Edit tour

Windows Analysis Report
Request for Quotations and specifications.pdf.exe

Overview

General Information

Sample name:	Request for Quotations and specifications.pdf.exe
Analysis ID:	1573553
MD5:	a27b87004e36c99c5ae138960f632287
SHA1:	b85c27e89d6eaf68a8cbc0d683546d46b8d270f6
SHA256:	31ee50c565b3d2bc907ce74e87ed30d9a282bcdd99995fce3924adb7d7028cb8
Tags:	exeMassLoggerQuotationuser-cocaman
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

File is packed with WinRar

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Request for Quotations and specifications.pdf.exe (PID: 6764 cmdline: "C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe" MD5: A27B87004E36C99C5AE138960F632287)

holy.exe (PID: 3032 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe" MD5: F072A1E438C9D2453EE1B74027D07DD2)

RegAsm.exe (PID: 2156 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

Acrobat.exe (PID: 4080 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\img.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 6540 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 4280 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2056 --field-trial-handle=1664,i,10022418553164981674,7923153825484368479,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "8030768790:AAFwJTXJb6rGHC9gtdsn8NQ4WDL395xAhlE", "Telegram Chatid": "698123469"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfc0d:$a1: get_encryptedPassword 0xff35:$a2: get_encryptedUsername 0xf99a:$a3: get_timePasswordChanged 0xfabb:$a4: get_passwordField 0xfc23:$a5: set_encryptedPassword 0x11581:$a7: get_logins 0x11232:$a8: GetOutlookPasswords 0x11024:$a9: StartKeylogger 0x114d1:$a10: KeyLoggerEventArgs 0x11081:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf55d:$a1: get_encryptedPassword 0xf885:$a2: get_encryptedUsername 0xf2ea:$a3: get_timePasswordChanged 0xf40b:$a4: get_passwordField 0xf573:$a5: set_encryptedPassword 0x10ed1:$a7: get_logins 0x10b82:$a8: GetOutlookPasswords 0x10974:$a9: StartKeylogger 0x10e21:$a10: KeyLoggerEventArgs 0x109d1:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xec5dd:$a1: get_encryptedPassword 0x103a0d:$a1: get_encryptedPassword 0xec905:$a2: get_encryptedUsername 0x103d35:$a2: get_encryptedUsername 0xec36a:$a3: get_timePasswordChanged 0x10379a:$a3: get_timePasswordChanged 0xec48b:$a4: get_passwordField 0x1038bb:$a4: get_passwordField 0xec5f3:$a5: set_encryptedPassword 0x103a23:$a5: set_encryptedPassword 0xedf51:$a7: get_logins 0x105381:$a7: get_logins 0xedc02:$a8: GetOutlookPasswords 0x105032:$a8: GetOutlookPasswords 0xed9f4:$a9: StartKeylogger 0x104e24:$a9: StartKeylogger 0xedea1:$a10: KeyLoggerEventArgs 0x1052d1:$a10: KeyLoggerEventArgs 0xeda51:$a11: KeyLoggerEventArgsEventHandler 0x104e81:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.2694976808.0000000003426000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: holy.exe PID: 3032	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: holy.exe PID: 3032	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: holy.exe PID: 3032	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: holy.exe PID: 3032	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: holy.exe PID: 3032	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4d25:$a1: get_encryptedPassword 0x18d23:$a1: get_encryptedPassword 0x4fcd:$a2: get_encryptedUsername 0x1903c:$a2: get_encryptedUsername 0x4ad9:$a3: get_timePasswordChanged 0x18ac4:$a3: get_timePasswordChanged 0x4bed:$a4: get_passwordField 0x18be5:$a4: get_passwordField 0x4d3b:$a5: set_encryptedPassword 0x18d39:$a5: set_encryptedPassword 0x61b7:$a7: get_logins 0x1a63e:$a7: get_logins 0x5ee5:$a8: