a4fc6417ea96bc8335b1b9a0df0351a68919f9ba7
Opcode Fuzzy Hash: 03abace20e0711de3fc4265c349d25d15f744f00e356fbb840730892977b3490
Instruction Fuzzy Hash: 49C04CF1C00109DBDB05DB90D98CDEEB7BCAB04314F104095E105F2100D7749B44CA71

Function 00E1A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E1A36A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8ad340350021ef55d85e36ee78e5749d9ca5935b17270224835f657282330522
Instruction ID: 9f2d83c7022a8c597f7d661a98f332cf040440408f8bbf0bd5a70c31ab797423
Opcode Fuzzy Hash: 8ad340350021ef55d85e36ee78e5749d9ca5935b17270224835f657282330522
Instruction Fuzzy Hash: C5A0113000020CBB8A00AB82EC08888BFACEB002A8B008020F80C800228B32A8A08A80

Function 00E08A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f426eab1696202fd9053e8292a7a5873f7739d1e1f5b2f18e9bbf08a50a04330
Instruction ID: c33b1c46e222525846463fab47846d75bab07d896a65e5f2d00dfb38b43c640d
Opcode Fuzzy Hash: f426eab1696202fd9053e8292a7a5873f7739d1e1f5b2f18e9bbf08a50a04330
Instruction Fuzzy Hash: E3220631A01615CBEF288B14D5D46BDB7B1EB46308F28647AD8C2BB6D2DB349DC1CB61

Function 00E12405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 19407bcf846f6db352e549893d89de56c6b7dfecd5b44bcb36d82249947063d0
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: C3C106322050930ADF2D4639C8305BEFAE15EA27B535A279DE5B3EB0C4EF20D5B5D620

Function 00E1283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: a23daf208af1ac002f6c4474e5b0d97f0ae991342853e5f445737507ce0c82fb
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 70C1D73220509309DF2D463988345BEFBE15EA27B535A279DE5B2EB4C4EF20D5B4D620

Function 00E737F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00E7F910), ref: 00E738AF
IsWindowVisible.USER32(?), ref: 00E738D3

Strings

TABLEFT, xrefs: 00E7390F
EDITPASTE, xrefs: 00E73BE7
ISVISIBLE, xrefs: 00E738BF
DELSTRING, xrefs: 00E739D1
GETLINE, xrefs: 00E73C23
ISENABLED, xrefs: 00E738F3
HIDEDROPDOWN, xrefs: 00E73988
SENDCOMMANDID, xrefs: 00E73C62
GETCURRENTLINE, xrefs: 00E73B75
CURRENTTAB, xrefs: 00E73945
CHECK, xrefs: 00E73AF5
TABRIGHT, xrefs: 00E73925
FINDSTRING, xrefs: 00E739FE
UNCHECK, xrefs: 00E73B0B
ADDSTRING, xrefs: 00E7399E
SETCURRENTSELECTION, xrefs: 00E73A3E
GETSELECTED, xrefs: 00E73B2B
ISCHECKED, xrefs: 00E73AC1
GETLINECOUNT, xrefs: 00E73B4E
GETCURRENTSELECTION, xrefs: 00E73A6B
SHOWDROPDOWN, xrefs: 00E73968
GETCURRENTCOL, xrefs: 00E73BB0
SELECTSTRING, xrefs: 00E73A8E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 7ddf32aad123a977a3b3d4ad4a8f4b5616d9e79571a4ce9a687996f1ec14c43c
Instruction ID: f6c0c8b40f9867460688e5b929a343457e9c8686e058a5fd3797055e56263ba4
Opcode Fuzzy Hash: 7ddf32aad123a977a3b3d4ad4a8f4b5616d9e79571a4ce9a687996f1ec14c43c
Instruction Fuzzy Hash: 7FD18530204305DBCB54EF20D451AAAB7E1EF95344F12A458F88A7B3A3DB71EE4ADB51

Function 00E7A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00E7A89F
GetSysColorBrush.USER32(0000000F), ref: 00E7A8D0
GetSysColor.USER32(0000000F), ref: 00E7A8DC
SetBkColor.GDI32(?,000000FF), ref: 00E7A8F6
SelectObject.GDI32(?,?), ref: 00E7A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00E7A930
GetSysColor.USER32(00000010), ref: 00E7A938
CreateSolidBrush.GDI32(00000000), ref: 00E7A93F
FrameRect.USER32(?,?,00000000), ref: 00E7A94E
DeleteObject.GDI32(00000000), ref: 00E7A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00E7A9A0
FillRect.USER32(?,?,?), ref: 00E7A9D2
GetWindowLongW.USER32(?,000000F0), ref: 00E7A9FD

Part of subcall function 00E7AB60: GetSysColor.USER32(00000012), ref: 00E7AB99
Part of subcall function 00E7AB60: SetTextColor.GDI32(?,?), ref: 00E7AB9D
Part of subcall function 00E7AB60: GetSysColorBrush.USER32(0000000F), ref: 00E7ABB3
Part of subcall function 00E7AB60: GetSysColor.USER32(0000000F), ref: 00E7ABBE
Part of subcall function 00E7AB60: GetSysColor.USER32(00000011), ref: 00E7ABDB
Part of subcall function 00E7AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E7ABE9
Part of subcall function 00E7AB60: SelectObject.GDI32(?,00000000), ref: 00E7ABFA
Part of subcall function 00E7AB60: SetBkColor.GDI32(?,00000000), ref: 00E7AC03
Part of subcall function 00E7AB60: SelectObject.GDI32(?,?), ref: 00E7AC10
Part of subcall function 00E7AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00E7AC2F
Part of subcall function 00E7AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E7AC46
Part of subcall function 00E7AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00E7AC5B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: cf78296a126bdd210848cef1e039ea9ab21480e6e9ce193d22f9bc2470ace5e6
Instruction ID: fc20ac6ea695ccefeb5194730c07e2b9d952d62e172221c4eeabdc3d3183770b
Opcode Fuzzy Hash: cf78296a126bdd210848cef1e039ea9ab21480e6e9ce193d22f9bc2470ace5e6
Instruction Fuzzy Hash: AFA19072008301AFD710DF65DC08E6F7BA9FF88325F145A29F96AA61E1D730D889CB52

Function 00E677BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00E677F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E678B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00E678EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00E67900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00E67946
GetClientRect.USER32(00000000,?), ref: 00E67952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00E67996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E679A5
GetStockObject.GDI32(00000011), ref: 00E679B5
SelectObject.GDI32(00000000,00000000), ref: 00E679B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00E679C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E679D2
DeleteDC.GDI32(00000000), ref: 00E679DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E67A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00E67A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00E67A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E67A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00E67A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00E67AAE
GetStockObject.GDI32(00000011), ref: 00E67AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E67AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00E67ACE

Strings

msctls_progress32, xrefs: 00E67A4F
AutoIt v3, xrefs: 00E6793E
DISPLAY, xrefs: 00E6799B
static, xrefs: 00E67990, 00E67AA8

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 2f5cfe7c975afc5a8d26d344aa2d695504dd5ee2cc5a66d45dae03dea1107874
Instruction ID: 2cca897b3cef091b365aba0c7a9138eeb71eab0cb026d05245c960759d9a5c34
Opcode Fuzzy Hash: 2f5cfe7c975afc5a8d26d344aa2d695504dd5ee2cc5a66d45dae03dea1107874
Instruction Fuzzy Hash: B3A17E71A40219BFEB14DBA5DC4AFABBBB9EB44714F008214FA14B72E0D774AD44CB60

Function 00E5AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E5AF89
GetDriveTypeW.KERNEL32(?,00E7FAC0,?,\\.\,00E7F910), ref: 00E5B066
SetErrorMode.KERNEL32(00000000,00E7FAC0,?,\\.\,00E7F910), ref: 00E5B1C4

Strings

Virtual, xrefs: 00E5B18C
Fixed, xrefs: 00E5B0AE
FileBackedVirtual, xrefs: 00E5B193
ATAPI, xrefs: 00E5B138
Unknown, xrefs: 00E5B086, 00E5B12A
RAID, xrefs: 00E5B162
SSD, xrefs: 00E5B0F1
Fibre, xrefs: 00E5B154
CDROM, xrefs: 00E5B09A
RAMDisk, xrefs: 00E5B090
\\.\, xrefs: 00E5AFDB
1394, xrefs: 00E5B146
USB, xrefs: 00E5B15B
SCSI, xrefs: 00E5B131
SAS, xrefs: 00E5B170
ATA, xrefs: 00E5B13F
Network, xrefs: 00E5B0A4
SATA, xrefs: 00E5B177
MMC, xrefs: 00E5B185
SSA, xrefs: 00E5B14D
Removable, xrefs: 00E5B0B8
PhysicalDrive, xrefs: 00E5B012
iSCSI, xrefs: 00E5B169

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 82fbb678400e6a0942f4e19bf66ac73e7ff326ea1e0ac8cb261616321e3c3c03
Instruction ID: 5b5149b183a0885d2dde94f2633c1930e8811903d2edff51cf2a29a2dfc4f6ee
Opcode Fuzzy Hash: 82fbb678400e6a0942f4e19bf66ac73e7ff326ea1e0ac8cb261616321e3c3c03
Instruction Fuzzy Hash: C351E930645705DB8B40DB10CA629FE73B0EB19347724A826FD0ABB1D0CB35AD49DB62

Function 00DF6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00DF6A91
__wcsnicmp.LIBCMT ref: 00DF6AA9
__wcsnicmp.LIBCMT ref: 00DF6AC1
__wcsnicmp.LIBCMT ref: 00DF6AD9
__wcsnicmp.LIBCMT ref: 00DF6AF1
__wcsnicmp.LIBCMT ref: 00DF6B09
__wcsnicmp.LIBCMT ref: 00DF6B21
__wcsnicmp.LIBCMT ref: 00DF6B35
__wcsnicmp.LIBCMT ref: 00DF6B76
__wcsnicmp.LIBCMT ref: 00DF6B8A
__wcsnicmp.LIBCMT ref: 00DF6B9E
__wcsnicmp.LIBCMT ref: 00DF6BB2

Strings

#pragma compile, xrefs: 00DF6A8B
#OnAutoItStartRegister, xrefs: 00DF6AD3
Cannot parse #include, xrefs: 00E2E819
Bad directive syntax error, xrefs: 00E2E743
#comments-start, xrefs: 00DF6B1B, 00DF6B70
#cs, xrefs: 00DF6B2F, 00DF6B84
Unterminated group of comments, xrefs: 00E2E82C
#ce, xrefs: 00DF6BAC
#notrayicon, xrefs: 00DF6AA3
#include-once, xrefs: 00DF6AEB
#requireadmin, xrefs: 00DF6ABB
#include, xrefs: 00DF6B03
#comments-end, xrefs: 00DF6B98

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 0e1b3131d2e60ca2bcf5a9a07fc48c5942eb013744554ba2bcdcaa9945529d76
Instruction ID: f1f6e903931bdd9ce239672b40fbebb1a2f2e5421742f363de64dfb3b4ee6508
Opcode Fuzzy Hash: 0e1b3131d2e60ca2bcf5a9a07fc48c5942eb013744554ba2bcdcaa9945529d76
Instruction Fuzzy Hash: 9D811A70600329AACB24AF60DD92FFE77A8EF15700F099025FB45BA582EB60DA55C271

Function 00DF2C18 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00DF2CA2
DeleteObject.GDI32(00000000), ref: 00DF2CE8
DeleteObject.GDI32(00000000), ref: 00DF2CF3
DestroyCursor.USER32(00000000), ref: 00DF2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00DF2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00E2C68B
6F560200.COMCTL32(?,000000FF,?), ref: 00E2C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E2CAED

Part of subcall function 00DF1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DF2036,?,00000000,?,?,?,?,00DF16CB,00000000,?), ref: 00DF1B9A

SendMessageW.USER32(?,00001053), ref: 00E2CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E2CB41

Strings

0, xrefs: 00E2C981

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$CursorF560200InvalidateMoveRect
String ID: 0
API String ID: 3972741187-4108050209
Opcode ID: 80c5177a55c938f55d019785e6199059d0995a0e230f729808144dc04427db63
Instruction ID: 29cff18eb118a9d1a05473c169f978fcec16e4f86669cec5aa7736266ea0b441
Opcode Fuzzy Hash: 80c5177a55c938f55d019785e6199059d0995a0e230f729808144dc04427db63
Instruction Fuzzy Hash: 47129C30600215AFDB24CF24D884BBDB7E5BF44304F659569E99AEB262C731EC81CFA1

Function 00E7AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00E7AB99
SetTextColor.GDI32(?,?), ref: 00E7AB9D
GetSysColorBrush.USER32(0000000F), ref: 00E7ABB3
GetSysColor.USER32(0000000F), ref: 00E7ABBE
CreateSolidBrush.GDI32(?), ref: 00E7ABC3
GetSysColor.USER32(00000011), ref: 00E7ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E7ABE9
SelectObject.GDI32(?,00000000), ref: 00E7ABFA
SetBkColor.GDI32(?,00000000), ref: 00E7AC03
SelectObject.GDI32(?,?), ref: 00E7AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00E7AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E7AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00E7AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E7ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E7ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00E7ACEC
DrawFocusRect.USER32(?,?), ref: 00E7ACF7
GetSysColor.USER32(00000011), ref: 00E7AD05
SetTextColor.GDI32(?,00000000), ref: 00E7AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E7AD21
SelectObject.GDI32(?,00E7A869), ref: 00E7AD38
DeleteObject.GDI32(?), ref: 00E7AD43
SelectObject.GDI32(?,?), ref: 00E7AD49
DeleteObject.GDI32(?), ref: 00E7AD4E
SetTextColor.GDI32(?,?), ref: 00E7AD54
SetBkColor.GDI32(?,?), ref: 00E7AD5E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 8d8dba02357aa68dc26dcf30c1243dea7f0ca3eca2cfcc62c51d88b42ef7c456
Instruction ID: 359f018706656446009689ef5551cb2182d16f7361c720bb466f8840be8e6b47
Opcode Fuzzy Hash: 8d8dba02357aa68dc26dcf30c1243dea7f0ca3eca2cfcc62c51d88b42ef7c456
Instruction Fuzzy Hash: E0614B71901218FFDF11DFA5DC48AAEBBB9FB48320F148125F919BB2A1D6719D80DB90

Function 00E78C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E78D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E78D45
CharNextW.USER32(0000014E), ref: 00E78D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E78DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E78DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E78DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E78DF9
SetWindowTextW.USER32(?,0000014E), ref: 00E78E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E78E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E78E8C
_memset.LIBCMT ref: 00E78EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E78EFA
_memset.LIBCMT ref: 00E78F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E78F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00E78FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00E79088
InvalidateRect.USER32(?,00000000,00000001), ref: 00E790AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E790F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E79121
DrawMenuBar.USER32(?), ref: 00E79130
SetWindowTextW.USER32(?,0000014E), ref: 00E79158

Strings

0, xrefs: 00E790C2

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: e1abef08b96663ca2631e880e6b6fff0102871b568b50f66623e0fc7c1d7e012
Instruction ID: 7d46272afb74177d15b03d809b82fc9bc0259d4f3bd8fe27b67cffca4fab9792
Opcode Fuzzy Hash: e1abef08b96663ca2631e880e6b6fff0102871b568b50f66623e0fc7c1d7e012
Instruction Fuzzy Hash: 86E1AF70901209AFDF20DF61CC88AEE7BB9EF14714F109156FA19BA291DB708A85CF60

Function 00E74B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E74C51
GetDesktopWindow.USER32 ref: 00E74C66
GetWindowRect.USER32(00000000), ref: 00E74C6D
GetWindowLongW.USER32(?,000000F0), ref: 00E74CCF
DestroyWindow.USER32(?), ref: 00E74CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E74D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E74D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E74D68
SendMessageW.USER32(?,00000421,?,?), ref: 00E74D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E74D90
IsWindowVisible.USER32(?), ref: 00E74DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E74DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E74DDF
GetWindowRect.USER32(?,?), ref: 00E74DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00E74E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00E74E37
CopyRect.USER32(?,?), ref: 00E74E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00E74EB9

Strings

(, xrefs: 00E74E2A
tooltips_class32, xrefs: 00E74D1D
0, xrefs: 00E74BFC

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 58b4f19c800c35506e02243cd8312a3507c9e021e2a28237ed7ef4ff65f97822
Instruction ID: 8fd5372d34bf75d84d034196964f1c8b060e05fe14d546926f2a16dc191ed1c8
Opcode Fuzzy Hash: 58b4f19c800c35506e02243cd8312a3507c9e021e2a28237ed7ef4ff65f97822
Instruction Fuzzy Hash: CEB148B1604341AFDB04DF65C844B6ABBE4FF88714F00891DF599AB2A1D771EC44CBA1

Function 00DF27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DF28BC
GetSystemMetrics.USER32(00000007), ref: 00DF28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DF28EF
GetSystemMetrics.USER32(00000008), ref: 00DF28F7
GetSystemMetrics.USER32(00000004), ref: 00DF291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00DF2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00DF2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00DF297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00DF2990
GetClientRect.USER32(00000000,000000FF), ref: 00DF29AE
GetStockObject.GDI32(00000011), ref: 00DF29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00DF29D5

Part of subcall function 00DF2344: GetCursorPos.USER32(?), ref: 00DF2357
Part of subcall function 00DF2344: ScreenToClient.USER32(00EB67B0,?), ref: 00DF2374
Part of subcall function 00DF2344: GetAsyncKeyState.USER32(00000001), ref: 00DF2399
Part of subcall function 00DF2344: GetAsyncKeyState.USER32(00000002), ref: 00DF23A7

SetTimer.USER32(00000000,00000000,00000028,00DF1256), ref: 00DF29FC

Strings

AutoIt v3 GUI, xrefs: 00DF2974

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4e906b5e2e5b9b7296c485e841b3d14e2cdf8dd1840c1009b47943227e2f0e21
Instruction ID: 3c4424c64281d302199b29de0377e139a678291c1dc8593d1e2696924c04966b
Opcode Fuzzy Hash: 4e906b5e2e5b9b7296c485e841b3d14e2cdf8dd1840c1009b47943227e2f0e21
Instruction Fuzzy Hash: 1FB18C71A0021AEFDB14DFA9DC45BBE7BB5FB08314F118229FA15A7290CB74D840CB60

Function 00E546D6 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00E5473C
_wcscmp.LIBCMT ref: 00E54747
_wcscat.LIBCMT ref: 00E5475D
_wcsstr.LIBCMT ref: 00E54768
74D31560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E54784
_wcscat.LIBCMT ref: 00E547CD
_wcscat.LIBCMT ref: 00E547D4
_wcsncpy.LIBCMT ref: 00E547FF

Strings

StringFileInfo\, xrefs: 00E54757
04090000, xrefs: 00E547BA
\VarFileInfo\Translation, xrefs: 00E5477C
%u.%u.%u.%u, xrefs: 00E54862
DefaultLangCodepage, xrefs: 00E547E7

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _wcscat$D31560_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 390803403-1459072770
Opcode ID: aa9a992630b6152d4e59343844e8fcf090032b4c8b48ee9204af60398ea36d26
Instruction ID: a44baa264f0af3a12fcb737dfda5051656999e724b5835f583696132a69e4f0b
Opcode Fuzzy Hash: aa9a992630b6152d4e59343844e8fcf090032b4c8b48ee9204af60398ea36d26
Instruction Fuzzy Hash: DB41E372A043007ADB14A7748C43EFF77ECDF4A710F04646AF908B61C2EB71AA9596A5

Function 00E74069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E740F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00E741B6

Strings

GETITEMCOUNT, xrefs: 00E74128
VIEWCHANGE, xrefs: 00E74375
FINDITEM, xrefs: 00E74329
DESELECT, xrefs: 00E742A4
SELECTINVERT, xrefs: 00E74286
SELECTCLEAR, xrefs: 00E74235
GETSUBITEMCOUNT, xrefs: 00E74141
GETSELECTEDCOUNT, xrefs: 00E74199
SELECT, xrefs: 00E74250
GETSELECTED, xrefs: 00E742E4
ISSELECTED, xrefs: 00E741C1
GETTEXT, xrefs: 00E7415F
SELECTALL, xrefs: 00E7421D

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: bfe65f476115e13f8d0955b4fc002449e8320a6bd3066dcc8ebe953119aade6e
Instruction ID: 45de97f3574e97cbcbf9dab70c21a20cd6605f6c3f2cf23c906788a5d61cee22
Opcode Fuzzy Hash: bfe65f476115e13f8d0955b4fc002449e8320a6bd3066dcc8ebe953119aade6e
Instruction Fuzzy Hash: E0A1A1706142059BCB14EF20C851ABAB7E5FF85314F11A968B99ABB2D2DB30EC45CB61

Function 00E652F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00E65309
LoadCursorW.USER32(00000000,00007F8A), ref: 00E65314
LoadCursorW.USER32(00000000,00007F00), ref: 00E6531F
LoadCursorW.USER32(00000000,00007F03), ref: 00E6532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00E65335
LoadCursorW.USER32(00000000,00007F01), ref: 00E65340
LoadCursorW.USER32(00000000,00007F81), ref: 00E6534B
LoadCursorW.USER32(00000000,00007F88), ref: 00E65356
LoadCursorW.USER32(00000000,00007F80), ref: 00E65361
LoadCursorW.USER32(00000000,00007F86), ref: 00E6536C
LoadCursorW.USER32(00000000,00007F83), ref: 00E65377
LoadCursorW.USER32(00000000,00007F85), ref: 00E65382
LoadCursorW.USER32(00000000,00007F82), ref: 00E6538D
LoadCursorW.USER32(00000000,00007F84), ref: 00E65398
LoadCursorW.USER32(00000000,00007F04), ref: 00E653A3
LoadCursorW.USER32(00000000,00007F02), ref: 00E653AE
GetCursorInfo.USER32(?), ref: 00E653BE
GetLastError.KERNEL32(00000001,00000000), ref: 00E653E9

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 6b35c0c8dfc6bb3248544aea2ce2fd38fa5c4e46e8e9949db11dd0b954939dd8
Instruction ID: a5a38e1f9161f7fa1a3eaa43a74d0cc05cfeb0243e742c3ee80528958021dffc
Opcode Fuzzy Hash: 6b35c0c8dfc6bb3248544aea2ce2fd38fa5c4e46e8e9949db11dd0b954939dd8
Instruction Fuzzy Hash: F4419270E443196ADB109FBA9C4996FFFF8EF41B50F10452FE519E7290DAB8A400CE61

Function 00E4AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00E4AAA5
__swprintf.LIBCMT ref: 00E4AB46
_wcscmp.LIBCMT ref: 00E4AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E4ABAE
_wcscmp.LIBCMT ref: 00E4ABEA
GetClassNameW.USER32(?,?,00000400), ref: 00E4AC21
GetDlgCtrlID.USER32(?), ref: 00E4AC73
GetWindowRect.USER32(?,?), ref: 00E4ACA9
GetParent.USER32(?), ref: 00E4ACC7
ScreenToClient.USER32(00000000), ref: 00E4ACCE
GetClassNameW.USER32(?,?,00000100), ref: 00E4AD48
_wcscmp.LIBCMT ref: 00E4AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00E4AD82
_wcscmp.LIBCMT ref: 00E4AD96

Part of subcall function 00E1386C: _iswctype.LIBCMT ref: 00E13874

Strings

%s%u, xrefs: 00E4AB40

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: db736cfbaed6152b82446a5066c966fa8e9a594c48e3efba51039563cb3cf3de
Instruction ID: 2abe8ddd1e78fc092c5803ffd3f604b53910e62d78ec5432d3f7f10f5360235f
Opcode Fuzzy Hash: db736cfbaed6152b82446a5066c966fa8e9a594c48e3efba51039563cb3cf3de
Instruction Fuzzy Hash: 70A1E171644206AFD718DF60D884BEAF7E8FF04329F085639F999E2190D730E945CB92

Function 00E4B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00E4B3DB
_wcscmp.LIBCMT ref: 00E4B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00E4B414
CharUpperBuffW.USER32(?,00000000), ref: 00E4B431
_wcscmp.LIBCMT ref: 00E4B44F
_wcsstr.LIBCMT ref: 00E4B460
GetClassNameW.USER32(00000018,?,00000400), ref: 00E4B498
_wcscmp.LIBCMT ref: 00E4B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00E4B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00E4B518
_wcscmp.LIBCMT ref: 00E4B528
GetClassNameW.USER32(00000010,?,00000400), ref: 00E4B550
GetWindowRect.USER32(00000004,?), ref: 00E4B5B9

Strings

@, xrefs: 00E4B3BC
ThumbnailClass, xrefs: 00E4B4A3, 00E4B523

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: b276c3cbf3c0d51a160b89b1052b123680d7f9f29a829c88ebc3dcf96fe381a7
Instruction ID: bcf505c981a01c8046c9f4d1ba5cc9ae4af8233941ac456b6a0f60c6b8a83d1e
Opcode Fuzzy Hash: b276c3cbf3c0d51a160b89b1052b123680d7f9f29a829c88ebc3dcf96fe381a7
Instruction Fuzzy Hash: B281C7710083059FDB04DF15E885FAAB7E8FF44318F04A56AFD85AA096DB34DD89CBA1

Function 00E4B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00E4B23F

Strings

[HANDLE:, xrefs: 00E4B24B
CLASSNAME=, xrefs: 00E4B27C
REGEXP=, xrefs: 00E4B254
HANDLE=, xrefs: 00E4B238
[ALL, xrefs: 00E4B2E5
[ACTIVE, xrefs: 00E4B22C
[LAST, xrefs: 00E4B2EC
ALL, xrefs: 00E4B2D3
[REGEXPTITLE:, xrefs: 00E4B267
[CLASS:, xrefs: 00E4B28F
LAST, xrefs: 00E4B204
ACTIVE, xrefs: 00E4B21A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 6b778e478d9bd815bd64843110a3f997394d209b404d63dd1591c0b74b6e6e69
Instruction ID: cad4000429b91c96671ca03db9d03a0c01329fe0d8d5e724c703f5219444afc6
Opcode Fuzzy Hash: 6b778e478d9bd815bd64843110a3f997394d209b404d63dd1591c0b74b6e6e69
Instruction Fuzzy Hash: 4631AF31A44309A6DB14FE60ED43EFE77A89F29750F606029F501790E2EFA1BE04C675

Function 00E4C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00E4C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E4C4E6
SetWindowTextW.USER32(?,?), ref: 00E4C4FD
GetDlgItem.USER32(?,000003EA), ref: 00E4C512
SetWindowTextW.USER32(00000000,?), ref: 00E4C518
GetDlgItem.USER32(?,000003E9), ref: 00E4C528
SetWindowTextW.USER32(00000000,?), ref: 00E4C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E4C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E4C569
GetWindowRect.USER32(?,?), ref: 00E4C572
SetWindowTextW.USER32(?,?), ref: 00E4C5DD
GetDesktopWindow.USER32 ref: 00E4C5E3
GetWindowRect.USER32(00000000), ref: 00E4C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00E4C636
GetClientRect.USER32(?,?), ref: 00E4C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00E4C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E4C693

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 7c4c1a4a3ee0f2d798e4b65f5ff47770c4b9a2d10812e6cbcc5b654be1d92560
Instruction ID: 58974f29f89f31197522713a2f8977d412ef66d1df8882f93be1e26bc7c03b4b
Opcode Fuzzy Hash: 7c4c1a4a3ee0f2d798e4b65f5ff47770c4b9a2d10812e6cbcc5b654be1d92560
Instruction Fuzzy Hash: E2515C70900709AFDB20DFA9DE89B6EBBF5FF04709F104929E686B35A0D774A944CB50

Function 00E7A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E7A4C8
DestroyWindow.USER32(?,?), ref: 00E7A542

Part of subcall function 00DF7D2C: _memmove.LIBCMT ref: 00DF7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E7A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E7A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E7A5F1
DestroyWindow.USER32(00000000), ref: 00E7A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00DF0000,00000000), ref: 00E7A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E7A663
GetDesktopWindow.USER32 ref: 00E7A67C
GetWindowRect.USER32(00000000), ref: 00E7A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E7A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E7A6B3

Part of subcall function 00DF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DF25EC

Strings

tooltips_class32, xrefs: 00E7A5B5, 00E7A643
0, xrefs: 00E7A4DE

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 680c5460dce900a5e072d9a5150158f1c23568684bd3e194bf92a4a4e4058664
Instruction ID: 8e3929fd82752b8fb4019675d9286b9b9c307ff7528a20c5b603370f9c8a1650
Opcode Fuzzy Hash: 680c5460dce900a5e072d9a5150158f1c23568684bd3e194bf92a4a4e4058664
Instruction Fuzzy Hash: 0D71C071140205AFD725CF68CC45FAB7BE5FB88704F18852DF989A72A0C774E946CB62

Function 00E74619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E746AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E746F6

Strings

GETITEMCOUNT, xrefs: 00E747D8
GETSELECTED, xrefs: 00E74806
COLLAPSE, xrefs: 00E7473C
ISCHECKED, xrefs: 00E74879
GETTOTALCOUNT, xrefs: 00E746DD
CHECK, xrefs: 00E74716
GETTEXT, xrefs: 00E74849
UNCHECK, xrefs: 00E748D2
EXISTS, xrefs: 00E7475F
EXPAND, xrefs: 00E747A8
SELECT, xrefs: 00E748A7

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 8ad59de78048a1eecac865b88343c1f8d24c7e10ec7dc556a73d84acfa94de87
Instruction ID: 2e68a9d1dc8f9274b8b1191dcd2fb416bae1b19f10ba8aba84fc797296a46c26
Opcode Fuzzy Hash: 8ad59de78048a1eecac865b88343c1f8d24c7e10ec7dc556a73d84acfa94de87
Instruction Fuzzy Hash: 349190746043059FCB14EF20C451AAAB7E1EF85314F06A46CF99A7B3A2DB70ED4ACB51

Function 00E7BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E7BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E79431), ref: 00E7BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E7BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E7BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E7BC7D
FreeLibrary.KERNEL32(?), ref: 00E7BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E7BC99
DestroyCursor.USER32(?), ref: 00E7BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E7BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E7BCD1

Part of subcall function 00E1313D: __wcsicmp_l.LIBCMT ref: 00E131C6

Strings

.dll, xrefs: 00E7BB27
.icl, xrefs: 00E7BAE4
.exe, xrefs: 00E7BB04

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: 353ad5dbd169cb8b306cd0ff0d250cc867ffff5d0491adfac4dfed0c43774c54
Instruction ID: b7e3e820271b22b8e336073008b56ce2070ebf0025665dcd929b16aee4ee569d
Opcode Fuzzy Hash: 353ad5dbd169cb8b306cd0ff0d250cc867ffff5d0491adfac4dfed0c43774c54
Instruction Fuzzy Hash: 3D61E071A00218BEEB14DF65CC46FFAB7A8EF08710F10911AFD19E60C0DB74A994CBA0

Function 00E5A0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00E7FB78), ref: 00E5A0FC

Part of subcall function 00DF7F41: _memmove.LIBCMT ref: 00DF7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00E5A11E
__swprintf.LIBCMT ref: 00E5A177
__swprintf.LIBCMT ref: 00E5A190
_wprintf.LIBCMT ref: 00E5A246
_wprintf.LIBCMT ref: 00E5A264

Strings

^ ERROR, xrefs: 00E5A1E8
Line %d (File "%s"):, xrefs: 00E5A171, 00E5A18A
"%s" (%d) : ==> %s:%s%s, xrefs: 00E5A241
"%s" (%d) : ==> %s:, xrefs: 00E5A25F
Error: , xrefs: 00E5A20E
%, xrefs: 00E5A0C9

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%
API String ID: 311963372-1048875529
Opcode ID: a55999159015cd0a7f156efba023c611dd62c85b79d58eda7b2e4abedf610d49
Instruction ID: 8ed9a2350483faa5a442294a8e2f818d95cbdecfc98605c15af4aa3308241020
Opcode Fuzzy Hash: a55999159015cd0a7f156efba023c611dd62c85b79d58eda7b2e4abedf610d49
Instruction Fuzzy Hash: 48514D71900209AADF15EBE0DD46EEEB7B9EF08300F149665F605720A2EB316F58CB71

Function 00E5A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00DF9997: __itow.LIBCMT ref: 00DF99C2
Part of subcall function 00DF9997: __swprintf.LIBCMT ref: 00DF9A0C

CharLowerBuffW.USER32(?,?), ref: 00E5A636
GetDriveTypeW.KERNEL32 ref: 00E5A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E5A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E5A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E5A730

Part of subcall function 00DF7D2C: _memmove.LIBCMT ref: 00DF7D66

Strings

type cdaudio alias cd wait, xrefs: 00E5A6AE
closed, xrefs: 00E5A64A, 00E5A653
close cd wait, xrefs: 00E5A71B
open , xrefs: 00E5A692
set cd door , xrefs: 00E5A6D1
close, xrefs: 00E5A63C
wait, xrefs: 00E5A6ED
open, xrefs: 00E5A65D

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: bffd962bae4ec6e65b823d5c428f795c2c33ee67316d702f1e811c646d0a2c91
Instruction ID: 8cb9a46949eb1caff33b5e8614efa327b3d653c878c531d8c8b529878d0e88ef
Opcode Fuzzy Hash: bffd962bae4ec6e65b823d5c428f795c2c33ee67316d702f1e811c646d0a2c91
Instruction Fuzzy Hash: FF514C711043099FC700EF20D8919AAB7F4FF88758F09996DF99667261DB31AE09CF62

Function 00E5A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E5A47A
__swprintf.LIBCMT ref: 00E5A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E5A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E5A4FE
_memset.LIBCMT ref: 00E5A51D
_wcsncpy.LIBCMT ref: 00E5A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E5A58E
CloseHandle.KERNEL32(00000000), ref: 00E5A599
RemoveDirectoryW.KERNEL32(?), ref: 00E5A5A2
CloseHandle.KERNEL32(00000000), ref: 00E5A5AC

Strings

\, xrefs: 00E5A4B2
\??\%s, xrefs: 00E5A496
:, xrefs: 00E5A4BD

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 6af2c2b17b848c45226192dfcd570c5eed7df5ab3a792921cc4e59d5968a8d33
Instruction ID: aff5645c011539dd7aa9adcea3d074dc1cca474aabd8ef166fd4d11ac86f8fd0
Opcode Fuzzy Hash: 6af2c2b17b848c45226192dfcd570c5eed7df5ab3a792921cc4e59d5968a8d33
Instruction Fuzzy Hash: 8631C3B1500209ABDB21DFA1DC48FEB37BCEF88706F1451B6F908E6160E77097888B25

Function 00E483F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E4874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E48766
Part of subcall function 00E4874A: GetLastError.KERNEL32(?,00E4822A,?,?,?), ref: 00E48770
Part of subcall function 00E4874A: GetProcessHeap.KERNEL32(00000008,?,?,00E4822A,?,?,?), ref: 00E4877F
Part of subcall function 00E4874A: RtlAllocateHeap.NTDLL(00000000,?,00E4822A), ref: 00E48786
Part of subcall function 00E4874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E4879D

Part of subcall function 00E487E7: GetProcessHeap.KERNEL32(00000008,00E48240,00000000,00000000,?,00E48240,?), ref: 00E487F3
Part of subcall function 00E487E7: RtlAllocateHeap.NTDLL(00000000,?,00E48240), ref: 00E487FA
Part of subcall function 00E487E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E48240,?), ref: 00E4880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E48458
_memset.LIBCMT ref: 00E4846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E4848C
GetLengthSid.ADVAPI32(?), ref: 00E4849D
GetAce.ADVAPI32(?,00000000,?), ref: 00E484DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E484F6
GetLengthSid.ADVAPI32(?), ref: 00E48513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E48522
RtlAllocateHeap.NTDLL(00000000), ref: 00E48529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E4854A
CopySid.ADVAPI32(00000000), ref: 00E48551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E48582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E485A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E485BC

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 41f011c1ca4c3f1694ab8e8615378e006cddd0733d07a28c36132c2ae619f04c
Instruction ID: 989e7cca3928a5df43ef0dfc8ad3ffa9eebcc1ddf76d2266078f3b5a6da1dea0
Opcode Fuzzy Hash: 41f011c1ca4c3f1694ab8e8615378e006cddd0733d07a28c36132c2ae619f04c
Instruction Fuzzy Hash: A061567190021AAFDF00DFA5ED44AEEBBB9FF04304F048169E815B7291DB349A45DF60

Function 00E6762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E676A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E676AE
CreateCompatibleDC.GDI32(?), ref: 00E676BA
SelectObject.GDI32(00000000,?), ref: 00E676C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E6771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00E67757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00E6777B
SelectObject.GDI32(00000006,?), ref: 00E67783
DeleteObject.GDI32(?), ref: 00E6778C
DeleteDC.GDI32(00000006), ref: 00E67793
ReleaseDC.USER32(00000000,?), ref: 00E6779E

Strings

(, xrefs: 00E67723

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a27f153f106ef0e4f61d7488b2f5d1cafab78375fff7b535c42f1c50df926fac
Instruction ID: fa255eb1e254b7078ddce2aff7a57e25a2815eef2e9ad68543eb1fd8015ad7f7
Opcode Fuzzy Hash: a27f153f106ef0e4f61d7488b2f5d1cafab78375fff7b535c42f1c50df926fac
Instruction Fuzzy Hash: 14516A75904209EFCB14CFA9DC84EAEBBB9FF48750F14842EF999A7210D731A844CB60

Function 00DF6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00E10B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00DF6C6C,?,00008000), ref: 00E10BB7

Part of subcall function 00DF48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DF48A1,?,?,00DF37C0,?), ref: 00DF48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00DF6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00DF6E5A

Part of subcall function 00DF59CD: _wcscpy.LIBCMT ref: 00DF5A05

Part of subcall function 00E1387D: _iswctype.LIBCMT ref: 00E13885

Strings

AU3!, xrefs: 00DF6CC1
EA06, xrefs: 00E2E87B
>>>AUTOIT SCRIPT<<<, xrefs: 00E2E8BF
Unterminated string, xrefs: 00E2EC0D
Error opening the file, xrefs: 00E2E866, 00E2E8E1
Bad directive syntax error, xrefs: 00E2EBC6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00E2E84A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 326ec814d45ea56b3f6256c54254180982b453357760c88be40edfedd41aeea2
Instruction ID: ec60e86c3b97d451388d72c1e0635f4b1091037b395c15cc05b05b23ada057b5
Opcode Fuzzy Hash: 326ec814d45ea56b3f6256c54254180982b453357760c88be40edfedd41aeea2
Instruction Fuzzy Hash: CC029D311083559FC724EF24D881AAFBBE5FF89314F04891DF696A72A1DB30D949CB62

Function 00DF45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DF45F9
GetMenuItemCount.USER32(00EB6890), ref: 00E2D7CD
GetMenuItemCount.USER32(00EB6890), ref: 00E2D87D
GetCursorPos.USER32(?), ref: 00E2D8C1
SetForegroundWindow.USER32(00000000), ref: 00E2D8CA
TrackPopupMenuEx.USER32(00EB6890,00000000,?,00000000,00000000,00000000), ref: 00E2D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E2D8E9

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: dd5f9a9ae7c1c0706398002ed3a9c6ffd8733a19b8534f0029e37af199b971bd
Instruction ID: 07c228a327b004197b736e211fb4c07158b1b60fdfe13521ec28d9c98520e54d
Opcode Fuzzy Hash: dd5f9a9ae7c1c0706398002ed3a9c6ffd8733a19b8534f0029e37af199b971bd
Instruction Fuzzy Hash: BA71E370604219BEFB248F55EC85FAABF64FF05368F204216FA18B61E0C7B59C54DBA0

Function 00E710A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E70038,?,?), ref: 00E710BC

Strings

HKU, xrefs: 00E711CE
HKLM, xrefs: 00E7113A
HKEY_CURRENT_CONFIG, xrefs: 00E71179
HKEY_USERS, xrefs: 00E711BD
HKEY_CLASSES_ROOT, xrefs: 00E7114F
HKCU, xrefs: 00E711AC
HKCC, xrefs: 00E7118A
HKCR, xrefs: 00E71164
HKEY_LOCAL_MACHINE, xrefs: 00E71125
HKEY_CURRENT_USER, xrefs: 00E7119B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 5ea63dbdda928e6f23e7930e8eec66ffce9d8036e2ecc8822aa0687196e75003
Instruction ID: d4beb338f80459c7c53e2c7021c9208285e5ef4c488d884220804a435f44e2fe
Opcode Fuzzy Hash: 5ea63dbdda928e6f23e7930e8eec66ffce9d8036e2ecc8822aa0687196e75003
Instruction Fuzzy Hash: 4D41913010138E8BCF10EF94E892AEA3764FF56304F41A494FD957B252DB70AD9ACB60

Function 00E55569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00DF7D2C: _memmove.LIBCMT ref: 00DF7D66

Part of subcall function 00DF7A84: _memmove.LIBCMT ref: 00DF7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E555D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E555E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E555F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E5560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E5561C

Strings

play PlayMe wait, xrefs: 00E55606
play PlayMe, xrefs: 00E55617
close PlayMe, xrefs: 00E555E3, 00E55610
status PlayMe mode, xrefs: 00E555CD
open , xrefs: 00E55581
alias PlayMe, xrefs: 00E555AB

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 306c200decbd1a503c9399c9bb597541d882323ad894e7174cf3eaa9d026f445
Instruction ID: 7d43520915392aa38c925113316a6fc0c6cf68d6191d1ea827e4b52f777fe550
Opcode Fuzzy Hash: 306c200decbd1a503c9399c9bb597541d882323ad894e7174cf3eaa9d026f445
Instruction Fuzzy Hash: 8B11D02156026D79DB20B661CC5ACFF7B7CEF96B00F44546AB901B60C1EBA02D08C5B1

Function 00E548F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00E5490E
gethostname.WS2_32(?,00000100), ref: 00E54928
gethostbyname.WS2_32(?), ref: 00E54935
_wcscpy.LIBCMT ref: 00E5495D
_memmove.LIBCMT ref: 00E54970
inet_ntoa.WS2_32(?), ref: 00E5497B
_strcat.LIBCMT ref: 00E54989
_wcscpy.LIBCMT ref: 00E549A0
WSACleanup.WS2_32 ref: 00E549AE
_wcscpy.LIBCMT ref: 00E549BC

Strings

0.0.0.0, xrefs: 00E54957

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: d4d3f8a89a7f1b16d989e7328fe37d150ee0c60f1d5b73addd5875fe459f0e45
Instruction ID: e7357ea9784500826692dc546932bfddf5e7fa4f6207e05a2f5239a73ed62fab
Opcode Fuzzy Hash: d4d3f8a89a7f1b16d989e7328fe37d150ee0c60f1d5b73addd5875fe459f0e45
Instruction Fuzzy Hash: 4A110572904115AFCB24EB20DC06EDB77ECAF44715F0411BAF948B6091EF709AC98751

Function 00E55217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E5521C

Part of subcall function 00E10719: timeGetTime.WINMM(?,75A8B400,00E00FF9), ref: 00E1071D

Sleep.KERNEL32(0000000A), ref: 00E55248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00E5526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E5528E
SetActiveWindow.USER32 ref: 00E552AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E552BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00E552DA
Sleep.KERNEL32(000000FA), ref: 00E552E5
IsWindow.USER32 ref: 00E552F1
EndDialog.USER32(00000000), ref: 00E55302

Strings

BUTTON, xrefs: 00E55280

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 9eac3ff63fa202801b36b1a591650e06b84bbd1f21f1788ed2354ec3f8c8491c
Instruction ID: 370d5114838f5642d4e8d0473f8b16d0b65536f742487cd0d164509b783cd11f
Opcode Fuzzy Hash: 9eac3ff63fa202801b36b1a591650e06b84bbd1f21f1788ed2354ec3f8c8491c
Instruction Fuzzy Hash: 7D21A471105704AFE7109B72ED99A263B6AFB45387F042938F809B15B1DB61AC8CCB61

Function 00E5052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E505A7
SetKeyboardState.USER32(?), ref: 00E50612
GetAsyncKeyState.USER32(000000A0), ref: 00E50632
GetKeyState.USER32(000000A0), ref: 00E50649
GetAsyncKeyState.USER32(000000A1), ref: 00E50678
GetKeyState.USER32(000000A1), ref: 00E50689
GetAsyncKeyState.USER32(00000011), ref: 00E506B5
GetKeyState.USER32(00000011), ref: 00E506C3
GetAsyncKeyState.USER32(00000012), ref: 00E506EC
GetKeyState.USER32(00000012), ref: 00E506FA
GetAsyncKeyState.USER32(0000005B), ref: 00E50723
GetKeyState.USER32(0000005B), ref: 00E50731

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cf3c51744b8d1c2f388f596ac0736f8a45cc0bc438cd2ee15f9f8d36c34c40d8
Instruction ID: 697f3994cbed54386f33131403c440bb3e3df6705cdf79f70d8754017bf85483
Opcode Fuzzy Hash: cf3c51744b8d1c2f388f596ac0736f8a45cc0bc438cd2ee15f9f8d36c34c40d8
Instruction Fuzzy Hash: 6C51DC20A047841AFB35EBB085547EABFF49F01385F085DDAEDC2765C2EA949B4CCB51

Function 00E4C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00E4C746
GetWindowRect.USER32(00000000,?), ref: 00E4C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00E4C7B6
GetDlgItem.USER32(?,00000002), ref: 00E4C7C1
GetWindowRect.USER32(00000000,?), ref: 00E4C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00E4C827
GetDlgItem.USER32(?,000003E9), ref: 00E4C835
GetWindowRect.USER32(00000000,?), ref: 00E4C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00E4C889
GetDlgItem.USER32(?,000003EA), ref: 00E4C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E4C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00E4C8C1