GetOutlookPasswords 0x1a2ef:$a8: GetOutlookPasswords 0x5d2f:$a9: StartKeylogger 0x1a0e1:$a9: StartKeylogger 0x611c:$a10: KeyLoggerEventArgs 0x1a58e:$a10: KeyLoggerEventArgs 0x5d8c:$a11: KeyLoggerEventArgsEventHandler 0x1a13e:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegAsm.exe PID: 2156	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 2156	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2156	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 2156	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b9:$a1: get_encryptedPassword 0x15d2:$a2: get_encryptedUsername 0x105a:$a3: get_timePasswordChanged 0x117b:$a4: get_passwordField 0x12cf:$a5: set_encryptedPassword 0x2bd4:$a7: get_logins 0x2885:$a8: GetOutlookPasswords 0x2677:$a9: StartKeylogger 0x2b24:$a10: KeyLoggerEventArgs 0x26d4:$a11: KeyLoggerEventArgsEventHandler
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf75d:$a1: get_encryptedPassword 0xfa85:$a2: get_encryptedUsername 0xf4ea:$a3: get_timePasswordChanged 0xf60b:$a4: get_passwordField 0xf773:$a5: set_encryptedPassword 0x110d1:$a7: get_logins 0x10d82:$a8: GetOutlookPasswords 0x10b74:$a9: StartKeylogger 0x11021:$a10: KeyLoggerEventArgs 0x10bd1:$a11: KeyLoggerEventArgsEventHandler
3.2.RegAsm.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x148ad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x140b9:$a4: \Orbitum\User Data\Default\Login Data 0x14eb1:$a5: \Kometa\User Data\Default\Login Data
2.2.holy.exe.3d60e80.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.holy.exe.3d60e80.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.holy.exe.3d60e80.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.holy.exe.3d60e80.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd95d:$a1: get_encryptedPassword 0xdc85:$a2: get_encryptedUsername 0xd6ea:$a3: get_timePasswordChanged 0xd80b:$a4: get_passwordField 0xd973:$a5: set_encryptedPassword 0xf2d1:$a7: get_logins 0xef82:$a8: GetOutlookPasswords 0xed74:$a9: StartKeylogger 0xf221:$a10: KeyLoggerEventArgs 0xedd1:$a11: KeyLoggerEventArgsEventHandler
2.2.holy.exe.3d60e80.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12aad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11fab:$a3: \Google\Chrome\User Data\Default\Login Data 0x122b9:$a4: \Orbitum\User Data\Default\Login Data 0x130b1:$a5: \Kometa\User Data\Default\Login Data
2.2.holy.exe.3d22630.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.holy.exe.3d22630.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.holy.exe.3d22630.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.holy.exe.3d22630.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4dfad:$a1: get_encryptedPassword 0x653dd:$a1: get_encryptedPassword 0x4e2d5:$a2: get_encryptedUsername 0x65705:$a2: get_encryptedUsername 0x4dd3a:$a3: get_timePasswordChanged 0x6516a:$a3: get_timePasswordChanged 0x4de5b:$a4: get_passwordField 0x6528b:$a4: get_passwordField 0x4dfc3:$a5: set_encryptedPassword 0x653f3:$a5: set_encryptedPassword 0x4f921:$a7: get_logins 0x66d51:$a7: get_logins 0x4f5d2:$a8: GetOutlookPasswords 0x66a02:$a8: GetOutlookPasswords 0x4f3c4:$a9: StartKeylogger 0x667f4:$a9: StartKeylogger 0x4f871:$a10: KeyLoggerEventArgs 0x66ca1:$a10: KeyLoggerEventArgs 0x4f421:$a11: KeyLoggerEventArgsEventHandler 0x66851:$a11: KeyLoggerEventArgsEventHandler
2.2.holy.exe.3d22630.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x530fd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x6a52d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x525fb:$a3: \Google\Chrome\User Data\Default\Login Data 0x69a2b:$a3: \Google\Chrome\User Data\Default\Login Data 0x52909:$a4: \Orbitum\User Data\Default\Login Data 0x69d39:$a4: \Orbitum\User Data\Default\Login Data 0x53701:$a5: \Kometa\User Data\Default\Login Data 0x6ab31:$a5: \Kometa\User Data\Default\Login Data
2.2.holy.exe.3cfb200.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.holy.exe.3cfb200.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.holy.exe.3cfb200.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.holy.exe.3cfb200.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x753dd:$a1: get_encryptedPassword 0x8c80d:$a1: get_encryptedPassword 0x75705:$a2: get_encryptedUsername 0x8cb35:$a2: get_encryptedUsername 0x7516a:$a3: get_timePasswordChanged 0x8c59a:$a3: get_timePasswordChanged 0x7528b:$a4: get_passwordField 0x8c6bb:$a4: get_passwordField 0x753f3:$a5: set_encryptedPassword 0x8c823:$a5: set_encryptedPassword 0x76d51:$a7: get_logins 0x8e181:$a7: get_logins 0x76a02:$a8: GetOutlookPasswords 0x8de32:$a8: GetOutlookPasswords 0x767f4:$a9: StartKeylogger 0x8dc24:$a9: StartKeylogger 0x76ca1:$a10: KeyLoggerEventArgs 0x8e0d1:$a10: KeyLoggerEventArgs 0x76851:$a11: KeyLoggerEventArgsEventHandler 0x8dc81:$a11: KeyLoggerEventArgsEventHandler
2.2.holy.exe.3cfb200.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x7a52d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x9195d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x79a2b:$a3: \Google\Chrome\User Data\Default\Login Data 0x90e5b:$a3: \Google\Chrome\User Data\Default\Login Data 0x79d39:$a4: \Orbitum\User Data\Default\Login Data 0x91169:$a4: \Orbitum\User Data\Default\Login Data 0x7ab31:$a5: \Kometa\User Data\Default\Login Data 0x91f61:$a5: \Kometa\User Data\Default\Login Data
2.2.holy.exe.3d60e80.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.holy.exe.3d60e80.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.holy.exe.3d60e80.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.holy.exe.3d60e80.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf75d:$a1: get_encryptedPassword 0x26b8d:$a1: get_encryptedPassword 0xfa85:$a2: get_encryptedUsername 0x26eb5:$a2: get_encryptedUsername 0xf4ea:$a3: get_timePasswordChanged 0x2691a:$a3: get_timePasswordChanged 0xf60b:$a4: get_passwordField 0x26a3b:$a4: get_passwordField 0xf773:$a5: set_encryptedPassword 0x26ba3:$a5: set_encryptedPassword 0x110d1:$a7: get_logins 0x28501:$a7: get_logins 0x10d82:$a8: GetOutlookPasswords 0x281b2:$a8: GetOutlookPasswords 0x10b74:$a9: StartKeylogger 0x27fa4:$a9: StartKeylogger 0x11021:$a10: KeyLoggerEventArgs 0x28451:$a10: KeyLoggerEventArgs 0x10bd1:$a11: KeyLoggerEventArgsEventHandler 0x28001:$a11: KeyLoggerEventArgsEventHandler
2.2.holy.exe.3d60e80.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x148ad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2bcdd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13dab:$a3: \Google\Chrome\User Data\Default\Login Data 0x2b1db:$a3: \Google\Chrome\User Data\Default\Login Data 0x140b9:$a4: \Orbitum\User Data\Default\Login Data 0x2b4e9:$a4: \Orbitum\User Data\Default\Login Data 0x14eb1:$a5: \Kometa\User Data\Default\Login Data 0x2c2e1:$a5: \Kometa\User Data\Default\Login Data
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe", CommandLine: "C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe", CommandLine|base64offset|contains: ~, Image: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe, NewProcessName: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe", ProcessId: 6764, ProcessName: Request for Quotations and specifications.pdf.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T09:02:13.293315+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49704	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