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: c2d26cfe498b667ac1979a8118de06e163ae43f5b6cd310d50f95b60581fa308
Instruction ID: 1d1b25cbb04497a7ad08e2a1beee91e63e3aaf7d32ea22248e0a9061a5ae62d8
Opcode Fuzzy Hash: c2d26cfe498b667ac1979a8118de06e163ae43f5b6cd310d50f95b60581fa308
Instruction Fuzzy Hash: 54513071B00205AFDB18CFA9DD89AAEBBB6FB88711F14812DF519E7290D770AD448B50

Function 00DF21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00DF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DF25EC

GetSysColor.USER32(0000000F), ref: 00DF21D3

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 77c74f9ed9e505b07df4f93b66cc5026bf314d9b0c793dab3bf43d0dc4dd4273
Instruction ID: 4b330ad36cc66b35fc28ba449c8ae1cf808c96be01caa2702dadb5f6ca7ec426
Opcode Fuzzy Hash: 77c74f9ed9e505b07df4f93b66cc5026bf314d9b0c793dab3bf43d0dc4dd4273
Instruction Fuzzy Hash: F841C231001154AFDB259F28EC88BB93B75EB06335F698265FE659A1E2C7318C82DB35

Function 00E5AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00E7F910), ref: 00E5AB76
GetDriveTypeW.KERNEL32(00000061,00EAA620,00000061), ref: 00E5AC40
_wcscpy.LIBCMT ref: 00E5AC6A

Strings

fixed, xrefs: 00E5ABBE
removable, xrefs: 00E5ABA8
cdrom, xrefs: 00E5AB92
ramdisk, xrefs: 00E5ABEA
network, xrefs: 00E5ABD4
all, xrefs: 00E5AB7C
unknown, xrefs: 00E5AC01

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 1d75cd9fe4398b1957e4aab16babb3a4eee79da62b15e30af298878a6c3d8b52
Instruction ID: 31e6b2100cfb3224590bd971b130f8cc042c32b954d63fce150263f10db15889
Opcode Fuzzy Hash: 1d75cd9fe4398b1957e4aab16babb3a4eee79da62b15e30af298878a6c3d8b52
Instruction Fuzzy Hash: F651C3305043059BC710EF14D891AAEB7E5FF84305F19AD2DF9866B2A2DB31AD49CB63

Function 00DF9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00DF99C2
__swprintf.LIBCMT ref: 00DF9A0C
__i64tow.LIBCMT ref: 00E2FA0F

Strings

0x%p, xrefs: 00E2F9F1
%.15g, xrefs: 00DF9A06
True, xrefs: 00E2F9D0
False, xrefs: 00E2F9D7

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: d631c4f6e200d9a2ab1d86048b011db97afbb72c8920c372296587faa5697a18
Instruction ID: 4bef16833f6880b18c0f1d003e6da659649e5f52fd57b8c9938f9af8d0a73cb0
Opcode Fuzzy Hash: d631c4f6e200d9a2ab1d86048b011db97afbb72c8920c372296587faa5697a18
Instruction Fuzzy Hash: 3341F971A04219AADB249F74EC42FB6B3F4EF48304F25547EE649E6181EA71D982CB21

Function 00E773C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E773D9
CreateMenu.USER32 ref: 00E773F4
SetMenu.USER32(?,00000000), ref: 00E77403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E77490
IsMenu.USER32(?), ref: 00E774A6
CreatePopupMenu.USER32 ref: 00E774B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E774DD
DrawMenuBar.USER32 ref: 00E774E5

Strings

F, xrefs: 00E774D1
0, xrefs: 00E773CF

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 29b56e7abd02afba2566fdefc0bfbfab0422d6dfde1bad4492d8d7bfa7692c38
Instruction ID: f7bddab0da508db097a6907cf282b28aa7b66efd394970038908d4b90d40138f
Opcode Fuzzy Hash: 29b56e7abd02afba2566fdefc0bfbfab0422d6dfde1bad4492d8d7bfa7692c38
Instruction Fuzzy Hash: 66414775A00209EFDB20DF65D884E9ABBF5FF49315F148029E959A7360E730AD14CB60

Function 00E7772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E777CD
CreateCompatibleDC.GDI32(00000000), ref: 00E777D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E777E7
SelectObject.GDI32(00000000,00000000), ref: 00E777EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E777FA
DeleteDC.GDI32(00000000), ref: 00E77803
GetWindowLongW.USER32(?,000000EC), ref: 00E7780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E77821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E7782D

Strings

static, xrefs: 00E77765

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 1eb88f4c5e9e4363df5d7fc7f50475cbf6aa7d2c6498de81accfc216cb17238f
Instruction ID: c7664a4f384e6b9100005a4399aecbd219b9eec1e822f8114835557cd2b9462b
Opcode Fuzzy Hash: 1eb88f4c5e9e4363df5d7fc7f50475cbf6aa7d2c6498de81accfc216cb17238f
Instruction Fuzzy Hash: 0031AB32105215AFDF169FA5DC08FEA3B69FF09325F118225FA59B21A0CB31D861DBA0

Function 00E17040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E1707B

Part of subcall function 00E18D68: __getptd_noexit.LIBCMT ref: 00E18D68

__gmtime64_s.LIBCMT ref: 00E17114
__gmtime64_s.LIBCMT ref: 00E1714A
__gmtime64_s.LIBCMT ref: 00E17167
__allrem.LIBCMT ref: 00E171BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E171D9
__allrem.LIBCMT ref: 00E171F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E1720E
__allrem.LIBCMT ref: 00E17225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E17243
__invoke_watson.LIBCMT ref: 00E172B4

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: b80e1c5f409750615037fdb78c15914a46d58a7c1b705b7b93d9ce97bf1434bf
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 3471E9B1A08716ABD7149E79DC42BDAB3F4AF14B24F14522AF864F72C1E770D9808B90

Function 00E52A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E52A31
GetMenuItemInfoW.USER32(00EB6890,000000FF,00000000,00000030), ref: 00E52A92
SetMenuItemInfoW.USER32(00EB6890,00000004,00000000,00000030), ref: 00E52AC8
Sleep.KERNEL32(000001F4), ref: 00E52ADA
GetMenuItemCount.USER32(?), ref: 00E52B1E
GetMenuItemID.USER32(?,00000000), ref: 00E52B3A
GetMenuItemID.USER32(?,-00000001), ref: 00E52B64
GetMenuItemID.USER32(?,?), ref: 00E52BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E52BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E52C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E52C24

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 4c6ccbb154e4e07e6484eea14596289bfa17ba8bc13297447eed23fc29e6f7da
Instruction ID: bd7afaeb03fb1ff65d5654edcfc735d256744e2b572e52f11924e83dfe666c15
Opcode Fuzzy Hash: 4c6ccbb154e4e07e6484eea14596289bfa17ba8bc13297447eed23fc29e6f7da
Instruction Fuzzy Hash: 7F619270900249AFDB21CF64D888DBEBBB8EB42309F14595DEE41B7252D731AD4DDB20

Function 00E77192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E77214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E77217
GetWindowLongW.USER32(?,000000F0), ref: 00E7723B
_memset.LIBCMT ref: 00E7724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E7725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E772D6

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 3f0a0bbcc9e7e3e09fe278114f5f20bbd86d2711cd32cdc96bd7b51589ea84f0
Instruction ID: 82b4337fab6d3dbcaca8e3d80f907fd036465112683eaddcd41872b2a48411ed
Opcode Fuzzy Hash: 3f0a0bbcc9e7e3e09fe278114f5f20bbd86d2711cd32cdc96bd7b51589ea84f0
Instruction Fuzzy Hash: 17616C75A00208AFDB10DFA4CC81EEE77F8EB09714F14416AFA58B72A1D774AD45DBA0

Function 00E4710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E47135
SafeArrayAllocData.OLEAUT32(?), ref: 00E4718E
VariantInit.OLEAUT32(?), ref: 00E471A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00E471C0
VariantCopy.OLEAUT32(?,?), ref: 00E47213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00E47227
VariantClear.OLEAUT32(?), ref: 00E4723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00E47249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E47252
VariantClear.OLEAUT32(?), ref: 00E47264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E4726F

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 38a7b471a37b2251bcfe6868127cd2534a40d0c9770c2928331000ec6829b017
Instruction ID: c7edeb019a75e4cf8039008a68c9fad59cb5cd5b50a5f8839e9780ef36df05dc
Opcode Fuzzy Hash: 38a7b471a37b2251bcfe6868127cd2534a40d0c9770c2928331000ec6829b017
Instruction Fuzzy Hash: D2416E71A04219AFCF14DF65D8489AEBBB8FF08354F008069F955B7261DB70A989CFA0

Function 00E65A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00E65AA6
inet_addr.WS2_32(?), ref: 00E65AEB
gethostbyname.WS2_32(?), ref: 00E65AF7
IcmpCreateFile.IPHLPAPI ref: 00E65B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E65B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E65B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00E65C00
WSACleanup.WS2_32 ref: 00E65C06

Strings

Ping, xrefs: 00E65B29

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d89bb268c3c92d4bfe91865f59ca58d58a8d473f583daedda80df9ce54a45230
Instruction ID: f58c92358feb2ea4277f7763511bb4ede043903aa5f2d2f7f2d0de9690c6214e
Opcode Fuzzy Hash: d89bb268c3c92d4bfe91865f59ca58d58a8d473f583daedda80df9ce54a45230
Instruction Fuzzy Hash: F651C0326447019FD720DF25EC45B6ABBE0EF48354F049929F659EB2A1DB70E844CF12

Function 00E5B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E5B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E5B7B1
GetLastError.KERNEL32 ref: 00E5B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00E5B828

Strings

UNKNOWN, xrefs: 00E5B7E0
INVALID, xrefs: 00E5B7FA
READONLY, xrefs: 00E5B7F3
NOTREADY, xrefs: 00E5B7E7
READY, xrefs: 00E5B801

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ae79484534d407fcb178c90b358663971e0ce02b2b4236948082fed37fad6990
Instruction ID: 7b3f7ceff181001aafaa4b28a595266b61c2fb166fb4c5b50082d405c00ee425
Opcode Fuzzy Hash: ae79484534d407fcb178c90b358663971e0ce02b2b4236948082fed37fad6990
Instruction Fuzzy Hash: E431C635A002089FCB04EF64CC89AFEB7B4EF49705F14952AF905FB291DB71994AC761

Function 00E49471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF7F41: _memmove.LIBCMT ref: 00DF7F82

Part of subcall function 00E4B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E4B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00E494F6
GetDlgCtrlID.USER32 ref: 00E49501
GetParent.USER32 ref: 00E4951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E49520
GetDlgCtrlID.USER32(?), ref: 00E49529
GetParent.USER32(?), ref: 00E49545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00E49548

Strings

ComboBox, xrefs: 00E4947E
ListBox, xrefs: 00E494B3

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: c3d3a35281599a713d5d1304981d30a6bf8a4f86f0c5672d678dd03aea824036
Instruction ID: ca691d362007d35067100bf6c8dd8b7d0879260e26fda6557373a0c268fb7c19
Opcode Fuzzy Hash: c3d3a35281599a713d5d1304981d30a6bf8a4f86f0c5672d678dd03aea824036
Instruction Fuzzy Hash: 6D21D170A00208AFCF04ABA5DC859FEBBB4EF49310F104115F621A72A2DB7599199B70

Function 00E4955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF7F41: _memmove.LIBCMT ref: 00DF7F82

Part of subcall function 00E4B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E4B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00E495DF
GetDlgCtrlID.USER32 ref: 00E495EA
GetParent.USER32 ref: 00E49606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E49609
GetDlgCtrlID.USER32(?), ref: 00E49612
GetParent.USER32(?), ref: 00E4962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00E49631

Strings

ComboBox, xrefs: 00E49569
ListBox, xrefs: 00E4959E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 5e5a22e9eee1ec5f9a358d3778f1ab358f19299c78bb87f8ca2396f66e5ad531
Instruction ID: 159dc9cd943ebf10bb755e171c13b5ae2475a5458ec8c12ec322e516c9bf5198
Opcode Fuzzy Hash: 5e5a22e9eee1ec5f9a358d3778f1ab358f19299c78bb87f8ca2396f66e5ad531
Instruction Fuzzy Hash: 0421C170A00208BFDF04ABA5DC85EFEBBB8EF48300F114055FA11B71A6DB7599599B70

Function 00E49645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00E49651
GetClassNameW.USER32(00000000,?,00000100), ref: 00E49666
_wcscmp.LIBCMT ref: 00E49678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E496F3

Strings

details, xrefs: 00E496A1
list, xrefs: 00E496D5
smallicons, xrefs: 00E496BB
largeicons, xrefs: 00E49687
SHELLDLL_DefView, xrefs: 00E49672

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 94fb02eb804fb3f20e2886ba077f81c91b47d544eedd209920e03a229334de66
Instruction ID: ebfdf34b92492e29ae8519266e470127e47b5399ecd3f72b1a19c909ce0d9bd5
Opcode Fuzzy Hash: 94fb02eb804fb3f20e2886ba077f81c91b47d544eedd209920e03a229334de66
Instruction Fuzzy Hash: 1E112976648307BAFA052631FC0BDE7B7DC9B06774F212066F900B90D3FEA169914A98

Function 00E54189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00E5419D
__swprintf.LIBCMT ref: 00E541AA

Part of subcall function 00E138D8: __woutput_l.LIBCMT ref: 00E13931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00E541D4
LoadResource.KERNEL32(?,00000000), ref: 00E541E0
LockResource.KERNEL32(00000000), ref: 00E541ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00E5420D
LoadResource.KERNEL32(?,00000000), ref: 00E5421F
SizeofResource.KERNEL32(?,00000000), ref: 00E5422E
LockResource.KERNEL32(?), ref: 00E5423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00E5429B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: ac88d31104e912d228e04ec2a703f2c03c1565c0704e95b40a8a679e6907755a
Instruction ID: 4bfddd67a96d0b11564dd53bf42b9fb413db0a254121e626bbfc0aed5200be77
Opcode Fuzzy Hash: ac88d31104e912d228e04ec2a703f2c03c1565c0704e95b40a8a679e6907755a
Instruction Fuzzy Hash: 293191B550521AAFCB11DF61DD44EBB7BA8EF04306F004925FD05F21A1DB30DA95CBA0

Function 00E516DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E51700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E50778,?,00000001), ref: 00E51714
GetWindowThreadProcessId.USER32(00000000), ref: 00E5171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E50778,?,00000001), ref: 00E5172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E5173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E50778,?,00000001), ref: 00E51755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E50778,?,00000001), ref: 00E51767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E50778,?,00000001), ref: 00E517AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E50778,?,00000001), ref: 00E517C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E50778,?,00000001), ref: 00E517CC

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 17190d6758bb53c248909d7df2e77f9ceedf147956a63cfd24f7dd31ab59c932
Instruction ID: 81d2c909c1e53bac92e8c693dffdc7f780a373c26ae51211e49b5930a8a9b7f2
Opcode Fuzzy Hash: 17190d6758bb53c248909d7df2e77f9ceedf147956a63cfd24f7dd31ab59c932
Instruction Fuzzy Hash: 5D31D171604204BFDB11DF5ADC84F7A37E9EB4A71AF104496FD04F62A0D7749D888B54

Function 00E4A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00E4AA64), ref: 00E4A9A2

Strings

REGEXPCLASS, xrefs: 00E4A767
NAME, xrefs: 00E4A7D4
TEXT, xrefs: 00E4A8D9
CLASS, xrefs: 00E4A721
CLASSNN, xrefs: 00E4A744
INSTANCE, xrefs: 00E4A8B0

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 17d9b3e603930d7f9190897392c702f1869c2797f5d7d4ab30ef5c9a460b5307
Instruction ID: 643841173d90d385a55cce06f3297face542a41414df7dd8cdc96d8a931fa148
Opcode Fuzzy Hash: 17d9b3e603930d7f9190897392c702f1869c2797f5d7d4ab30ef5c9a460b5307
Instruction Fuzzy Hash: 8191E970940206EBDB18DF60E481BE9F7B4FF44314F59A129E989B7181DF307999CBA1

Function 00DF2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00DF2EAE

Part of subcall function 00DF1DB3: GetClientRect.USER32(?,?), ref: 00DF1DDC
Part of subcall function 00DF1DB3: GetWindowRect.USER32(?,?), ref: 00DF1E1D
Part of subcall function 00DF1DB3: ScreenToClient.USER32(?,?), ref: 00DF1E45

GetDC.USER32 ref: 00E2CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E2CF95
SelectObject.GDI32(00000000,00000000), ref: 00E2CFA3
SelectObject.GDI32(00000000,00000000), ref: 00E2CFB8
ReleaseDC.USER32(?,00000000), ref: 00E2CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E2D04B

Strings

U, xrefs: 00E2CF20

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 6cce727b6d6b0dffd28dbae8b335f6a547a2efd47ba52956dc17fb304d0d5244
Instruction ID: 1cfe1f4a451527800695ccdd9850f8b30afc2095372f4ee864cdfd1e402b173e
Opcode Fuzzy Hash: 6cce727b6d6b0dffd28dbae8b335f6a547a2efd47ba52956dc17fb304d0d5244
Instruction Fuzzy Hash: DB71D331504209DFCF21CF64DC84ABA7BB6FF48314F28926AFE55AA1A5C7318C85DB60

Function 00E6F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E6F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E6FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E6FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E6FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E6FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E6FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00E6FD90
CloseHandle.KERNEL32(?), ref: 00E6FDBF
CloseHandle.KERNEL32(?), ref: 00E6FE36

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 61c5eea04a4b907a80f965e752dadef6256fdf74fbfccb7628915551887a70ff
Instruction ID: 96765d7943b9a8f47a136f2f56827b6587af4a4c209df360a4abbdc3c0cfbdf1
Opcode Fuzzy Hash: 61c5eea04a4b907a80f965e752dadef6256fdf74fbfccb7628915551887a70ff
Instruction Fuzzy Hash: F5E1E631644301DFC714EF24E491B6ABBE1EF84354F14986DF999AB2A2CB31EC45CB52

Function 00DF201B Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DF2036,?,00000000,?,?,?,?,00DF16CB,00000000,?), ref: 00DF1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00DF20D3
KillTimer.USER32(-00000001,?,?,?,?,00DF16CB,00000000,?,?,00DF1AE2,?,?), ref: 00DF216E
DestroyAcceleratorTable.USER32(00000000), ref: 00E2BEF6
DeleteObject.GDI32(00000000), ref: 00E2BF6C

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 810ce6255b3f6eeaa1f7f45c26f95f31d40797c29e41fb11e1cd0e5fc97f9ef9
Instruction ID: 03454eb629354602145cfda77466189a8b69951c139df909b3701bf71878a39f
Opcode Fuzzy Hash: 810ce6255b3f6eeaa1f7f45c26f95f31d40797c29e41fb11e1cd0e5fc97f9ef9
Instruction Fuzzy Hash: 6761AC32200724DFDB29DF15DD48B3AB7F1FF44306F158529E286AA660CB75A884CFA0

Function 00E54F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E548AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E538D3,?), ref: 00E548C7

Part of subcall function 00E548AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E538D3,?), ref: 00E548E0

Part of subcall function 00E54CD3: GetFileAttributesW.KERNEL32(?,00E53947), ref: 00E54CD4

lstrcmpiW.KERNEL32(?,?), ref: 00E54FE2
_wcscmp.LIBCMT ref: 00E54FFC
MoveFileW.KERNEL32(?,?), ref: 00E55017

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: bd3a4351235702dbb2beaabbc13b0a743cbdd4597330c1f212a8f56462633693
Instruction ID: 33b0da416cb8ffc5b70c2b13b32ee5976908729b0b40ee6627f23060fd8266ce
Opcode Fuzzy Hash: bd3a4351235702dbb2beaabbc13b0a743cbdd4597330c1f212a8f56462633693
Instruction Fuzzy Hash: 725174B21087849BC724DB60DC819DFB3ECAF84305F005D2EF689E3191EE74A28C8766

Function 00E788B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E7896E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a690f1dda5527dbab47517ed3495a61a52a38c2d7f3b1e43ae99d33c275d4f22
Instruction ID: b8387202df98666a61181846fa005a2bc997c2c4e636ca0b656cf54cd61aa9b2
Opcode Fuzzy Hash: a690f1dda5527dbab47517ed3495a61a52a38c2d7f3b1e43ae99d33c275d4f22
Instruction Fuzzy Hash: D851A430580208BFEF24DF29CD8DBA93B65FB24354F509122F61DF61A1DF71A98097A2

Function 00DF2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00E2C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E2C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E2C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00E2C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E2C5C0
DestroyCursor.USER32(00000000), ref: 00E2C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E2C5EC
DestroyCursor.USER32(?), ref: 00E2C5FB

Part of subcall function 00E7A71E: DeleteObject.GDI32(00000000), ref: 00E7A757

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2975913752-0
Opcode ID: 3a1fca8ccfdb5203da589d132d9fc95b45929fb827245599707c76b928af1d04
Instruction ID: 0f5e6a50e9cd090ad92c28a94750c92d97d523ab0cb07e33830bbe4703da6c26
Opcode Fuzzy Hash: 3a1fca8ccfdb5203da589d132d9fc95b45929fb827245599707c76b928af1d04
Instruction Fuzzy Hash: 7E516870A40209AFDB24DF25DC45BBA37B5EB58714F218528FA46A72A0DB70ED90DB60

Function 00E48E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00E48A84,00000B00,?,?), ref: 00E48E0C
RtlAllocateHeap.NTDLL(00000000,?,00E48A84), ref: 00E48E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E48A84,00000B00,?,?), ref: 00E48E28
GetCurrentProcess.KERNEL32(?,00000000,?,00E48A84,00000B00,?,?), ref: 00E48E30
DuplicateHandle.KERNEL32(00000000,?,00E48A84,00000B00,?,?), ref: 00E48E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00E48A84,00000B00,?,?), ref: 00E48E43
GetCurrentProcess.KERNEL32(00E48A84,00000000,?,00E48A84,00000B00,?,?), ref: 00E48E4B
DuplicateHandle.KERNEL32(00000000,?,00E48A84,00000B00,?,?), ref: 00E48E4E
CreateThread.KERNEL32(00000000,00000000,00E48E74,00000000,00000000,00000000), ref: 00E48E68

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 956c95e4ff57529862a4383c6cbedf1ccac1fe77d72431185bcab088a3f40106
Instruction ID: 95078be10721af3afa447870d8b33518b8c6d26d688044fd11ab4d16c1ce9e26
Opcode Fuzzy Hash: 956c95e4ff57529862a4383c6cbedf1ccac1fe77d72431185bcab088a3f40106
Instruction Fuzzy Hash: 4A01AC75641344FFE610EB65DC49F5B3B6CEB89711F404421FA09EB1A2CA70D8448A20

Function 00E69428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E6947C
VariantInit.OLEAUT32(?), ref: 00E6954D
VariantInit.OLEAUT32(?), ref: 00E6964E
VariantClear.OLEAUT32(?), ref: 00E69658
VariantClear.OLEAUT32(?), ref: 00E696B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00E69631
Null Object assignment in FOR..IN loop, xrefs: 00E694DD, 00E6960B, 00E696C3

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 6eb902f8ccfea617feaa373f02559ece18bd31b8192bf547715f1506b9bac453
Instruction ID: e093dff0d5ff10df47372bd0e997eec4c6a466e12a12f95ac7af41b055157d10
Opcode Fuzzy Hash: 6eb902f8ccfea617feaa373f02559ece18bd31b8192bf547715f1506b9bac453
Instruction Fuzzy Hash: 2A91CC70A40309ABCF24DFA5E848FAEBBB8EF85354F109019F519BB281D7709945CFA0

Function 00E76FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E77093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00E770A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E770C1
_wcscat.LIBCMT ref: 00E7711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00E77133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E77161

Strings

SysListView32, xrefs: 00E77065

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 90aab2dcd606867b5f1f1bfed4d0de565e6989aaf771610a2e48c6eacc51b8d8
Instruction ID: 0379217f8f8396f4ad8b88616dac42e26f6c4287778f96a4ac21018c175f964f
Opcode Fuzzy Hash: 90aab2dcd606867b5f1f1bfed4d0de565e6989aaf771610a2e48c6eacc51b8d8
Instruction Fuzzy Hash: 8C419171A04308AFDB21DFA4CC85BEE77E8EF08754F10556AF588B7192D6719D848B60

Function 00E6EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00E53E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00E53EB6
Part of subcall function 00E53E91: Process32FirstW.KERNEL32(00000000,?), ref: 00E53EC4
Part of subcall function 00E53E91: CloseHandle.KERNEL32(00000000), ref: 00E53F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E6ECB8
GetLastError.KERNEL32 ref: 00E6ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E6ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00E6ED77
GetLastError.KERNEL32(00000000), ref: 00E6ED82
CloseHandle.KERNEL32(00000000), ref: 00E6EDB7

Strings

SeDebugPrivilege, xrefs: 00E6ECD6

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 12f7e5b275b4821e7573043c34ebc47d960a711b3c816163f1e61fdea540403f
Instruction ID: 6472f89567213fd3bd0bca663b116bcbaad1efb1c165a892e98e617b62b1731b
Opcode Fuzzy Hash: 12f7e5b275b4821e7573043c34ebc47d960a711b3c816163f1e61fdea540403f
Instruction Fuzzy Hash: 8E41BC712402019FDB20EF24DC95F7EB7E1AF40754F088419F946AB3C2DB75A858CBA2

Function 00E53226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00E532C5

Strings

blank, xrefs: 00E53247
info, xrefs: 00E53266
warning, xrefs: 00E532AE
question, xrefs: 00E5327E
stop, xrefs: 00E53296

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: caf1bff236912a8932704573cb614573667ea85a1a81b3b2238c8bc62c2373a9
Instruction ID: 122c745168f9758c246a3909b1bf65cae56283d935ed464cea4b2e800fceab22
Opcode Fuzzy Hash: caf1bff236912a8932704573cb614573667ea85a1a81b3b2238c8bc62c2373a9
Instruction Fuzzy Hash: B4112739309746BBE7015A74DC42DFAB3DCEF1A3B5F20242AFD00BA191E7A16B8445B5

Function 00E68BC0 Relevance: 12.3, APIs: 8, Instructions: 324COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E68BEC
CoInitialize.OLE32(00000000), ref: 00E68C19
GetRunningObjectTable.OLE32(00000000,?), ref: 00E68D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00E68E50
CoGetObject.OLE32(?,00000000,00E82C0C,?), ref: 00E68EA7
SetErrorMode.KERNEL32(00000000), ref: 00E68EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E68F3A
VariantClear.OLEAUT32(?), ref: 00E68F4A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearInitInitializeRunningTable
String ID:
API String ID: 2437601815-0
Opcode ID: d3b9f27b78d9fe44190509909bf4de27e0471253f64a9718702251b307db45ca
Instruction ID: 7266c59737549534fd34fb724e05810ad86773eaa75cce20dd4d2ddd37098347
Opcode Fuzzy Hash: d3b9f27b78d9fe44190509909bf4de27e0471253f64a9718702251b307db45ca
Instruction Fuzzy Hash: C7C15671608305AFC704DF64D98492BB7E9FF88388F005A2DF589AB251DB71ED05CB62

Function 00E54534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E5454E
LoadStringW.USER32(00000000), ref: 00E54555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E5456B
LoadStringW.USER32(00000000), ref: 00E54572
_wprintf.LIBCMT ref: 00E54598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E545B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00E54593

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 2b3d369e285513746758b268f54b386eb19d11bf197d1df828022bac9d58607b
Instruction ID: e2b6417057ec81b4189108e7c72aac19c4633a6c85617286bf1a5159a95fd857
Opcode Fuzzy Hash: 2b3d369e285513746758b268f54b386eb19d11bf197d1df828022bac9d58607b
Instruction Fuzzy Hash: 9F014FF2900208BFE750E7E19D89EE6776CE708301F4005A5FB49F2052EA749EC98B70

Function 00DF2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E2C417,00000004,00000000,00000000,00000000), ref: 00DF2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00E2C417,00000004,00000000,00000000,00000000,000000FF), ref: 00DF2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00E2C417,00000004,00000000,00000000,00000000), ref: 00E2C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E2C417,00000004,00000000,00000000,00000000), ref: 00E2C4D6

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 88f80af06bad4dad803bd3ed2d98a20e39ab89cead051dae3be6c3853b13ade1
Instruction ID: dee003a39983f057409a81a402a0833b6c08fac0a5269f5b3590dce57f1e7620
Opcode Fuzzy Hash: 88f80af06bad4dad803bd3ed2d98a20e39ab89cead051dae3be6c3853b13ade1
Instruction Fuzzy Hash: 56416F302086889EC7399B3ADCAC77B7BA1EB85314F2EC41DE29793560C635D885D730

Function 00E57368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00E5737F

Part of subcall function 00E10FF6: std::exception::exception.LIBCMT ref: 00E1102C
Part of subcall function 00E10FF6: __CxxThrowException@8.LIBCMT ref: 00E11041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00E573B6
RtlEnterCriticalSection.NTDLL(?), ref: 00E573D2
_memmove.LIBCMT ref: 00E57420
_memmove.LIBCMT ref: 00E5743D
RtlLeaveCriticalSection.NTDLL(?), ref: 00E5744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00E57461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00E57480

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 7d1a55c1d540511906c0418dc629cf1306f1c72adfc1a724e3e6f7eb815038fd
Instruction ID: 4e6f0b6369bea563302e47850a6edb6f7adf1394f64cd088f24b413bd3319704
Opcode Fuzzy Hash: 7d1a55c1d540511906c0418dc629cf1306f1c72adfc1a724e3e6f7eb815038fd
Instruction Fuzzy Hash: 23317031E04205EFCF10DF65DC85AAE7BB8EF49710B1441A5FE04BB256DB709A94DBA0

Function 00E76442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E7645A
GetDC.USER32(00000000), ref: 00E76462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E7646D
ReleaseDC.USER32(00000000,00000000), ref: 00E76479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E764B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E764C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E79299,?,?,000000FF,00000000,?,000000FF,?), ref: 00E76500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E76520

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 742eee3703c15510bc798c1894ae29610282ebdac91324499319aeaa53ed824f
Instruction ID: 26d42ef9abe8cbf8b1115e1b6156d73efba07a4e071597b77a6de4c416c82b8e
Opcode Fuzzy Hash: 742eee3703c15510bc798c1894ae29610282ebdac91324499319aeaa53ed824f
Instruction Fuzzy Hash: 8B318D72201610BFEB108F51DC4AFEA3FA9FF09765F044065FE0CAA291D6759C81CBA0

Function 00E4C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00E4C087
_memcmp.LIBCMT ref: 00E4C0A9
_memcmp.LIBCMT ref: 00E4C0C1
_memcmp.LIBCMT ref: 00E4C0D4
_memcmp.LIBCMT ref: 00E4C0EE
_memcmp.LIBCMT ref: 00E4C101
_memcmp.LIBCMT ref: 00E4C119
_memcmp.LIBCMT ref: 00E4C134

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 98cb440f5e52143d73f97e05d19b1f95cfd9de11de5352bf9e8e501ec6920ae5
Instruction ID: e885e5dcda3bc9847994746a77d9529187b2b4eaba030b5a9f81e440473e8ac2
Opcode Fuzzy Hash: 98cb440f5e52143d73f97e05d19b1f95cfd9de11de5352bf9e8e501ec6920ae5
Instruction Fuzzy Hash: DE219571703205BBD694B521AD42FFB67ACAF20398F646024FF0DB7282E752DD1182A5

Function 00E5D7F8 Relevance: 10.8, APIs: 7, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 00DF9997: __itow.LIBCMT ref: 00DF99C2
Part of subcall function 00DF9997: __swprintf.LIBCMT ref: 00DF9A0C

CoInitialize.OLE32(00000000), ref: 00E5D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E5D8E8
SHGetDesktopFolder.SHELL32(?), ref: 00E5D8FC
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E5D9B7
_memset.LIBCMT ref: 00E5DA4C
SHBrowseForFolderW.SHELL32(?), ref: 00E5DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E5DAAB

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Folder$BrowseCreateDesktopFromInitializeItemListLocationPathShellSpecial__itow__swprintf_memset
String ID:
API String ID: 3008154123-0
Opcode ID: bb45510f391b62a55d04f77dce11cd6c438cab5ad2c62a3b273490d70f020dfe
Instruction ID: 5b539bffc3fef0fd59debd10bc281e753f01c80866b167a86c9c4a5eeda497c2
Opcode Fuzzy Hash: bb45510f391b62a55d04f77dce11cd6c438cab5ad2c62a3b273490d70f020dfe
Instruction Fuzzy Hash: B4B1FA75A00109AFDB14DFA4CC88EAEBBF9EF48305B148469F909EB251DB30ED45CB60

Function 00DF1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b1e66b8b65c736585effeb6c08de6fcd33b67a099c75e7cb1e7f18c9fcb819
Instruction ID: 91e6e2318834ea3ad7dbf45653bb5371d6e92e918990df031fdff28caf6eb35f
Opcode Fuzzy Hash: 53b1e66b8b65c736585effeb6c08de6fcd33b67a099c75e7cb1e7f18c9fcb819
Instruction Fuzzy Hash: 0C716834900119EFCB04CF98CC89ABEBBB9FF85314F25C159FA15AA251C730AA51CBB4

Function 00E7B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01532A00), ref: 00E7B6A5
IsWindowEnabled.USER32(01532A00), ref: 00E7B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E7B795
SendMessageW.USER32(01532A00,000000B0,?,?), ref: 00E7B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00E7B809
GetWindowLongW.USER32(01532A00,000000EC), ref: 00E7B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E7B843

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 365a0269652d2a5129551e392ffb6a9a05a0c424be335008905f55acd61e3fbd
Instruction ID: 6c133a71352efabfe9707e5502007b98abf271ca55c8f455aff3c27abaf5afd3
Opcode Fuzzy Hash: 365a0269652d2a5129551e392ffb6a9a05a0c424be335008905f55acd61e3fbd
Instruction Fuzzy Hash: CB717E34600204AFDB28DFA5C8E5FEA7BB9FF89304F14915AFA49B7261C731A941CB50

Function 00E686D0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 00DF9997: __itow.LIBCMT ref: 00DF99C2
Part of subcall function 00DF9997: __swprintf.LIBCMT ref: 00DF9A0C

CoInitialize.OLE32 ref: 00E68718
VariantInit.OLEAUT32(?), ref: 00E68890
VariantClear.OLEAUT32(?), ref: 00E688F1

Strings

Invalid parameter, xrefs: 00E6880F
Failed to create object, xrefs: 00E6878E, 00E68844
NULL Pointer assignment, xrefs: 00E687C8

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Variant$ClearInitInitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 4106155388-1287834457
Opcode ID: d8467df4d56bf2add2fe0adcf9ab9facd00283e680e5bcf868bda15141d93cfd
Instruction ID: db26a95205866c6c2703f9d37b881f731e3bcfff6055f268277a287571ac84c0
Opcode Fuzzy Hash: d8467df4d56bf2add2fe0adcf9ab9facd00283e680e5bcf868bda15141d93cfd
Instruction Fuzzy Hash: 726104306483019FD714DF24DA44B6AB7E4EF48794F50591EF985BB291CB70ED48CBA2

Function 00E6F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E6F75C
_memset.LIBCMT ref: 00E6F825
ShellExecuteExW.SHELL32(?), ref: 00E6F86A

Part of subcall function 00DF9997: __itow.LIBCMT ref: 00DF99C2
Part of subcall function 00DF9997: __swprintf.LIBCMT ref: 00DF9A0C

Part of subcall function 00E0FEC6: _wcscpy.LIBCMT ref: 00E0FEE9

GetProcessId.KERNEL32(00000000), ref: 00E6F8E1
CloseHandle.KERNEL32(00000000), ref: 00E6F910

Strings

@, xrefs: 00E6F839

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: d2760443876da1546c64cbc58b400ed3f2aede8228d83370e650b8d778d5e1e6
Instruction ID: 03bdfe9835fcefea204a8349aafec84c904d28199e9c4217a8e49b3371f9eec0
Opcode Fuzzy Hash: d2760443876da1546c64cbc58b400ed3f2aede8228d83370e650b8d778d5e1e6
Instruction Fuzzy Hash: 8D619E75E006199FCB14DF64E490AAEBBF1FF48354B159069E859BB351CB30AD41CFA0

Function 00E5145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E5149C
GetKeyboardState.USER32(?), ref: 00E514B1
SetKeyboardState.USER32(?), ref: 00E51512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00E51540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00E5155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00E515A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E515C8

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a1a05bf74a18de31887d8c8128ba97d172b7a54a0f858bd8e2e9d82425033330
Instruction ID: c4c2ac56fbc20488db9062eb473fbae1add15e9e0a506e7ea3c96172636d680f
Opcode Fuzzy Hash: a1a05bf74a18de31887d8c8128ba97d172b7a54a0f858bd8e2e9d82425033330
Instruction Fuzzy Hash: 4D51E2A06046D53EFB3252348C45BBA7FE95B4630AF08ADC9E9D5658C2D3E49CCCD750

Function 00E51276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00E512B5
GetKeyboardState.USER32(?), ref: 00E512CA
SetKeyboardState.USER32(?), ref: 00E5132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E51357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E51374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E513B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E513D9

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2906d9afd0ac8c4ad9b24b843aeffe0353d8d866561181b924051d7a90c2c581
Instruction ID: f39b0aede072dbd288bc0ffd9526ce0118a713f5c86d075e4b9943d592a227da
Opcode Fuzzy Hash: 2906d9afd0ac8c4ad9b24b843aeffe0353d8d866561181b924051d7a90c2c581
Instruction Fuzzy Hash: 2F5126A05047D53DFB3297248C15B7A7FA95B0630AF08ACC9E9D8668C2D394AC8CE750

Function 00E5589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00E558AC
_wcsncpy.LIBCMT ref: 00E558E1
_wcsncpy.LIBCMT ref: 00E55913
_wcsncpy.LIBCMT ref: 00E55946
_wcsncpy.LIBCMT ref: 00E55988
_wcsncpy.LIBCMT ref: 00E559C2
_wcsncpy.LIBCMT ref: 00E559F1

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 1ed7a71e0ab1a116f422bc1a2f8c375c68d1c2c483a70e8c388cf535a7439eda
Instruction ID: e6c8544934d547e1f660bb2515d5f8810a0982792e842cee1d65a8987915c230
Opcode Fuzzy Hash: 1ed7a71e0ab1a116f422bc1a2f8c375c68d1c2c483a70e8c388cf535a7439eda
Instruction Fuzzy Hash: 884190B6C2011876CB11EBB48C869CFB3A89F05311F50A856E918F3262E734E798C7A5

Function 00E538AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E548AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E538D3,?), ref: 00E548C7

Part of subcall function 00E548AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E538D3,?), ref: 00E548E0

lstrcmpiW.KERNEL32(?,?), ref: 00E538F3
_wcscmp.LIBCMT ref: 00E5390F
MoveFileW.KERNEL32(?,?), ref: 00E53927
_wcscat.LIBCMT ref: 00E5396F
SHFileOperationW.SHELL32(?), ref: 00E539DB

Strings

\*.*, xrefs: 00E53969

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 88782c2a9362b8973a37a0fc500c09dca41d8d06a5d450860dc39fdba1e641ae
Instruction ID: fa7abf260f2c3132efa00c031e99be388c5a6343a4d8dd8f550c57489364e59a
Opcode Fuzzy Hash: 88782c2a9362b8973a37a0fc500c09dca41d8d06a5d450860dc39fdba1e641ae
Instruction Fuzzy Hash: A9418FB15083849EC751EF64D4819EFB7E8AF88385F002D2EB889E3191EA74D69CC752

Function 00E77500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E77519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E775C0
IsMenu.USER32(?), ref: 00E775D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E77620
DrawMenuBar.USER32 ref: 00E77633

Strings

0, xrefs: 00E7750D

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: e62c6771988dc61492074765ec0438885cd9cc587f635f5b665125c3b6c6cb3a
Instruction ID: a230a3b5a7b5fa115582d47a23d603beecce00fd57fc0f5c1665a830a28280cb
Opcode Fuzzy Hash: e62c6771988dc61492074765ec0438885cd9cc587f635f5b665125c3b6c6cb3a
Instruction Fuzzy Hash: E0412975A04609EFDB20DF95D884EAABBF8FB08314F049129ED99A7250D730AD54CFA0

Function 00E7122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00E7125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E71286
FreeLibrary.KERNEL32(00000000), ref: 00E7133D

Part of subcall function 00E7122D: RegCloseKey.ADVAPI32(?), ref: 00E712A3
Part of subcall function 00E7122D: FreeLibrary.KERNEL32(?), ref: 00E712F5
Part of subcall function 00E7122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00E71318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00E712E0

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 7889089fe70cca041f8c01b9bf0b3ddc8474d57afa1ef7e2d9893a9bf8fda8a6
Instruction ID: 2f2ddc98fc2c49bd6c18dc7eec1cf30e6384ffde527e71b0af79a6682ed0c57a
Opcode Fuzzy Hash: 7889089fe70cca041f8c01b9bf0b3ddc8474d57afa1ef7e2d9893a9bf8fda8a6
Instruction Fuzzy Hash: 72315EB1901209BFDB14DB94DC89EFFB7BCEF08344F0041A9E509F2251DB749E899AA0

Function 00E7653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E7655B
GetWindowLongW.USER32(01532A00,000000F0), ref: 00E7658E
GetWindowLongW.USER32(01532A00,000000F0), ref: 00E765C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E765F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E7661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00E76630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E7664A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d8fbdcae20e6f959edbb465a86021f6f06f823063f90e20b6900d3b6c0efa736
Instruction ID: 28a4a32f440e1d0805b0fc3ebb9f10ebea43c95e95601ecab7518d63eaa63445
Opcode Fuzzy Hash: d8fbdcae20e6f959edbb465a86021f6f06f823063f90e20b6900d3b6c0efa736
Instruction Fuzzy Hash: 1A312631604510AFDB21CF59DC84F553BE1FB4A718F1852A8F509AB2B6CB71AC84EB91

Function 00E66486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E680A0: inet_addr.WS2_32(00000000), ref: 00E680CB

socket.WS2_32(00000002,00000001,00000006), ref: 00E664D9
WSAGetLastError.WS2_32(00000000), ref: 00E664E8
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00E66521
connect.WSOCK32(00000000,?,00000010), ref: 00E6652A
WSAGetLastError.WS2_32 ref: 00E66534
closesocket.WS2_32(00000000), ref: 00E6655D
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00E66576

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 2446e2f52ed8d75041e83060fceecf3898da799f272b0b2d69a63dcb04b0df70
Instruction ID: f97b158cb2d6e52d00db033734e4726a4998cbfc5127c919b23091949b9cdece
Opcode Fuzzy Hash: 2446e2f52ed8d75041e83060fceecf3898da799f272b0b2d69a63dcb04b0df70
Instruction Fuzzy Hash: 1331A131650118AFEB10DF24EC85BBE7BACEB45754F048029FD1AB7291CB70AD48CB62

Function 00E7783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DF1D73
Part of subcall function 00DF1D35: GetStockObject.GDI32(00000011), ref: 00DF1D87
Part of subcall function 00DF1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DF1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E778A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E778AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E778B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E778C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E778D4

Strings

Msctls_Progress32, xrefs: 00E77872

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: b646207f51cd88a96edb7e36beb201b53efd496ff628b2dd34694009d172c3cc
Instruction ID: 6a884e0af084a8593471ce6e7e553110c188bceac2d2fd1818f39431b93c14bf
Opcode Fuzzy Hash: b646207f51cd88a96edb7e36beb201b53efd496ff628b2dd34694009d172c3cc
Instruction Fuzzy Hash: 5C1181B1110229BFEF159E60CC85EE77F6DEF08798F019115F648A6090C7719C21DBA0

Function 00E141C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00E141E3
GetProcAddress.KERNEL32(00000000), ref: 00E141EA
RtlEncodePointer.NTDLL(00000000), ref: 00E141F6
RtlDecodePointer.NTDLL(00000001), ref: 00E14213

Strings

combase.dll, xrefs: 00E141DE
RoInitialize, xrefs: 00E141D2

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 45c31eaee3125327265d21a0c076f6a55cb7ac133a4bd6c47c674dd2ff2ac4f1
Instruction ID: 276f90441679baaa9e4c5599d9f5ae590ce71b92159e325e21b4e45e10b110d3
Opcode Fuzzy Hash: 45c31eaee3125327265d21a0c076f6a55cb7ac133a4bd6c47c674dd2ff2ac4f1
Instruction Fuzzy Hash: 7DE0E5F4A92300AFEB20ABBAEC09B453AA4AB20B06F505528F559F51F1DBB540D98B00

Function 00E1429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E141B8), ref: 00E142B8
GetProcAddress.KERNEL32(00000000), ref: 00E142BF
RtlEncodePointer.NTDLL(00000000), ref: 00E142CA
RtlDecodePointer.NTDLL(00E141B8), ref: 00E142E5

Strings

combase.dll, xrefs: 00E142B3
RoUninitialize, xrefs: 00E142A7

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 53c04542247e88984d15fe53932ca62106cbcf7b22ddbc6e4a9239f6325db5a3
Instruction ID: 813fd9d46ca6011c8bc337f83338ed86163a5c7b5ba3e6d7ef67a560b092ea02
Opcode Fuzzy Hash: 53c04542247e88984d15fe53932ca62106cbcf7b22ddbc6e4a9239f6325db5a3
Instruction Fuzzy Hash: F2E0BFBC982310AFEB10EB66FC0DB453AA4BB14746F105128F109F11F1CB7445C8CB14

Function 00E66E17 Relevance: 9.2, APIs: 6, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WS2_32(00000000,?), ref: 00E66F14
WSAGetLastError.WS2_32(00000000), ref: 00E66F48
htons.WS2_32(?), ref: 00E66FFE
inet_ntoa.WS2_32(?), ref: 00E66FBB

Part of subcall function 00E4AE14: _strlen.LIBCMT ref: 00E4AE1E
Part of subcall function 00E4AE14: _memmove.LIBCMT ref: 00E4AE40

_strlen.LIBCMT ref: 00E67058
_memmove.LIBCMT ref: 00E670C1

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: c50fccfd705af8134686c7fd4f80a0365825762b7c77e389097297cfda20e917
Instruction ID: bd6e5ee28851750b2d65f9cc511730d19660e13031db93527878adb677b1491f
Opcode Fuzzy Hash: c50fccfd705af8134686c7fd4f80a0365825762b7c77e389097297cfda20e917
Instruction Fuzzy Hash: 8D811171508300ABC710EF24EC91F6BB7E8EF84758F10891CF655AB292DA71AD44CBB2

Function 00E5675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E568AD
_memmove.LIBCMT ref: 00E567E8

Part of subcall function 00DF9997: __itow.LIBCMT ref: 00DF99C2
Part of subcall function 00DF9997: __swprintf.LIBCMT ref: 00DF9A0C

_memmove.LIBCMT ref: 00E5685B
_memmove.LIBCMT ref: 00E56942
_memmove.LIBCMT ref: 00E5695B
_memmove.LIBCMT ref: 00E56977

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: f82c7607f84119ebeff09b9fd78fc0a0d3acecb0e74c04f4cb440ecf28d944ca
Instruction ID: 3681b18dfdaf323aa6af8b077a3d0f33f5587af9c48ab76b4f3e98c1bc1c02e4
Opcode Fuzzy Hash: f82c7607f84119ebeff09b9fd78fc0a0d3acecb0e74c04f4cb440ecf28d944ca
Instruction Fuzzy Hash: E061CE3190024A9BCF15EF20CC92FFE77A4EF48308F459859FE556B192DB70A889CB60

Function 00E7046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF7F41: _memmove.LIBCMT ref: 00DF7F82

Part of subcall function 00E710A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E70038,?,?), ref: 00E710BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E70548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E70588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E705AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E705D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E70617
RegCloseKey.ADVAPI32(00000000), ref: 00E70624

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: f8c27803a1e9baec734e6639f3c433cd319e62174f92440c047d992debca7dd0
Instruction ID: 25b0b2d6a0565453d8f8eee377c212c9d258268414c01fd2473941824c9c640d
Opcode Fuzzy Hash: f8c27803a1e9baec734e6639f3c433cd319e62174f92440c047d992debca7dd0
Instruction Fuzzy Hash: 0A517A31508204EFC710EF64D885EAEBBE8FF88304F04891DF549A72A1DB31E954DB62

Function 00E75A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00E75A82
GetMenuItemCount.USER32(00000000), ref: 00E75AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E75AE1
GetMenuItemID.USER32(?,?), ref: 00E75B50
GetSubMenu.USER32(?,?), ref: 00E75B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00E75BAF

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 2459cc8554ee49b741a09f404c2d969de9ddce2bf73c9940bb4d9d0d890dd905
Instruction ID: 648b626be4a7341f014754c96cb6fa4446b307638f42fd986e2973948f34d35d
Opcode Fuzzy Hash: 2459cc8554ee49b741a09f404c2d969de9ddce2bf73c9940bb4d9d0d890dd905
Instruction Fuzzy Hash: E6518F32E00619EFCB15DFA4C845AAEB7F4EF48310F119469E919B7351CBB0AE41CB90

Function 00E4F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E4F3F7
VariantClear.OLEAUT32(00000013), ref: 00E4F469
VariantClear.OLEAUT32(00000000), ref: 00E4F4C4
_memmove.LIBCMT ref: 00E4F4EE
VariantClear.OLEAUT32(?), ref: 00E4F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E4F569

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 69bf29abf5cf46c27d4866fcd8a43ed982b5a4afe4b8171783a6f34d75f9f111
Instruction ID: d46f97806f9daa8242d1a8546a640a73e4d082e2ce519d404c177635f6ce419b
Opcode Fuzzy Hash: 69bf29abf5cf46c27d4866fcd8a43ed982b5a4afe4b8171783a6f34d75f9f111
Instruction Fuzzy Hash: 525148B5A00209EFCB14CF58D884AAAB7F8FF4C354B158569E959EB310E734E951CBA0

Function 00E526F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E52747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E52792
IsMenu.USER32(00000000), ref: 00E527B2
CreatePopupMenu.USER32 ref: 00E527E6
GetMenuItemCount.USER32(000000FF), ref: 00E52844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E52875

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 6ce66d664cb3224d9c1a254feca6ccc63a2c1dfd2dde3d3021a463d1a7772b74
Instruction ID: cfd84bc0c1a49f03e0d21a8edec3b734f20e95aef7b09137c1342b5747c06168
Opcode Fuzzy Hash: 6ce66d664cb3224d9c1a254feca6ccc63a2c1dfd2dde3d3021a463d1a7772b74
Instruction Fuzzy Hash: 4A51C170A00305DFDF28CFA8D888AADBBF4AF56319F10596DEE15BB290D7709948CB51

Function 00DF1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00DF179A
GetWindowRect.USER32(?,?), ref: 00DF17FE
ScreenToClient.USER32(?,?), ref: 00DF181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00DF182C
EndPaint.USER32(?,?), ref: 00DF1876

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 118642fcf67af0629de4df62b43159ea751ed858bd5a592ee66d9c6f5d13b894
Instruction ID: 7f178cbcf8fbe34dc71a921524bb3c67162d47ad7bfc0b6d815efe4f84ffb4e2
Opcode Fuzzy Hash: 118642fcf67af0629de4df62b43159ea751ed858bd5a592ee66d9c6f5d13b894
Instruction Fuzzy Hash: B241BC74100204EFD710DF65DC85BBA7BF8EB49724F048628FAA8AA2A1C7319849DB71

Function 00E7B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00EB67B0,00000000,01532A00,?,?,00EB67B0,?,00E7B862,?,?), ref: 00E7B9CC
EnableWindow.USER32(00000000,00000000), ref: 00E7B9F0
ShowWindow.USER32(00EB67B0,00000000,01532A00,?,?,00EB67B0,?,00E7B862,?,?), ref: 00E7BA50
ShowWindow.USER32(00000000,00000004,?,00E7B862,?,?), ref: 00E7BA62
EnableWindow.USER32(00000000,00000001), ref: 00E7BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E7BAA9

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4bdabae640fdeeea62303ae86c248396eec266c61a89cda274d2242b3bc9b4d4
Instruction ID: abe442a27e78aa9247cf16218a1f6055387a7a90710db1aabb66501f4292ff1c
Opcode Fuzzy Hash: 4bdabae640fdeeea62303ae86c248396eec266c61a89cda274d2242b3bc9b4d4
Instruction Fuzzy Hash: E9416030600241AFDB26DF65C489B957BE0FF45318F1892B9FA5CAF2A2C731E845CB51

Function 00E673B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00E65134,?,?,00000000,00000001), ref: 00E673BF

Part of subcall function 00E63C94: GetWindowRect.USER32(?,?), ref: 00E63CA7

GetDesktopWindow.USER32 ref: 00E673E9
GetWindowRect.USER32(00000000), ref: 00E673F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E67422

Part of subcall function 00E554E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E5555E

GetCursorPos.USER32(?), ref: 00E6744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E674AC

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 18ca42f7320b2d43cdea51859d71527b6834a336a10118f86d21f2ffa9fa560a
Instruction ID: 63e1f600e7373d3fd1b68d94dae32520c844ce896ab04a5fe4e937313303a3bb
Opcode Fuzzy Hash: 18ca42f7320b2d43cdea51859d71527b6834a336a10118f86d21f2ffa9fa560a
Instruction Fuzzy Hash: 28310472508305AFC720DF55D849F9BBBE9FF88358F000919F899A7191DB30E948CB92

Function 00E4E0B5 Relevance: 9.1, APIs: 6, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E4E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E4E120
SysAllocString.OLEAUT32(00000000), ref: 00E4E123
SysAllocString.OLEAUT32 ref: 00E4E144
SysFreeString.OLEAUT32 ref: 00E4E14D
SysAllocString.OLEAUT32(?), ref: 00E4E175

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$Free
String ID:
API String ID: 1313759350-0
Opcode ID: 0c99fa0c96d47a2e3fef526038b6734f19c20003dbf5a74d2d60fdbaf46b83a7
Instruction ID: 6c0cbab0ac853abc8369bd33277a9917e835780d8e02f89c0bf70e83caae83ac
Opcode Fuzzy Hash: 0c99fa0c96d47a2e3fef526038b6734f19c20003dbf5a74d2d60fdbaf46b83a7
Instruction Fuzzy Hash: 9C217435605108AF9B10DFA9DC88CAB77ECFB09760B108135F919EB360EA70DC858B64

Function 00E5ED8E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00DF9997: __itow.LIBCMT ref: 00DF99C2
Part of subcall function 00DF9997: __swprintf.LIBCMT ref: 00DF9A0C

Part of subcall function 00E0FEC6: _wcscpy.LIBCMT ref: 00E0FEE9

_wcstok.LIBCMT ref: 00E5EEFF
_wcscpy.LIBCMT ref: 00E5EF8E
_memset.LIBCMT ref: 00E5EFC1

Strings

X, xrefs: 00E5EFFE

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 56c328addc29be8c6e20b49406dc34287609e588e62136f934827f1360616033
Instruction ID: 7856fe3f5681d5c9cfc1604bb7923a8394c2d6c2ce73381688a5ba2a4b072db3
Opcode Fuzzy Hash: 56c328addc29be8c6e20b49406dc34287609e588e62136f934827f1360616033
Instruction Fuzzy Hash: B8C1B7315047049FC714EF24C991AAEB7E0FF84314F05996DF999A72A2DB30ED45CBA2

Function 00E48D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E485F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E48608
Part of subcall function 00E485F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E48612
Part of subcall function 00E485F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E48621
Part of subcall function 00E485F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00E48628
Part of subcall function 00E485F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E4863E

GetLengthSid.ADVAPI32(?,00000000,00E48977), ref: 00E48DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E48DB8
RtlAllocateHeap.NTDLL(00000000), ref: 00E48DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00E48DD8
GetProcessHeap.KERNEL32(00000000,00000000,00E48977), ref: 00E48DEC
HeapFree.KERNEL32(00000000), ref: 00E48DF3

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 65654a9b9e3f08ed9fe16b366c7a1969d96fbccbe74f90575bed530a0ceb888f
Instruction ID: e9d9b278689b703d24527bfe611202a6aaaa341ce21a3a0919fd55bb4505230d
Opcode Fuzzy Hash: 65654a9b9e3f08ed9fe16b366c7a1969d96fbccbe74f90575bed530a0ceb888f
Instruction Fuzzy Hash: 1511CA31902A04EFDB10DFA5ED08BBE7BADEB41319F104129E849A3251CB329944DB60

Function 00E7C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00DF12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DF134D
Part of subcall function 00DF12F3: SelectObject.GDI32(?,00000000), ref: 00DF135C
Part of subcall function 00DF12F3: BeginPath.GDI32(?), ref: 00DF1373
Part of subcall function 00DF12F3: SelectObject.GDI32(?,00000000), ref: 00DF139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00E7C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00E7C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E7C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00E7C1F6
EndPath.GDI32(00000000), ref: 00E7C206
StrokePath.GDI32(00000000), ref: 00E7C216

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5a6475668213a8aa8d4758c9e108ede0e4c3f66b42f3c18575794b002ea371c1
Instruction ID: 3d4cc62784bd151331cb6a72745acbd3784121a93a350017baa77fd13cb84b1c
Opcode Fuzzy Hash: 5a6475668213a8aa8d4758c9e108ede0e4c3f66b42f3c18575794b002ea371c1
Instruction Fuzzy Hash: 8811097640014CBFDB119F91EC88EAA7FADEB08354F048025FA186A162C7719D99DBA0

Function 00E103A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E103D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E103DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E103E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E103F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E103F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E10401

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: dae2f7f794d17cef2d3d6360a31311cfc3b9292b6c7f12e32bc9fd5a8390c536
Instruction ID: ca94f48baad73df60253ee3054548406a431e4a927bad1ee5c455db9f192d7f7
Opcode Fuzzy Hash: dae2f7f794d17cef2d3d6360a31311cfc3b9292b6c7f12e32bc9fd5a8390c536
Instruction Fuzzy Hash: F4016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BE15C47941C7F5A868CBE5

Function 00E5568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E5569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E556B1
GetWindowThreadProcessId.USER32(?,?), ref: 00E556C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E556CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E556D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E556E0

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e0814fdbab51ce9d50f1af797a24243cc91a207ff71f30f3052b9ea8074d2b1a
Instruction ID: 90c2915977462a01e7d03d637b6f8f65743cd2c4d82ff901fb9e9a2239422db1
Opcode Fuzzy Hash: e0814fdbab51ce9d50f1af797a24243cc91a207ff71f30f3052b9ea8074d2b1a
Instruction Fuzzy Hash: F8F06D32241158BFE3209BA39C0DEAB7B7CEBC6B12F000169FA08E105196A01A45C6B5

Function 00E574D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00E574E5
RtlEnterCriticalSection.NTDLL(?), ref: 00E574F6
TerminateThread.KERNEL32(00000000,000001F6,?,00E01044,?,?), ref: 00E57503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E01044,?,?), ref: 00E57510

Part of subcall function 00E56ED7: CloseHandle.KERNEL32(00000000,?,00E5751D,?,00E01044,?,?), ref: 00E56EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00E57523
RtlLeaveCriticalSection.NTDLL(?), ref: 00E5752A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 589da70361c6fa68a2a886648499e4ad74f7fd482ca2df6296ac873d95afe2ef
Instruction ID: ff443f27a6e6d06b5a896505df9a785e4ec4bdf7913a3d406b37a90c4748e223
Opcode Fuzzy Hash: 589da70361c6fa68a2a886648499e4ad74f7fd482ca2df6296ac873d95afe2ef
Instruction Fuzzy Hash: 97F09A3A444612EFDB115B24FC889EA372ABF04302F001531FA06B10B6DF715898CAA0

Function 00E68902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E68928
CharUpperBuffW.USER32(?,?), ref: 00E68A37
VariantClear.OLEAUT32(?), ref: 00E68BAF

Part of subcall function 00E57804: VariantInit.OLEAUT32(00000000), ref: 00E57844
Part of subcall function 00E57804: VariantCopy.OLEAUT32(00000000,?), ref: 00E5784D
Part of subcall function 00E57804: VariantClear.OLEAUT32(00000000), ref: 00E57859

Strings

Incorrect Parameter format, xrefs: 00E68960, 00E68B22
AUTOIT.ERROR, xrefs: 00E68A3D

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 5b8ad442e9bc8ab77d670eebb89de55aacd242e04179c1942724af984921b737
Instruction ID: d14e4074a941c08c343982caa1d3d7316eaee96f664b6c93e7d0b0b0544ba4ee
Opcode Fuzzy Hash: 5b8ad442e9bc8ab77d670eebb89de55aacd242e04179c1942724af984921b737
Instruction Fuzzy Hash: 1F91BD746083019FC710DF24D58096ABBE4EF88354F049A2EF99AAB361DB30E945CB62

Function 00E52F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E0FEC6: _wcscpy.LIBCMT ref: 00E0FEE9

_memset.LIBCMT ref: 00E53077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E530A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E53159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E53187

Strings

0, xrefs: 00E53063

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 4e8975307f2f4fe7048714b50424362f48099a8c5734aaa261e5886df5dd6f24
Instruction ID: e9038d1f11605a595357375aa0c94987ef418dbcd33a8f6dd856299999a8bf6c
Opcode Fuzzy Hash: 4e8975307f2f4fe7048714b50424362f48099a8c5734aaa261e5886df5dd6f24
Instruction Fuzzy Hash: FE51DF326093009AD7259A38C945AABB7E4EF45395F042E2DFD95F3191DB70CE4887A2

Function 00E52C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E52CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E52CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00E52D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00EB6890,00000000), ref: 00E52D5A

Strings

0, xrefs: 00E52CA4

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: d4c6b29702ae848122172d1b2afa711a6e5f5f23766635646f7919ce2f152680
Instruction ID: ae721677559175a91486a6f68a6b32188765546fd2b6985706ffb333cf68e27d
Opcode Fuzzy Hash: d4c6b29702ae848122172d1b2afa711a6e5f5f23766635646f7919ce2f152680
Instruction Fuzzy Hash: 564191302043029FD724DF24C845B5ABBE8EF86325F144A5EFE65A72D1D770E908CBA2

Function 00E6DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E6DAD9

Part of subcall function 00DF79AB: _memmove.LIBCMT ref: 00DF79F9

Strings

none, xrefs: 00E6DBB4
winapi, xrefs: 00E6DB4A
cdecl, xrefs: 00E6DB30
stdcall, xrefs: 00E6DB5B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 1bcef96dc063fb9b925a07418964a027be05720531a9cc34c10080c5925a9247
Instruction ID: 5a0d50aec4bde943ffad93ed138b8bab42426951c3194e0c0bdc6ef637ea71ed
Opcode Fuzzy Hash: 1bcef96dc063fb9b925a07418964a027be05720531a9cc34c10080c5925a9247
Instruction Fuzzy Hash: FA31F270A04609AFCF00EF54DC818FEB3B4FF05360B019A29E825BB6D5CB71A905CB90

Function 00E49372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF7F41: _memmove.LIBCMT ref: 00DF7F82

Part of subcall function 00E4B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E4B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E493F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E49409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00E49439

Part of subcall function 00DF7D2C: _memmove.LIBCMT ref: 00DF7D66

Strings

ComboBox, xrefs: 00E49380
ListBox, xrefs: 00E493B5

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 00d2d8e83553af9e77cc6e9b5229a9c37e1ad02d5af3b2f2e1567706c7353355
Instruction ID: 58125a96976d1f774ccae6b3d18ebfd46a2dfd8782b8e0ed875d3bb2c86dd26f
Opcode Fuzzy Hash: 00d2d8e83553af9e77cc6e9b5229a9c37e1ad02d5af3b2f2e1567706c7353355
Instruction Fuzzy Hash: EB21E471900108AEDB14ABB4EC868FFB7B8DF45360B119119FA25B71E2DB355E4A9630

Function 00E76656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DF1D73
Part of subcall function 00DF1D35: GetStockObject.GDI32(00000011), ref: 00DF1D87
Part of subcall function 00DF1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DF1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E766D0
LoadLibraryW.KERNEL32(?), ref: 00E766D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E766EC
DestroyWindow.USER32(?), ref: 00E766F4

Strings

SysAnimate32, xrefs: 00E766AB

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 37e5e0da7e30efcd55d987084b5b7402bd043d8d4355e991951d4b94c6ec4019
Instruction ID: b47770cfbaaf0303d86737e264319d5d48480d6c68bc0bf1e6d405f4e6f80d1e
Opcode Fuzzy Hash: 37e5e0da7e30efcd55d987084b5b7402bd043d8d4355e991951d4b94c6ec4019
Instruction Fuzzy Hash: 35219271100605AFEF104FA4EC80EBB37ADEF5936CF50A629F919B6190D771DC919760

Function 00E5703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00E5705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E57091
GetStdHandle.KERNEL32(0000000C), ref: 00E570A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E570DD

Strings

nul, xrefs: 00E570D8

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: b4307d36af2a02e937e08e2040f61822a1f85330eac428cdd506c641b348b17c
Instruction ID: ee22ff83a3f4c0584fe6f86dd91aee6f8ebb3f977a9f77f208583bce5e088df6
Opcode Fuzzy Hash: b4307d36af2a02e937e08e2040f61822a1f85330eac428cdd506c641b348b17c
Instruction Fuzzy Hash: 18217F74604209ABDB209F29EC05A9A77E8AF44725F205A29FDE1E72D0D77098688B60

Function 00E5710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00E5712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E5715D
GetStdHandle.KERNEL32(000000F6), ref: 00E5716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00E571A8

Strings

nul, xrefs: 00E571A3

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f387a899238d0e3b56a48d61a2bd85685d4df404105b8f8cb855489d0432ec4f
Instruction ID: 11cc386f446a3e5f7688f4164b8b714abdf818718b113715e387519cdc004127
Opcode Fuzzy Hash: f387a899238d0e3b56a48d61a2bd85685d4df404105b8f8cb855489d0432ec4f
Instruction Fuzzy Hash: B521C1716097059BDB209F29AD04AAAB7E8AF45335F201E19FCE1F72D0D7709869CB60

Function 00E5AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E5AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E5AF13
__swprintf.LIBCMT ref: 00E5AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00E7F910), ref: 00E5AF6A

Strings

%lu, xrefs: 00E5AF26

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 1cf5189be1a66a6dc7015289a1a6869efa3095928c2a52e2ef1c548ef18b34c6
Instruction ID: e0e975a89fafdb007f66cc8c5ab8283fdd37fe91e09fcf81c8c07c5db6a707b0
Opcode Fuzzy Hash: 1cf5189be1a66a6dc7015289a1a6869efa3095928c2a52e2ef1c548ef18b34c6
Instruction Fuzzy Hash: 70217430A00209AFCB10DF65D985EAEBBF8EF49704B104079F909EB252DB71EA45DB21

Function 00E4A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF7D2C: _memmove.LIBCMT ref: 00DF7D66

Part of subcall function 00E4A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E4A399
Part of subcall function 00E4A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E4A3AC
Part of subcall function 00E4A37C: GetCurrentThreadId.KERNEL32 ref: 00E4A3B3
Part of subcall function 00E4A37C: AttachThreadInput.USER32(00000000), ref: 00E4A3BA

GetFocus.USER32 ref: 00E4A554

Part of subcall function 00E4A3C5: GetParent.USER32(?), ref: 00E4A3D3

GetClassNameW.USER32(?,?,00000100), ref: 00E4A59D
EnumChildWindows.USER32(?,00E4A615), ref: 00E4A5C5
__swprintf.LIBCMT ref: 00E4A5DF

Strings

%s%d, xrefs: 00E4A5D9

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 331122d3112e9ed8b3a6c352e6e6338e8cf6d0deccbbb37340c49a637ae0d8dd
Instruction ID: 188894cde5db3f789acdb6e6eeb2c7d521b84ce04a72a46fd3ec294634e7448e
Opcode Fuzzy Hash: 331122d3112e9ed8b3a6c352e6e6338e8cf6d0deccbbb37340c49a637ae0d8dd
Instruction Fuzzy Hash: 0C119071640208ABDF10BF64EC85FFA37A8AF48710F0890B5FE0CBA152DA7059858B75

Function 00E52017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E52048

Strings

KEYS, xrefs: 00E5205F
REMOVE, xrefs: 00E5204E
APPEND, xrefs: 00E52081
EXISTS, xrefs: 00E52070

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 70a7529db19ce7a3a4f710c0de0929bdd7c33e3c09a3cb64d6e757e8a81d8c32
Instruction ID: 7e25ad5c15a4730aedc43492c6f1a878b3bbc9b6a94550e7fb7a22a8bc2b5cb1
Opcode Fuzzy Hash: 70a7529db19ce7a3a4f710c0de0929bdd7c33e3c09a3cb64d6e757e8a81d8c32
Instruction Fuzzy Hash: 51116D70901219DFCF00EFA4D8414FEB7B4FF6A304B109868D955BB292EB32A94ACB50

Function 00E68F5B Relevance: 7.9, APIs: 5, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E7F910), ref: 00E6903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E7F910), ref: 00E69071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E691EB
SysFreeString.OLEAUT32(?), ref: 00E69215

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: ac5714ed2c6ac0c6170080bbeed8b7ecd91c166f99daeb1d25158222bf9a2f23
Instruction ID: 9fcfcabfad53d6bba69537dbd41d5017a8484ae05e988a57add1e77d35b15a8b
Opcode Fuzzy Hash: ac5714ed2c6ac0c6170080bbeed8b7ecd91c166f99daeb1d25158222bf9a2f23
Instruction Fuzzy Hash: D0F13971A40209EFDF04DF94D888EAEB7B9FF49354F108059F915AB291DB31AE45CB60

Function 00E6EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E6EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E6EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00E6F07E
CloseHandle.KERNEL32(?), ref: 00E6F0FF

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: dc7a72908faa5e1933c0f39b7959e14bc9e60f4197de4a43f2b7a637f568c90d
Instruction ID: c9fb68e6e5f9d250ee7bb34f8f4a9217573f15aaae1e602fdb49cc64b6b46e88
Opcode Fuzzy Hash: dc7a72908faa5e1933c0f39b7959e14bc9e60f4197de4a43f2b7a637f568c90d
Instruction Fuzzy Hash: 67819371A443019FD720DF24D856F2AB7E5EF48710F05881DFA99EB392DB71AC408B61

Function 00E702C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF7F41: _memmove.LIBCMT ref: 00DF7F82

Part of subcall function 00E710A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E70038,?,?), ref: 00E710BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E70388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E703C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E7040E
RegCloseKey.ADVAPI32(?,?), ref: 00E7043A
RegCloseKey.ADVAPI32(00000000), ref: 00E70447

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 6f0a9a13268bf8bc779eaf66a69552e00dadbc7ed4ddb2fcc2474249cc79e77d
Instruction ID: e96b688b0d6cfa4a250246add4b0ecef6813897c1bafad3a6fe6822e366f6803
Opcode Fuzzy Hash: 6f0a9a13268bf8bc779eaf66a69552e00dadbc7ed4ddb2fcc2474249cc79e77d
Instruction Fuzzy Hash: 21512C71208204EFD704EF64D881E6EB7E8FF84314F04991DF699A7291DB30E905DB62

Function 00E5E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E5E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E5E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E5E8F2

Part of subcall function 00DF9997: __itow.LIBCMT ref: 00DF99C2
Part of subcall function 00DF9997: __swprintf.LIBCMT ref: 00DF9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E5E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E5E91F

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 6123eb915777e1f2214373acd51a3101e5f152629139dd69ccb7d135e535a1c2
Instruction ID: e95b410d6ed868c0df7c4061f002a63a733a8e8f1b977e306028cf1962f33fe1
Opcode Fuzzy Hash: 6123eb915777e1f2214373acd51a3101e5f152629139dd69ccb7d135e535a1c2
Instruction Fuzzy Hash: 3C512A35A00209DFCF05EF64C991AAEBBF5EF08314B158499E909AB362CB31ED55DF60

Function 00E7A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f5629842df1f1b4e03f9407559dc42da91d04f2c23fc9fcd66f0592989000a
Instruction ID: ff3362116bfb12b02342a116d1267ed9adcbdb3c8215a4a1baf82229e4d548c7
Opcode Fuzzy Hash: b0f5629842df1f1b4e03f9407559dc42da91d04f2c23fc9fcd66f0592989000a
Instruction Fuzzy Hash: FB41CF35900204BFD724DF28CC88BADBBA5EB89310F189275E96DB72E1D770AD419A51

Function 00DF2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DF2357
ScreenToClient.USER32(00EB67B0,?), ref: 00DF2374
GetAsyncKeyState.USER32(00000001), ref: 00DF2399
GetAsyncKeyState.USER32(00000002), ref: 00DF23A7

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: e93af594f693b120f971813cbcba3f2b21fa3888a5a72b5b4aa037a0452d406a
Instruction ID: a138010acb2991596af69de9fb37702c1aef3d9beccaad8bcc588145802dde68
Opcode Fuzzy Hash: e93af594f693b120f971813cbcba3f2b21fa3888a5a72b5b4aa037a0452d406a
Instruction Fuzzy Hash: 5E419071504529FBCF159FA4DC44AFDBBB4FB05364F208319F928A62A0CB309994DBA1

Function 00E46920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00E469A9
TranslateMessage.USER32(?), ref: 00E469D2
DispatchMessageW.USER32(?), ref: 00E469DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E469EB

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: e8f29860b06a4e873dac7585363b953b45c637c911170219bb4d2b765a239ab5
Instruction ID: e67652b97691888d45783b4060a92794e4e4837a438627cf9828edff44ee2bac
Opcode Fuzzy Hash: e8f29860b06a4e873dac7585363b953b45c637c911170219bb4d2b765a239ab5
Instruction Fuzzy Hash: B031E571900646AFDB24CFB6EC44BF77BACBB42308F105265E525F21A0D7749889D7A2

Function 00E48F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E48F12
PostMessageW.USER32(?,00000201,00000001), ref: 00E48FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00E48FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00E48FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00E48FDA

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: cb459971ebcb7cf0bd61994c23f5e4ecec04fd290859cedf36b51350d8e818f0
Instruction ID: 9cf1a376e0db11db0aec972c1b351a86fc4dbdcae0126a3a885d20fe13ff5475
Opcode Fuzzy Hash: cb459971ebcb7cf0bd61994c23f5e4ecec04fd290859cedf36b51350d8e818f0
Instruction Fuzzy Hash: 1A31C07160021DEFDB14CFA8EA4CA9E7BB6EB04325F104229F925E61D1C7B09958DB91

Function 00E4B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00E4B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E4B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E4B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E4B742
_wcsstr.LIBCMT ref: 00E4B74C

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 599dc34d5361d836e09fd3757675fb46e29928acafb629b3300b4ac927d9642f
Instruction ID: 87621064bd83b9130c6fc733514ec77057091bce4cb5fea1b4f0ef6894d8d6be
Opcode Fuzzy Hash: 599dc34d5361d836e09fd3757675fb46e29928acafb629b3300b4ac927d9642f
Instruction Fuzzy Hash: E521FC31604204BBEB159B79AC49EBB7B9CDF89760F00517AFD09EA161EF61DC8096A0

Function 00E7B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00DF2612: GetWindowLongW.USER32(?,000000EB), ref: 00DF2623

GetWindowLongW.USER32(?,000000F0), ref: 00E7B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00E7B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E7B489
GetSystemMetrics.USER32(00000004), ref: 00E7B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00E61184,00000000), ref: 00E7B4D0

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 4317f4d71da7e24470e7506dafa2556577574d7ad78e60d79ad9b56ca8f17d89
Instruction ID: f57abab2b36976b4c8b1331356b0aff7946f36659a2d72d1d073a2d5209b8cf2
Opcode Fuzzy Hash: 4317f4d71da7e24470e7506dafa2556577574d7ad78e60d79ad9b56ca8f17d89
Instruction Fuzzy Hash: 0D217C31910265AFCB248F39CC04BAA3BA4FB05725F149738F93AE31E1F73098509B90

Function 00E497E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E49802

Part of subcall function 00DF7D2C: _memmove.LIBCMT ref: 00DF7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E49834
__itow.LIBCMT ref: 00E4984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E49874
__itow.LIBCMT ref: 00E49885

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 8f094a00ba2a53c6eb6c1853d14ab6641f2aaa50f6599a29c0c5c21dac5d9531
Instruction ID: 51d04dcec39833739141f7fc4d9cd850ea7cc5db1378e08a711cfeadb5e5f718
Opcode Fuzzy Hash: 8f094a00ba2a53c6eb6c1853d14ab6641f2aaa50f6599a29c0c5c21dac5d9531
Instruction Fuzzy Hash: 8221CB31700208ABDB149A759C86EEF7BA8EF4E714F045025FE05FB252D6708D4597E1

Function 00DF12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DF134D
SelectObject.GDI32(?,00000000), ref: 00DF135C
BeginPath.GDI32(?), ref: 00DF1373
SelectObject.GDI32(?,00000000), ref: 00DF139C

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 94151f913932ddce27a60fdb48bd0653271d5624c3775b9c91d5f83444ee1fa7
Instruction ID: 782dfd72cdf121728e916aebe7cc64e0526e0445255b22e2b4570bea2815fa53
Opcode Fuzzy Hash: 94151f913932ddce27a60fdb48bd0653271d5624c3775b9c91d5f83444ee1fa7
Instruction Fuzzy Hash: F9217175800208EFDB159F66EC0577A7BF8FB00321F15C32AF918BA5A0D3759999DBA0

Function 00E4C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00E4C176
_memcmp.LIBCMT ref: 00E4C194
_memcmp.LIBCMT ref: 00E4C1A7
_memcmp.LIBCMT ref: 00E4C1BF
_memcmp.LIBCMT ref: 00E4C1D7

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e9d35c1a8c6d1b9336456ce3d2bdfdc9304ac7936c6333f25fe87945141b2386
Instruction ID: 6e471e6511c3ea2b0169c6852250b232583d2f7866c3b42452fb6063d219a4ad
Opcode Fuzzy Hash: e9d35c1a8c6d1b9336456ce3d2bdfdc9304ac7936c6333f25fe87945141b2386
Instruction Fuzzy Hash: 9B0192B1A072057BE204B6206C42FFB67AC9B21398F646065FE08B7383E651AE1182A0

Function 00E54D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E54D5C
__beginthreadex.LIBCMT ref: 00E54D7A
MessageBoxW.USER32(?,?,?,?), ref: 00E54D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E54DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E54DAC

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 7afc22e6859de841a9eb8d82a5674ec0cb1f0c51702f4239278ae70926b92457
Instruction ID: 13e1a5d78fdb88935fa70c55bd73e6a948588a10b06ffa8fabda53e4de329d62
Opcode Fuzzy Hash: 7afc22e6859de841a9eb8d82a5674ec0cb1f0c51702f4239278ae70926b92457
Instruction Fuzzy Hash: A81108B6904204BFD701DBA99C04ADB7FBCEB45325F144365FD18F32A1D6758D888BA0

Function 00E4874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E48766
GetLastError.KERNEL32(?,00E4822A,?,?,?), ref: 00E48770
GetProcessHeap.KERNEL32(00000008,?,?,00E4822A,?,?,?), ref: 00E4877F
RtlAllocateHeap.NTDLL(00000000,?,00E4822A), ref: 00E48786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E4879D

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 228453688b3a1b39268850aab43e07f7e13effb11505f614a7e1a5cc855128fe
Instruction ID: fdd178b1d10025a3b262bb2a4b6ff4c69a80bde23623734989a347354e404961
Opcode Fuzzy Hash: 228453688b3a1b39268850aab43e07f7e13effb11505f614a7e1a5cc855128fe
Instruction Fuzzy Hash: 15016271605204FFDB108FA6ED4CD6B7B6CFF85355B200439F849E2160DA318C44CA70

Function 00E554E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E55502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E55510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E55518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E55522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E5555E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2d4ec9626897b1121ab21856115a5dddbadc2af4e591dc849022b06e98e37715
Instruction ID: a3b5bd5cfd1b295087d29dff22719aff81a79cb059f04b4d37fb302a683d15de
Opcode Fuzzy Hash: 2d4ec9626897b1121ab21856115a5dddbadc2af4e591dc849022b06e98e37715
Instruction Fuzzy Hash: 50016D32C01A29DBCF00DFE9E8589EDBB79FF09712F400856E805B2141EB305598C7A1

Function 00E485F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E48608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E48612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E48621
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00E48628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E4863E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 7c450b82d2ac61d44a5146c4dafa74afca696b3d2713e94944a0e9b67c945d20
Instruction ID: 7b2014225e0a25635cf2b8a17e5e35a6b4f8adb3fe032ad51dac63757ac3afa5
Opcode Fuzzy Hash: 7c450b82d2ac61d44a5146c4dafa74afca696b3d2713e94944a0e9b67c945d20
Instruction Fuzzy Hash: 5DF04F31201204AFEB104FA6ED89E6F3BACFF89B58F401465F949E6150CB61DC85DA60

Function 00E48652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E48669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E48673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E48682
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00E48689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E4869F

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 612ae972330f256a09be995423ae3f81612bd5c468215a415b43ae4fc9151836
Instruction ID: bb8c33f54bfea5e818747795142d11e887b0be347ab46d8e6fce74fd5c595718
Opcode Fuzzy Hash: 612ae972330f256a09be995423ae3f81612bd5c468215a415b43ae4fc9151836
Instruction Fuzzy Hash: DBF04F71201204AFEB115FA6EC88E6B3BACFF8A758F100075F949E6150CA61D985DA60

Function 00E4C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00E4C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00E4C6D1
MessageBeep.USER32(00000000), ref: 00E4C6E9
KillTimer.USER32(?,0000040A), ref: 00E4C705
EndDialog.USER32(?,00000001), ref: 00E4C71F

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 43bfb8244fd1232b6ce932f529dee46501b30e338b6948dfa67a3db8ed5b8e92
Instruction ID: 1d65fdd916a0aae92951a8bd871ddaa91e680bfa6af51eac2324d3f14ae11dc1
Opcode Fuzzy Hash: 43bfb8244fd1232b6ce932f529dee46501b30e338b6948dfa67a3db8ed5b8e92
Instruction Fuzzy Hash: 9F01D630400304ABEB209F61EC4EFA677B8FF04B05F10166AF546B20E0DBF0A9988F90

Function 00DF13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00DF13BF
StrokeAndFillPath.GDI32(?,?,00E2BAD8,00000000,?), ref: 00DF13DB
SelectObject.GDI32(?,00000000), ref: 00DF13EE
DeleteObject.GDI32 ref: 00DF1401
StrokePath.GDI32(?), ref: 00DF141C

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e0e9f23ade2e6043d9b684d77e55c0db6a394dfdb3c7f1eee657acefda366be7
Instruction ID: f3118281d08135398c7378ef4340fe0188d9bb1ff5f7e56b51ea5e06756b1e9f
Opcode Fuzzy Hash: e0e9f23ade2e6043d9b684d77e55c0db6a394dfdb3c7f1eee657acefda366be7
Instruction Fuzzy Hash: 5CF0B235004208EFDB1A9FA7EC087693BA5AB41326F08C324E569A91B1C7398999DF60

Function 00E48E74 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E48E7F
CloseHandle.KERNEL32(?), ref: 00E48E94
CloseHandle.KERNEL32(?), ref: 00E48E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00E48EA5
HeapFree.KERNEL32(00000000), ref: 00E48EAC

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: dabc2cf1636516c2aaf6b8f31bd1fccb7de8b91069bfd002af555b862f57a8de
Instruction ID: a9aa564086a191854e64c607c0b25ec398fe8ef25590cbf763787e5b2fc55d66
Opcode Fuzzy Hash: dabc2cf1636516c2aaf6b8f31bd1fccb7de8b91069bfd002af555b862f57a8de
Instruction Fuzzy Hash: 4CE0C236004001FFDA019FF2EC0C90ABB69FB89322B508231F21DA2471CB3294A8EB60

Function 00E02E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00E10FF6: std::exception::exception.LIBCMT ref: 00E1102C
Part of subcall function 00E10FF6: __CxxThrowException@8.LIBCMT ref: 00E11041

Part of subcall function 00DF7F41: _memmove.LIBCMT ref: 00DF7F82

Part of subcall function 00DF7BB1: _memmove.LIBCMT ref: 00DF7C0B

__swprintf.LIBCMT ref: 00E0302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E02EC6

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: d4f2e5fcbcda2d5a52c9b23ca0371128556333f9618c5cfa76171939c75fe94e
Instruction ID: ce71dd710666b1859a6f288cdbb9095f08f0b1efefcf0ed1683b88309fb33857
Opcode Fuzzy Hash: d4f2e5fcbcda2d5a52c9b23ca0371128556333f9618c5cfa76171939c75fe94e
Instruction Fuzzy Hash: 7B918E71608305AFC718EF24D885CBFBBE8EF85744F01991DF555A72A1DA20EE84CB62

Function 00E4B7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00E4B981

Strings

AutoIt3GUI, xrefs: 00E4B8F9
Container, xrefs: 00E4B8FE
%, xrefs: 00E4BA24

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%
API String ID: 3565006973-1286912533
Opcode ID: 3c02ed24c81a8d18b14744e0023070b0d679d7c27b9ae961996dfdd8d26f3303
Instruction ID: 2627eb47506942e9002080e3b261643a1c4e4d1b7a3abaf870598f79aff837ed
Opcode Fuzzy Hash: 3c02ed24c81a8d18b14744e0023070b0d679d7c27b9ae961996dfdd8d26f3303
Instruction Fuzzy Hash: 5E915C706002019FDB28DF28D885A6ABBF9FF49710F14956EF94AEB791DB70E841CB50

Function 00E1524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00E152DD

Part of subcall function 00E20340: __87except.LIBCMT ref: 00E2037B

Strings

pow, xrefs: 00E152B5, 00E152D2

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: c9cddb55b4f9fcfddbf25ae56294ce85703dededeb08a64767e7f9d79d383838
Instruction ID: 19c0fc6cd7cfd45d1452dc436f3d2633012670909969088e616e23e0089911a1
Opcode Fuzzy Hash: c9cddb55b4f9fcfddbf25ae56294ce85703dededeb08a64767e7f9d79d383838
Instruction Fuzzy Hash: F4515A33A08601CACB11B714E9413EE6BD09B80754F70AD59E4E5B22EBEE74CCC4DA45

Function 00E1023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00E10277
#, xrefs: 00E10280

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: bcc4884707c523405d5c9f72a1b56af5bd2f8f57ebf976eafd65cbf224ae5c61
Instruction ID: a3b9101e88ea972539551d08856e1544b987d517e2a5f7a9a30fe0e4b391ac0c
Opcode Fuzzy Hash: bcc4884707c523405d5c9f72a1b56af5bd2f8f57ebf976eafd65cbf224ae5c61
Instruction Fuzzy Hash: 6F515576904249DFCF15DF28E888AFA7BA4EF16314F145055ECA1BB2A2C7709C86C770

Function 00E03297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E033D7
_memmove.LIBCMT ref: 00E03470
_free.LIBCMT ref: 00E03496
_memmove.LIBCMT ref: 00E03549

Strings

Oa, xrefs: 00E03482

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa
API String ID: 2620147621-3945284152
Opcode ID: 45df88908180ebaa964e7a9eaf3bf3b1d44c2e109f02750bfcc02630f4700fb0
Instruction ID: 1d32c9fa1cb6731177c2a79e576ceb1db556ac3dafd466b4aac618a239955dc6
Opcode Fuzzy Hash: 45df88908180ebaa964e7a9eaf3bf3b1d44c2e109f02750bfcc02630f4700fb0
Instruction Fuzzy Hash: 70517DB16083419FDB24CF68D841B6BBBE5FF89304F04592DE989A73A1DB31D981CB52

Function 00E062F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E063A8
_memmove.LIBCMT ref: 00E06446
_memset.LIBCMT ref: 00E0646A

Strings

ERCP, xrefs: 00E06313

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 88066bba3419c6886fb4f82d7188a0497287167364b8fed07265f4d6ffc400b4
Instruction ID: d9ac14acb623fc049889e11623c5da5f054a691e3b4e697665f88e90bb11b6ad
Opcode Fuzzy Hash: 88066bba3419c6886fb4f82d7188a0497287167364b8fed07265f4d6ffc400b4
Instruction Fuzzy Hash: 1C51A3719007099BDB24CF65C8817EABBF4FF44318F20556EE55AEB281E771A6D4CB40

Function 00E4DA5D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E4DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E4DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E4DB8E

Strings

DllGetClassObject, xrefs: 00E4DB01

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ErrorMode$AddressProc
String ID: DllGetClassObject
API String ID: 1548245697-1075368562
Opcode ID: aee727456d249ea8c336348e3ab238131e4ef9fcecf4029827d6e91c12306d71
Instruction ID: 2ccad1c47b9e91d7074f0442bd2e620acc03468ae4ccb4e0d2fc11ea4fc55a92
Opcode Fuzzy Hash: aee727456d249ea8c336348e3ab238131e4ef9fcecf4029827d6e91c12306d71
Instruction Fuzzy Hash: FD417EB1604208EFDB15CF55DC84A9ABBA9EF48310F1590AAED09AF206D7B1DD44CBA0

Function 00E77648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E776D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E776E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E77708

Strings

SysMonthCal32, xrefs: 00E7769B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ff1ab693b1e6e82d34b086cb8bbacc802904362845278b1518dabe99cabfae86
Instruction ID: 3f407cb266662d6ae25aebb7a1801566ac59d9ea0ead5402127e3192bf612f92
Opcode Fuzzy Hash: ff1ab693b1e6e82d34b086cb8bbacc802904362845278b1518dabe99cabfae86
Instruction Fuzzy Hash: EE21BF32500219ABDF15CEA4CC42FEA3BB9EB48718F115254FE597B1D0DAB1A8948BA0

Function 00E76F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E76FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E76FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E76FDF

Strings

Listbox, xrefs: 00E76F77

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 780b5722518f6d76ab3a847b7aabf2e273bf3fdaef168b7f3c56633d0e81f4d8
Instruction ID: 5934ddca7068a23ca59b3fdcafd66d244c2232eea9ad36df112e4419a638dc59
Opcode Fuzzy Hash: 780b5722518f6d76ab3a847b7aabf2e273bf3fdaef168b7f3c56633d0e81f4d8
Instruction Fuzzy Hash: D7219232710118BFDF159F54DC85FBB3BAAEF89758F01D124F918AB190CA71AC558BA0

Function 00E7797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E779E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E779F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E77A03

Strings

msctls_trackbar32, xrefs: 00E779B8

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c49860cfbe571bd17c451fba80e85ad0d82d04520c62fbd6db3fbcfe5eb8e06c
Instruction ID: 14e665281242e3323e9047b41dee5d2400c3b523d4dcc8f5dcf98157d0350e51
Opcode Fuzzy Hash: c49860cfbe571bd17c451fba80e85ad0d82d04520c62fbd6db3fbcfe5eb8e06c
Instruction Fuzzy Hash: CD11E732244208BFEF149F61CC05FEB37A9EF89768F024529F745B6090D6719851CB60

Function 00E6C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E31D88,?), ref: 00E6C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E6C324

Strings

GetSystemWow64DirectoryW, xrefs: 00E6C31E
kernel32.dll, xrefs: 00E6C30D

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 783ae2fbddce2d79ab8bafbdcc2e15edcb4accf2abfc676ca987c759431a569c
Instruction ID: 16f65f5264f062304f89255696f0ed3b5cfe9155296508ced25fb9f55b68a381
Opcode Fuzzy Hash: 783ae2fbddce2d79ab8bafbdcc2e15edcb4accf2abfc676ca987c759431a569c
Instruction Fuzzy Hash: 67E08C70280713CFCB208B26E804A5676D4EF08788F90E479E889F2210E774D880CA60

Function 00DF4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DF4C2E), ref: 00DF4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DF4CB5

Strings

GetNativeSystemInfo, xrefs: 00DF4CAF
kernel32.dll, xrefs: 00DF4C9E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: cd7b1eacb60b6a546190c6f4d159f9efdb11e821d9651e2bd5d2c268a663c9f4
Instruction ID: 170ca66c4005782d5259a05696dd0c857687157eeb7571d1dc73e60f1b4cdf1a
Opcode Fuzzy Hash: cd7b1eacb60b6a546190c6f4d159f9efdb11e821d9651e2bd5d2c268a663c9f4
Instruction Fuzzy Hash: 28D01730511727CFD720DF32DA1861676E5AF05791F16D83AD88EE6150EA70D8C0CA60

Function 00DF4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DF4CE1,?), ref: 00DF4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00DF4DB4

Strings

kernel32.dll, xrefs: 00DF4D9D
Wow64RevertWow64FsRedirection, xrefs: 00DF4DAE

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 611a6f55029bca6a2d664432d69ce2a3708120d50fa0d601ce5cbdeb98953580
Instruction ID: 648abca74710371ea88f186242a6d39610cf2204f098caa8d5c1b6a931a34ce0
Opcode Fuzzy Hash: 611a6f55029bca6a2d664432d69ce2a3708120d50fa0d601ce5cbdeb98953580
Instruction Fuzzy Hash: 50D01731550713CFD720DF32DC48A5676E4AF09365F16C83AD9CAE6150EB70D8C0CA60

Function 00DF4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DF4D2E,?,00DF4F4F,?,00EB62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DF4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00DF4D81

Strings

kernel32.dll, xrefs: 00DF4D6A
Wow64DisableWow64FsRedirection, xrefs: 00DF4D7B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 1f17d225591f9c8d8a08838ec6d9dc32005d4249ee7432b712774ef568fbe208
Instruction ID: 77e9a1dc0232351831f4056509a8af5b5727dd7df471ecf158ded0901bae0652
Opcode Fuzzy Hash: 1f17d225591f9c8d8a08838ec6d9dc32005d4249ee7432b712774ef568fbe208
Instruction Fuzzy Hash: 76D01730511713CFD720DF32DC4862676E8AF15352F1AC83AD48AE6250E670D8C0CA60

Function 00E71072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00E712C1), ref: 00E71080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E71092

Strings

advapi32.dll, xrefs: 00E7107B
RegDeleteKeyExW, xrefs: 00E7108C

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: c950583f4d899860166d31310ac9c4f1acf59dd01333b2fbc3bfccb856d5586c
Instruction ID: 70444e545bc393889d145376bf3c2db248e2cba0656d615b457170cdab5e9182
Opcode Fuzzy Hash: c950583f4d899860166d31310ac9c4f1acf59dd01333b2fbc3bfccb856d5586c
Instruction Fuzzy Hash: 4FD01730510712CFD720DF3AD818A1A7AE4AF0A365F11DC7AE48EFA161E770D8C0CA60

Function 00E693F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00E69009,?,00E7F910), ref: 00E69403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E69415

Strings

kernel32.dll, xrefs: 00E693FE
GetModuleHandleExW, xrefs: 00E6940F

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: f842c84c3e20a99285ad300a9eb9a409d5360cdadab356b842e230861be1c9c2
Instruction ID: 6e350bf9e9ea702ac2f544ec98aa523369d0304212a06c9fa107163bd4c36f84
Opcode Fuzzy Hash: f842c84c3e20a99285ad300a9eb9a409d5360cdadab356b842e230861be1c9c2
Instruction Fuzzy Hash: 2AD0C730580313CFD720DF32E98C222B2E8AF05391F00D83AE49AF6952EB70C8C0CA10

Function 00E476C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338bef8d9402d040924b2428fb5d3134793226d70eda938fea1b6002b28d5b5c
Instruction ID: 3b064a6e8f755e94ae810bccfed09efff4cc9bb5db24bbc568c4d0aec67230f2
Opcode Fuzzy Hash: 338bef8d9402d040924b2428fb5d3134793226d70eda938fea1b6002b28d5b5c
Instruction Fuzzy Hash: D3C18E74A04216EFCB14CF94D888EAEB7F5FF88714B119599E985EB250D730ED81CB90

Function 00E6E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00E6E3D2
CharLowerBuffW.USER32(?,?), ref: 00E6E415

Part of subcall function 00E6DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E6DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00E6E615
_memmove.LIBCMT ref: 00E6E628

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: f3fefad0b6feda2b3bd6c74f93022bba045e89bee4b515e42d5fe18dbeb705ae
Instruction ID: 03f47513205edb1ef17c4b64c36bd452d2a9c4224efb29c56e904da666d456a2
Opcode Fuzzy Hash: f3fefad0b6feda2b3bd6c74f93022bba045e89bee4b515e42d5fe18dbeb705ae
Instruction Fuzzy Hash: 5BC19C75A083018FC704DF28C48196ABBE4FF88358F04996DF999AB391D770E946CF92

Function 00E46DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E46E04
SysAllocString.OLEAUT32(00000000), ref: 00E46EAD
VariantCopy.OLEAUT32 ref: 00E46EDC
VariantClear.OLEAUT32(?), ref: 00E46F03

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 701a77b742cf518ef666b2433d501a57ed40c873c60d2d9e16efebd583c4b48b
Instruction ID: 432e161aea4f174ce83445228141825592bcfe045fa268571b76ed968e7bd004
Opcode Fuzzy Hash: 701a77b742cf518ef666b2433d501a57ed40c873c60d2d9e16efebd583c4b48b
Instruction Fuzzy Hash: 2F51B6307043019ADB24AF65F891B7AF3E5EF49310F20A81FE5D6EB291DB7098849B56

Function 00E79A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0153EFE8,?), ref: 00E79AD2
ScreenToClient.USER32(00000002,00000002), ref: 00E79B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00E79B72

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 347800d6deebecbc5efb58a8c7e066d62ae17230760cf08a166c046929cc9ec2
Instruction ID: 67a1708d82c278f5e7d65f2aad6d430d85f8a56e558e54e645acfda62fbd25af
Opcode Fuzzy Hash: 347800d6deebecbc5efb58a8c7e066d62ae17230760cf08a166c046929cc9ec2
Instruction Fuzzy Hash: 31514135A00209EFCF14DF68D8819AE7BB6FF55324F14D259F819AB291D730AD81CB94

Function 00E5BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E5BB09
GetLastError.KERNEL32(?,00000000), ref: 00E5BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E5BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E5BB80

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 853972d08015bf9455a66372f47706f93fb8b4e3c191bc2d7ed58de8d0d98ed3
Instruction ID: c7596d122e02ae27053bd876d9902486785638b8179e4db521ce75b8a565acf8
Opcode Fuzzy Hash: 853972d08015bf9455a66372f47706f93fb8b4e3c191bc2d7ed58de8d0d98ed3
Instruction Fuzzy Hash: 53412B35600514DFCB10EF25C594A69BBE1EF89314B0AD498ED4AAB362CB70FD45CBA1

Function 00E78AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E78B4D

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: cd84c8d32b3fc0fe5400b4b3fabd9d5f9f7afe0b7851e24eb574dff0bb6aec96
Instruction ID: 562b9b0d1555fd14a26a1ccbeb478407dfeb54eaba364e1b6da541847501eb80
Opcode Fuzzy Hash: cd84c8d32b3fc0fe5400b4b3fabd9d5f9f7afe0b7851e24eb574dff0bb6aec96
Instruction Fuzzy Hash: 9A31F678680204BFEB248E28CD9DFE93764EB25314F24D616FA49F62A0CF30AD409751

Function 00E7ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00E7AE1A
GetWindowRect.USER32(?,?), ref: 00E7AE90
PtInRect.USER32(?,?,00E7C304), ref: 00E7AEA0
MessageBeep.USER32(00000000), ref: 00E7AF11

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4763357d643340fe52899da50e00b08ea104458d57801bd00e4e18ee4bc4ba15
Instruction ID: 3151d0022767c8ba509b145040405ea69586c75948db84584229c9ea2f960e7a
Opcode Fuzzy Hash: 4763357d643340fe52899da50e00b08ea104458d57801bd00e4e18ee4bc4ba15
Instruction Fuzzy Hash: C7418C71600119DFCB15CF59D884AAEBBF5FB88340F18D1B9E81CAB261D730A885DB92

Function 00E50FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E51037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00E51053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00E510B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00E5110B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d803d6066353f6727fb7afc3587c61dcdee02ec12ad70a04befd7d208337436b
Instruction ID: cb6115feaa12160d12bb14318210d78864e90546196f592108be47bec3d0ceb4
Opcode Fuzzy Hash: d803d6066353f6727fb7afc3587c61dcdee02ec12ad70a04befd7d208337436b
Instruction Fuzzy Hash: 5B315930E40688AEFB30CA668C05BFDBBA9AB44316F045A9AFD90721D0C3748DCC8751

Function 00E51121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00E51176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00E51192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00E511F1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00E51243

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 10f445bc565a913a8a6ab4e684a54e4200874ee2b5d793d56e44a2d04c8048c1
Instruction ID: 73e884f0baef8df83c9153310a89bdbd8aa7cdf3f2294a4c902073e1e3d2f04b
Opcode Fuzzy Hash: 10f445bc565a913a8a6ab4e684a54e4200874ee2b5d793d56e44a2d04c8048c1
Instruction Fuzzy Hash: 28316830941A089EEF20CA658C047FE7BAAAB49316F046BDAF981B21E1C3744D8C9761

Function 00E26415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E2644B
__isleadbyte_l.LIBCMT ref: 00E26479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E264A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E264DD

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 78deba1e27513661ba4d687f20c4ed55dbdfc29b985a2c7170baa640a3d1a26c
Instruction ID: 948a85215800ca5a05dc88d804d504e9ed59eea4e2e143ee1a2a53489047d179
Opcode Fuzzy Hash: 78deba1e27513661ba4d687f20c4ed55dbdfc29b985a2c7170baa640a3d1a26c
Instruction Fuzzy Hash: 78310430600266EFDB21AF75D844BBA7BE5FF00314F155229E8B4A71A1D731D890CB90

Function 00E75175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00E75189

Part of subcall function 00E5387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E53897
Part of subcall function 00E5387D: GetCurrentThreadId.KERNEL32 ref: 00E5389E
Part of subcall function 00E5387D: AttachThreadInput.USER32(00000000,?,00E552A7), ref: 00E538A5

GetCaretPos.USER32(?), ref: 00E7519A
ClientToScreen.USER32(00000000,?), ref: 00E751D5
GetForegroundWindow.USER32 ref: 00E751DB

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 025dce7a12799c52407b6605e0b12867a3e86f049dc13c01cfb2ee77c91aa3c2
Instruction ID: beec4a3e02863b0dff5a0ae6770959fa97cc6989b9188355286b977c4d202d6a
Opcode Fuzzy Hash: 025dce7a12799c52407b6605e0b12867a3e86f049dc13c01cfb2ee77c91aa3c2
Instruction Fuzzy Hash: D9311C71D00108AFDB04EFA5C845AEFF7F9EF98300B11806AE915E7241EA759E45CBA0

Function 00E10BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00E10BF2

Part of subcall function 00DF5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E57B20,?,?,00000000), ref: 00DF5B8C
Part of subcall function 00DF5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E57B20,?,?,00000000,?,?), ref: 00DF5BB0

_fprintf.LIBCMT ref: 00E10C29
OutputDebugStringW.KERNEL32(?), ref: 00E46331

Part of subcall function 00E14CDA: _flsall.LIBCMT ref: 00E14CF3

__setmode.LIBCMT ref: 00E10C5E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 6f7a96fc51dae3e35793fecce5f56a18276672ac0e33af9d686a4de2bf5ab130
Instruction ID: 5c6daddad412ef9fc5c10d1e9d834f0274e40c994161dae1c9e7451199d70430
Opcode Fuzzy Hash: 6f7a96fc51dae3e35793fecce5f56a18276672ac0e33af9d686a4de2bf5ab130
Instruction Fuzzy Hash: C7110AB19042087EDB04B7B4AC439FEBBA9DF85320F14615AF208772D2DE615DC68BE5

Function 00E48B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E48652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E48669
Part of subcall function 00E48652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E48673
Part of subcall function 00E48652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E48682
Part of subcall function 00E48652: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00E48689
Part of subcall function 00E48652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E4869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E48BEB
_memcmp.LIBCMT ref: 00E48C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E48C44
HeapFree.KERNEL32(00000000), ref: 00E48C4B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: 469991a2a2b3346d49d1950aad0d296307a1e3a671cd7e665293e0d8488340d8
Instruction ID: d7547712d95a55f013c121e41ff5651195597b6251eb1d28497439d841cc892a
Opcode Fuzzy Hash: 469991a2a2b3346d49d1950aad0d296307a1e3a671cd7e665293e0d8488340d8
Instruction Fuzzy Hash: F7218971E02208AFCB00CFA4DA84BEEB7B8EF50348F044099E458B7240DB31AA46CB61

Function 00E61A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E61A97

Part of subcall function 00E61B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E61B40
Part of subcall function 00E61B21: InternetCloseHandle.WININET(00000000), ref: 00E61BDD

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: dbf4ac94316f6d7f5457ec1d6a2dd1a7d9c6854edd82ddb6d1e5c0f984949e33
Instruction ID: b565625cb867f3c2b36936864ec16906deb3850f127dee8959624890e60e3cf1
Opcode Fuzzy Hash: dbf4ac94316f6d7f5457ec1d6a2dd1a7d9c6854edd82ddb6d1e5c0f984949e33
Instruction Fuzzy Hash: 4121D435280601BFDB169F60EC05FBABBADFF44781F18101EFA15A6550E731E8149B90

Function 00E4E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E4F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00E4E1C4,?,?,?,00E4EFB7,00000000,000000EF,00000119,?,?), ref: 00E4F5BC
Part of subcall function 00E4F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00E4F5E2
Part of subcall function 00E4F5AD: lstrcmpiW.KERNEL32(00000000,?,00E4E1C4,?,?,?,00E4EFB7,00000000,000000EF,00000119,?,?), ref: 00E4F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00E4EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E4E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00E4E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00E4EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E4E237

Strings

cdecl, xrefs: 00E4E22E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 42e2b8551ff100cc33822e20d37b77c4194ed96c2406d3f2931034b8391a8b4a
Instruction ID: ee9e50414090583b39823e013c5f09f265695781833c1a08b7344956fbcd5ec3
Opcode Fuzzy Hash: 42e2b8551ff100cc33822e20d37b77c4194ed96c2406d3f2931034b8391a8b4a
Instruction Fuzzy Hash: 7011D036200301EFCB25AF74EC45D7A77A8FF89350B40502AF806DB260EBB1A891D7A4

Function 00E25332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E25351

Part of subcall function 00E1594C: __FF_MSGBANNER.LIBCMT ref: 00E15963
Part of subcall function 00E1594C: __NMSG_WRITE.LIBCMT ref: 00E1596A
Part of subcall function 00E1594C: RtlAllocateHeap.NTDLL(01520000,00000000,00000001), ref: 00E1598F

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: a7bb6c1dae6fef2a74d2ffde2370fff61cd9c59310552c2f445ccd38867d394f
Instruction ID: 4220e02e864907e2bcd67f4bc480002ebf73a76df914d84a7ec4b885a3a44e7f
Opcode Fuzzy Hash: a7bb6c1dae6fef2a74d2ffde2370fff61cd9c59310552c2f445ccd38867d394f
Instruction Fuzzy Hash: CC11E373504B25AFCF21AF70BE456EE37D89F143A4F20352AF949BA191DE7189818790

Function 00DF4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DF4560

Part of subcall function 00DF410D: _memset.LIBCMT ref: 00DF418D
Part of subcall function 00DF410D: _wcscpy.LIBCMT ref: 00DF41E1
Part of subcall function 00DF410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DF41F1

KillTimer.USER32(?,00000001,?,?), ref: 00DF45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DF45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E2D6CE

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: a1688d0bbe4c9ea85e8a911ff5a2a807dad283e001a23042e5a7818f0928ca2e
Instruction ID: f075cfde408fcdafe0c7291f19afa487f3cee7e07ce41bc0e4528f71fcb48258
Opcode Fuzzy Hash: a1688d0bbe4c9ea85e8a911ff5a2a807dad283e001a23042e5a7818f0928ca2e
Instruction Fuzzy Hash: 0921A770908798AFEB329B24DC55BF7BBEC9F01308F04509EE79E66285C7745A888B51

Function 00E48AF9 Relevance: 6.1, APIs: 4, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E48B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00E48B31
CloseHandle.KERNEL32(00000004), ref: 00E48B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E48B7A

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 13940f0f33b4ebc1e88483362387714755f77650ba24373ec9320dffc461e01d
Instruction ID: 8872e46f6ace6210f17157398191d74b4ec3f490f4402c1d45143c0436793cc5
Opcode Fuzzy Hash: 13940f0f33b4ebc1e88483362387714755f77650ba24373ec9320dffc461e01d
Instruction Fuzzy Hash: A21147B6500209AFDF01CFA5ED49FDE7BA9FF08349F045065FA08B2160C6729DA4AB60

Function 00E6667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E57B20,?,?,00000000), ref: 00DF5B8C
Part of subcall function 00DF5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E57B20,?,?,00000000,?,?), ref: 00DF5BB0

gethostbyname.WS2_32(?), ref: 00E666AC
WSAGetLastError.WS2_32(00000000), ref: 00E666B7
_memmove.LIBCMT ref: 00E666E4
inet_ntoa.WS2_32(?), ref: 00E666EF

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 6c089c8c9ae780c6608d49a7b6f51eb2bde615490c226c78331f2ba0d3040b04
Instruction ID: 975c5673264172e854fda73f0e56f46091528429f2393e6044451f3715108037
Opcode Fuzzy Hash: 6c089c8c9ae780c6608d49a7b6f51eb2bde615490c226c78331f2ba0d3040b04
Instruction Fuzzy Hash: 80119035900508AFCB04EBA0ED96DEEB7B8EF04310B158065F606B7161DF30AE44CB71

Function 00E49023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00E49043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E49055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E4906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E49086

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d9b9c47c3193ba8015ec34fa52e40414f912aa55554d19c144c26799bd2bf5f2
Instruction ID: d1100ddfd8b9f1d794b9b8311f8389e617987ff7add2c77fdf4378a4f66c41a5
Opcode Fuzzy Hash: d9b9c47c3193ba8015ec34fa52e40414f912aa55554d19c144c26799bd2bf5f2
Instruction Fuzzy Hash: 99115E79900218FFDB10DFA5CC84E9EBBB4FB48710F204095E904B7290D6716E50DB90

Function 00E51652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E501FD,?,00E51250,?,00008000), ref: 00E5166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00E501FD,?,00E51250,?,00008000), ref: 00E51694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E501FD,?,00E51250,?,00008000), ref: 00E5169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00E501FD,?,00E51250,?,00008000), ref: 00E516D1

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 6eb2c4395dc2278f744faef80102ac17b3650c0029f6b050504b5b42292d4cef
Instruction ID: e264b0ce00d21bbc561779811a99cf39939c8378fb2d8f7f805fddcb2b627c60
Opcode Fuzzy Hash: 6eb2c4395dc2278f744faef80102ac17b3650c0029f6b050504b5b42292d4cef
Instruction Fuzzy Hash: C7114831C01518EBCF00AFA6D848BEEBB78FF09752F444495ED44B2240CBB055A8CBA6

Function 00E27207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00E2722B

Part of subcall function 00E27912: __fltout2.LIBCMT ref: 00E2793B

__cftog_l.LIBCMT ref: 00E27251
__cftoe_l.LIBCMT ref: 00E27283

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: cdbcc3682453d63bcd38f1d2efc5333f3b475aa1bb90730bb8a0d877438d3b8a
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 4C01807304415EFBCF125E84EC028EE3F62BF59345B099515FE9868031D237C9B1AB81

Function 00E7B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E7B59E
ScreenToClient.USER32(?,?), ref: 00E7B5B6
ScreenToClient.USER32(?,?), ref: 00E7B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E7B5F5

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 2d26346d918d76b3f4f51bd06593398f0016b38d9cb31f40e69b961ae54c63fa
Instruction ID: 9ac24b32262de7a5ab32e65ea80771f624516f977b8f177a9ccd8deb055c11aa
Opcode Fuzzy Hash: 2d26346d918d76b3f4f51bd06593398f0016b38d9cb31f40e69b961ae54c63fa
Instruction Fuzzy Hash: 161146B5D00209EFDB41DF99C844AEEFBB5FB08310F108166E915E3220D735AA558F91

Function 00E7B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E7B8FE
_memset.LIBCMT ref: 00E7B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00EB7F20,00EB7F64), ref: 00E7B93C
CloseHandle.KERNEL32 ref: 00E7B94E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 375c40c3920f6e556da4a6acae384414aff98198a5c7949f3e3f0dcf9c1c63ee
Instruction ID: d90e262a9605e4ad2318a12fa6d4ebed219799ccbd78344b9bf26a9ffed035dc
Opcode Fuzzy Hash: 375c40c3920f6e556da4a6acae384414aff98198a5c7949f3e3f0dcf9c1c63ee
Instruction Fuzzy Hash: 4EF054B16443007FE2106B72AC06FBB3A9CEB48354F005020FB4CF5591D771494487AC

Function 00E56E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00E56E88

Part of subcall function 00E5794E: _memset.LIBCMT ref: 00E57983

_memmove.LIBCMT ref: 00E56EAB
_memset.LIBCMT ref: 00E56EB8
RtlLeaveCriticalSection.NTDLL(?), ref: 00E56EC8

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 3e472ed7138dbb9e82c5619c376fcde6494c032c38c499a4048843cf399f86fe
Instruction ID: 15fcfaedfda9620484395ac795d77773f34839a776fa28617e94fd698b260c81
Opcode Fuzzy Hash: 3e472ed7138dbb9e82c5619c376fcde6494c032c38c499a4048843cf399f86fe
Instruction Fuzzy Hash: 23F0543A104200ABCF01AF55DC85E89BB6AEF49321B048065FE0C6E22BC731E995CBB4

Function 00E7C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00DF12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DF134D
Part of subcall function 00DF12F3: SelectObject.GDI32(?,00000000), ref: 00DF135C
Part of subcall function 00DF12F3: BeginPath.GDI32(?), ref: 00DF1373
Part of subcall function 00DF12F3: SelectObject.GDI32(?,00000000), ref: 00DF139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E7C030
LineTo.GDI32(00000000,?,?), ref: 00E7C03D
EndPath.GDI32(00000000), ref: 00E7C04D
StrokePath.GDI32(00000000), ref: 00E7C05B

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 53fc284ea9d5eaa10345811524949f9ef8498b38f6e89676dfe24ffc02bedaaf
Instruction ID: 0d13312d76f7bbe5aa12edaff36a2834224ab37fbb29c0d1f92d424fc14f05f7
Opcode Fuzzy Hash: 53fc284ea9d5eaa10345811524949f9ef8498b38f6e89676dfe24ffc02bedaaf
Instruction Fuzzy Hash: B1F0BE31001259FFDB12AF92AC0AFCE3F99AF05310F148100FA19311E2877905A8DBE5

Function 00E4A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E4A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E4A3AC
GetCurrentThreadId.KERNEL32 ref: 00E4A3B3
AttachThreadInput.USER32(00000000), ref: 00E4A3BA

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d35aa92fe266ac6a3ea7684ecbbc2f8bb881ca1850d71883d686fa79a20901f1
Instruction ID: b5ee894dc1fa05c041425f9ddad6df7fe6cb1ec48e7888fab3d80f15471358d1
Opcode Fuzzy Hash: d35aa92fe266ac6a3ea7684ecbbc2f8bb881ca1850d71883d686fa79a20901f1
Instruction Fuzzy Hash: 66E01571585228BADB209FA2EC0CEDB3F5CEF167A1F048034F509A4060D671C5848BE0

Function 00DF2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00DF2231
SetTextColor.GDI32(?,000000FF), ref: 00DF223B
SetBkMode.GDI32(?,00000001), ref: 00DF2250
GetStockObject.GDI32(00000005), ref: 00DF2258
GetWindowDC.USER32(?,00000000), ref: 00E2C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E2C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00E2C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00E2C112
GetPixel.GDI32(00000000,?,?), ref: 00E2C132
ReleaseDC.USER32(?,00000000), ref: 00E2C13D

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 7d1044635f87f2f0187273a8efb6ec76509a4317e1a814b306eee69b6f3283e7
Instruction ID: 2a4ff6142d7536d56efe9c88318d869761c0142c16fd4000837fcb405820f37a
Opcode Fuzzy Hash: 7d1044635f87f2f0187273a8efb6ec76509a4317e1a814b306eee69b6f3283e7
Instruction Fuzzy Hash: 1BE03031104144EEDB219F65FC097D83B10AB05336F148366FA6D680E2877149D4DB11

Function 00E48C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00E48C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00E4882E), ref: 00E48C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E4882E), ref: 00E48C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00E4882E), ref: 00E48C7E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 553b2e9da291a8a121da9285746516fa2d1b28616f3beba0db78c38e7b4605cb
Instruction ID: 24df3ea4c94ac01a4215e7639cda1b4d175aa79ecf4471d672d97ed21d7a807a
Opcode Fuzzy Hash: 553b2e9da291a8a121da9285746516fa2d1b28616f3beba0db78c38e7b4605cb
Instruction Fuzzy Hash: E3E08636A42211EFD7209FB26E0CB5A7BACFF50797F054828F249EA050DA3484C9CB61

Function 00E32187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E32187
GetDC.USER32(00000000), ref: 00E32191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E321B1
ReleaseDC.USER32(?), ref: 00E321D2

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 81c86b2dc56fed90d888f8df99eb9342c69c1032f5a77e2540432698b3003d22
Instruction ID: b55bc0b5d4460c220bf897069e024c7e2fe0434eca531368be0552405b0bc9a8
Opcode Fuzzy Hash: 81c86b2dc56fed90d888f8df99eb9342c69c1032f5a77e2540432698b3003d22
Instruction Fuzzy Hash: CDE0E575804208EFDB019FA1D908AAD7BB1EB4C350F118429FA5AA7220CB7881869F90

Function 00E3219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E3219B
GetDC.USER32(00000000), ref: 00E321A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E321B1
ReleaseDC.USER32(?), ref: 00E321D2

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a15b1a58e9bb5f9b8f5dd7a165226b0a5f79c5511f0da001d82ca491039d1e50
Instruction ID: 75f1129b4b212deceee43eb26a99c79d46730b0246f455774b07f9e70f0a44b6
Opcode Fuzzy Hash: a15b1a58e9bb5f9b8f5dd7a165226b0a5f79c5511f0da001d82ca491039d1e50
Instruction Fuzzy Hash: A9E0E575804208AFCB019FA1D8086AD7BA1EB4C310F118025F95AA7220CB7891859F90

Function 00DF63A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%, xrefs: 00DF63AE

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2291192146
Opcode ID: be8c75e75a537a39c139853c2024cbe63ecdcb2a87899dc09022f2f9ee862b2d
Instruction ID: ffd48995d1de5f09f5d205d4d48d29f3efa0002fd53d3a9443a59807288ce315
Opcode Fuzzy Hash: be8c75e75a537a39c139853c2024cbe63ecdcb2a87899dc09022f2f9ee862b2d
Instruction Fuzzy Hash: EAB19D7180420DAACF14EF98C8819FEB7B5EF44310F56C06AEB42A7695DA30DE85CB71

Function 00E6B1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 00E6B2C3

Strings

xr, xrefs: 00E6B325
xr, xrefs: 00E6B2F9

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __itow_s
String ID: xr$xr
API String ID: 3653519197-2528877900
Opcode ID: ffc3556a10a394daa85671357860b2b206646ed9a43cf5e6d0e09497dec951fb
Instruction ID: 72a96a91174b07d13276ae680c57cf35dc01ba2662bf0989500827b019ca4f01
Opcode Fuzzy Hash: ffc3556a10a394daa85671357860b2b206646ed9a43cf5e6d0e09497dec951fb
Instruction Fuzzy Hash: 5EB18E70A40109ABCB14DF54D891EFAB7B9EF58344F149459FA45EB292EB30E981CB60

Function 00E69A72 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00E47652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E4758C,80070057,?,?), ref: 00E47698

_memset.LIBCMT ref: 00E69B28
_memset.LIBCMT ref: 00E69C6B

Strings

NULL Pointer assignment, xrefs: 00E69CF0

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memset$lstrcmpi
String ID: NULL Pointer assignment
API String ID: 1020867613-2785691316
Opcode ID: 533cc37420ab3be9798f7fb114622beed5ee572590e0f6dc7d9495e915076fb0
Instruction ID: 158eaf96d9b84ca39244f9b947160c214a41e127089a83a9d367588007e7bec4
Opcode Fuzzy Hash: 533cc37420ab3be9798f7fb114622beed5ee572590e0f6dc7d9495e915076fb0
Instruction Fuzzy Hash: AA912971D00219ABDF10DFA5EC85AEEBBB9EF08750F208169F519B7241DB716A44CFA0

Function 00E5B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E0FEC6: _wcscpy.LIBCMT ref: 00E0FEE9

Part of subcall function 00DF9997: __itow.LIBCMT ref: 00DF99C2
Part of subcall function 00DF9997: __swprintf.LIBCMT ref: 00DF9A0C

__wcsnicmp.LIBCMT ref: 00E5B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00E5B361

Strings

LPT, xrefs: 00E5B292

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: b5f1d2f90bee764537e2acf7b08b2d6181bc8545cbbd3eeb73ba311fa77bd58d
Instruction ID: 895ca15f584755119fbd118a0cd73eacd72fe7eaa75661eba43bc75fd74c1661
Opcode Fuzzy Hash: b5f1d2f90bee764537e2acf7b08b2d6181bc8545cbbd3eeb73ba311fa77bd58d
Instruction Fuzzy Hash: 43616E75E00219AFCB14DF94C891EAEB7B4EB08315F119469F946BB291DB70AE84CB60

Function 00E38A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E38B1E
_memmove.LIBCMT ref: 00E38B78

Strings

Oa, xrefs: 00E38BF2, 00E3E39A, 00E3E3B6

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _memmove
String ID: Oa
API String ID: 4104443479-3945284152
Opcode ID: 49c3ce0204c9ad7e9ca72314e8429a11460f913a0e29da20e13cf13f9b12e0ba
Instruction ID: 7e6577faf58761c0f3c7fcc15f7156bdfd7164e4f433344e295b0988bf998fcd
Opcode Fuzzy Hash: 49c3ce0204c9ad7e9ca72314e8429a11460f913a0e29da20e13cf13f9b12e0ba
Instruction Fuzzy Hash: 805152B0900609DFCB65CF68C584AEEBBF1FF44308F14552AE85AE7350D731A995CB51

Function 00E02AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E02AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E02AE1

Strings

@, xrefs: 00E02AD5

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 8dd046ca93d178506f69f74d25e982b5d5e154a9f1fbc3e6f0df6abb2fee5162
Instruction ID: ae5985355e3baffc2fb7f385ceedf173a08458cac824149a6e1bdf9de2ecaf4c
Opcode Fuzzy Hash: 8dd046ca93d178506f69f74d25e982b5d5e154a9f1fbc3e6f0df6abb2fee5162
Instruction Fuzzy Hash: 98514A728187489BD320AF15DC95BAFBBE8FF84310F42885DF6D9511A1EB308569CB26

Function 00E599BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00DF506B: __fread_nolock.LIBCMT ref: 00DF5089

_wcscmp.LIBCMT ref: 00E59AAE
_wcscmp.LIBCMT ref: 00E59AC1

Strings

FILE, xrefs: 00E599FA

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 54ab0e10da040cb01464b450667d56095f72cf8186f2a914b6749822c0aa3ae7
Instruction ID: f8861c4d74b02530f8a2e65a65403d581767e09e30710d961b564bed89775ac0
Opcode Fuzzy Hash: 54ab0e10da040cb01464b450667d56095f72cf8186f2a914b6749822c0aa3ae7
Instruction Fuzzy Hash: ED41D571A00609BADF209AA0DC46FEFB7F9DF45714F014469FA00B7182DA75AA0487B5

Function 00E3099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00E309A9

Strings

Dt, xrefs: 00DFA477
Dt, xrefs: 00DFA2B1

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ClearVariant
String ID: Dt$Dt
API String ID: 1473721057-4168040075
Opcode ID: e1dba87631c21e140f5900624509addf11fca1b382f2202b191cc057ad241c7a
Instruction ID: 9338c8038f76fe7d34cd294ca080f15933493d6c47ce31628c86b1a5166be44e
Opcode Fuzzy Hash: e1dba87631c21e140f5900624509addf11fca1b382f2202b191cc057ad241c7a
Instruction Fuzzy Hash: EB5105B86083458FC754CF19C080A2ABBF1BF98344F55985DEA899B321D731EC85CF62

Function 00E62882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E62892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00E628C8

Strings

|, xrefs: 00E62899

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 492484d14b68a4d77afaca7e9535ca3a5e76f9d2c3b9fb3a2884c7818ec51fe1
Instruction ID: 746724ef97a3193210d3da39e7ca5356ac765c8588d964d50ce8bac8eee9ab8d
Opcode Fuzzy Hash: 492484d14b68a4d77afaca7e9535ca3a5e76f9d2c3b9fb3a2884c7818ec51fe1
Instruction Fuzzy Hash: 37311871800119AFDF01EFA1DC85EEEBFB9FF08350F104029EA15BA166DA315A56DBB0

Function 00E76CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00E76D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E76DC2

Strings

static, xrefs: 00E76D22

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 429abf457c8eaef3851d1144450c35f550dbdb2f643497502b2d153221780949
Instruction ID: b60ca530a9e5c2cb704068783e16e1efee2b770832f2189b2701243c0d745fd2
Opcode Fuzzy Hash: 429abf457c8eaef3851d1144450c35f550dbdb2f643497502b2d153221780949
Instruction Fuzzy Hash: 4B316F71210604AEDB209F64DC40BFB77B9FF48728F10D619FA99A7190DA31AC91CB60

Function 00E52D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E52E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E52E3B

Strings

0, xrefs: 00E52DF9

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: cbc5c02b8b5ddc3d5a5f5e0d8bb6c983565b9f2ee3c9061fbfa0634daceae469
Instruction ID: 178b2b43b0b3a9a8b1fcfb7541c6fb73d4c3ff2d6750fa795bc124ae4ea0bbac
Opcode Fuzzy Hash: cbc5c02b8b5ddc3d5a5f5e0d8bb6c983565b9f2ee3c9061fbfa0634daceae469
Instruction Fuzzy Hash: D731D731A00305ABEB26CF58D8867DEBBF9EF06355F14186DEE85B61A0DB709D48CB50

Function 00E76943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E769D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E769DB

Strings

Combobox, xrefs: 00E7699D

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 4563d5dd503d0b2925facc648debbb54d589063d96e61755d8ca3036513448c4
Instruction ID: a7cee4f8fde9cca5a9326078980c173c1b83a36e6b929ea87be365ba73c4036e
Opcode Fuzzy Hash: 4563d5dd503d0b2925facc648debbb54d589063d96e61755d8ca3036513448c4
Instruction Fuzzy Hash: DA11B6716006096FEF119E14CC90EFB376AEB893ACF119125FA5CAB291D7719C5187A0

Function 00E76E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00DF1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DF1D73
Part of subcall function 00DF1D35: GetStockObject.GDI32(00000011), ref: 00DF1D87
Part of subcall function 00DF1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DF1D91

GetWindowRect.USER32(00000000,?), ref: 00E76EE0
GetSysColor.USER32(00000012), ref: 00E76EFA

Strings

static, xrefs: 00E76EBD

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 318779d99828a46cf812b393deccc462cd0c9e2deb11118216b451723c127d5a
Instruction ID: 404ca32caa245865f06bae5d86c2de3f0e1a7c2987c998b93b65f1fc1b2ebdf5
Opcode Fuzzy Hash: 318779d99828a46cf812b393deccc462cd0c9e2deb11118216b451723c127d5a
Instruction Fuzzy Hash: B5213D72610609AFDB04DFA8DD45AFA7BB8FB08318F049629FD59E3250D734E851DB60

Function 00E76B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00E76C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E76C20

Strings

edit, xrefs: 00E76BF5

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5d850316dd7c42efa0f400363bf4954ed3b1d5a91ffe0589903c6fff3612f70c
Instruction ID: 2af9f51a72b3a51bbd89c4574208bc28c9a3642a86f7b2c5fb124a6bf1d9198f
Opcode Fuzzy Hash: 5d850316dd7c42efa0f400363bf4954ed3b1d5a91ffe0589903c6fff3612f70c
Instruction Fuzzy Hash: 9311BC71500608AFEB118E64DC41AFB3769EB0537CF209724F968E31E0C735DC909B60

Function 00E52E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E52F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E52F30

Strings

0, xrefs: 00E52F07

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: dfb10844d766c254dcb276890801780a00e4bb9e01f3ac2cdfa837a048ac27fa
Instruction ID: 48f3c0408f95d8968bce4b50bd3555db4a7d4935c44e78c6e5208ce99fa6eae4
Opcode Fuzzy Hash: dfb10844d766c254dcb276890801780a00e4bb9e01f3ac2cdfa837a048ac27fa
Instruction Fuzzy Hash: 1D11D332E01114ABCB35DB58EC45B9E73B9EB06319F0415A9EE44B72A0DB70AD0C87E1

Function 00E624CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E62520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E62549

Strings

<local>, xrefs: 00E62511

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f3d3a6074ef1d7ee40c7c3c147c8ea9cf39f1412d8313e94afcde163a24d3186
Instruction ID: c74d995c14e64f812107d6ca2d97071938cef7d62d234fb8dfdf0e246ad54300
Opcode Fuzzy Hash: f3d3a6074ef1d7ee40c7c3c147c8ea9cf39f1412d8313e94afcde163a24d3186
Instruction Fuzzy Hash: EE110170180A21BEDB248F119C98EFBFF68FB06395F00912EFA0666040D3706980D6A1

Function 00E680A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E6830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00E680C8,?,00000000,?,?), ref: 00E68322

inet_addr.WS2_32(00000000), ref: 00E680CB
htons.WS2_32(00000000), ref: 00E68108

Strings

255.255.255.255, xrefs: 00E680E3

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 170add227af9e58cb86602ba275377054a295790f927d60f7701fafbfd1434c8
Instruction ID: da4ed9e67bf5739067dd5bce37ed06e38edc47ea3879f2250ac3484a8c4df6e9
Opcode Fuzzy Hash: 170add227af9e58cb86602ba275377054a295790f927d60f7701fafbfd1434c8
Instruction Fuzzy Hash: 1D11E534140209ABDB20AF64ED56FFEB374FF45360F109627EA11B7291DB31A815C751

Function 00E00A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DF3C26,00EB62F8,?,?,?), ref: 00E00ACE

Part of subcall function 00DF7D2C: _memmove.LIBCMT ref: 00DF7D66

_wcscat.LIBCMT ref: 00E350E1

Strings

c, xrefs: 00E00B0E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: c
API String ID: 257928180-921687731
Opcode ID: eec3dcddde0aa915829be2705320e68130aa6542ee9038697610dcfd85d9c57a
Instruction ID: c548351e482654ca2effd4ce2d12ba3adf4e9712ecbcb2150e2dd733fa34a07f
Opcode Fuzzy Hash: eec3dcddde0aa915829be2705320e68130aa6542ee9038697610dcfd85d9c57a
Instruction Fuzzy Hash: B211697590420C9ACB50EBA4DC02ED977F8EF58354F0150A5FA48F7191DA74DBC48B21

Function 00E492E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF7F41: _memmove.LIBCMT ref: 00DF7F82

Part of subcall function 00E4B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E4B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E49355

Strings

ComboBox, xrefs: 00E492F4
ListBox, xrefs: 00E4931F

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 6aaae36030ab5bcc7dd299b5e24ed67635245153785ea8dbeb7565ffe355bc6b
Instruction ID: db4e3afaca7a417c0dea1dd9ea797ebe7464b8667157bfed44aa228790eb12b7
Opcode Fuzzy Hash: 6aaae36030ab5bcc7dd299b5e24ed67635245153785ea8dbeb7565ffe355bc6b
Instruction Fuzzy Hash: 4101D271A01218AB8B08EFA4DC928FE7369FF06320B141619FA32772D2DB3169088670

Function 00E491DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF7F41: _memmove.LIBCMT ref: 00DF7F82

Part of subcall function 00E4B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E4B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00E4924D

Strings

ComboBox, xrefs: 00E491EC
ListBox, xrefs: 00E49217

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 1c81f18cafd5bb80b79074c0e23b02d4fc2538a5b0a057377d50a7a703616595
Instruction ID: c3c12a890ac1c41cf88ca74d4bd684ae6d5a6b8a146b6b1f581b8b9ca775c95b
Opcode Fuzzy Hash: 1c81f18cafd5bb80b79074c0e23b02d4fc2538a5b0a057377d50a7a703616595
Instruction Fuzzy Hash: 4C01A771E41208BBCB08EBA4E992DFF73ACDF45300F151019BA1277292EA516F1C96B1

Function 00E49264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF7F41: _memmove.LIBCMT ref: 00DF7F82

Part of subcall function 00E4B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E4B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00E492D0

Strings

ComboBox, xrefs: 00E49271
ListBox, xrefs: 00E4929C

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5a48189e29a075249c3d36ed4e98c47356a5609ce9d5b986026ab1545b6ad82d
Instruction ID: b234ce18046daea05dd5e9bb510d6bc8596b9d8e569bdea1a756afaffaa74b54
Opcode Fuzzy Hash: 5a48189e29a075249c3d36ed4e98c47356a5609ce9d5b986026ab1545b6ad82d
Instruction Fuzzy Hash: 9F01D671E41208BBCB04EBA4E982EFF77ACEF15300F255115BA1277293DA61AF0C9275

Function 00E16DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00E16DD0
__calloc_crt.LIBCMT ref: 00E16DE9

Strings

@R, xrefs: 00E16E00

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: __calloc_crt
String ID: @R
API String ID: 3494438863-2347139750
Opcode ID: 790752c91c0c8786a63bcea079d8ca630ec64263b4c1063cc8ef926072ee73b0
Instruction ID: d8b1204d8751cfbbc62cc5ba9cd86b5db730d4da8c71ecded3ded3fb78edb7c3
Opcode Fuzzy Hash: 790752c91c0c8786a63bcea079d8ca630ec64263b4c1063cc8ef926072ee73b0
Instruction Fuzzy Hash: 44F06272308616DFFB28EF5ABD516E627D5EB45724B14562AF204FA1B0EB3488C58680

Function 00E551CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00E551E8
_wcscmp.LIBCMT ref: 00E551FA

Strings

#32770, xrefs: 00E551F4

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: fd4c8047c6f93ddd966a20596e296b11e92322504efb71c232e7349940774f01
Instruction ID: ade8fd83ebfaabd6b41c3fddb9bff950bbf02f062af427a3c9ba4cbe3687bc78
Opcode Fuzzy Hash: fd4c8047c6f93ddd966a20596e296b11e92322504efb71c232e7349940774f01
Instruction Fuzzy Hash: 2BE02B325003291AD72096959C05BA7F7ACEB45721F000167FD14E3050E560A94987E0

Function 00E481BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E481CA

Part of subcall function 00E13598: _doexit.LIBCMT ref: 00E135A2

Strings

Error allocating memory., xrefs: 00E481C3
AutoIt, xrefs: 00E481BE

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: d0242b816d2fc937dde0d734719408d3ed4b649c5d7a82d8d4942385d72578c5
Instruction ID: 19a87256452ba847ea942a6e3ecb61b39dd3315b824237e0401c988c3a89cc48
Opcode Fuzzy Hash: d0242b816d2fc937dde0d734719408d3ed4b649c5d7a82d8d4942385d72578c5
Instruction Fuzzy Hash: A7D05B323C531836D21532F96D07FCA7A884B09F56F105056FB0C755D38DD199C243E9

Function 00E2B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E2B564: _memset.LIBCMT ref: 00E2B571

Part of subcall function 00E10B84: InitializeCriticalSectionAndSpinCount.KERNEL32(00EB5158,00000000,00EB5144,00E2B540,?,?,?,00DF100A), ref: 00E10B89

IsDebuggerPresent.KERNEL32(?,?,?,00DF100A), ref: 00E2B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00DF100A), ref: 00E2B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E2B54E

Memory Dump Source

Source File: 00000000.00000002.2001400320.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000000.00000002.2001386820.0000000000DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001400320.0000000000EF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001525425.0000000000EFA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001542820.0000000000EFB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df0000_Payment 23832 Proforma INV Bank Confirmation.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 439a4879e707c894b00ddb57ea073a9cf6fd9cd6f3f33099ddb99831e349051a
Instruction ID: 01512e1c85c91d88dbd997ca97024a4114fa50d7f65c36416cc0da32c032142d
Opcode Fuzzy Hash: 439a4879e707c894b00ddb57ea073a9cf6fd9cd6f3f33099ddb99831e349051a
Instruction Fuzzy Hash: D3E092702003208FDB21DF29E8047427BE4AF00704F04992DE586EB361DBB8D488CBA1

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment 23832 Proforma INV Bank Confirmation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut2F74.tmp

C:\Users\user\AppData\Local\Temp\aut2FF2.tmp

C:\Users\user\AppData\Local\Temp\dews

C:\Users\user\AppData\Local\Temp\syphilous

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Payment 23832 Proforma INV Bank Confirmation.exe

Function 00DF3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00DF3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Function 00DF4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00DF4FE9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Function 00E593DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00DF71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00DF3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00DF3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 00DF3015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
registrywindowclipboardCOMMON

Function 00DF3041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Function 00DFF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 014C25D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00DF39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 014C23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 141
fileCOMMON

Function 00DF410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre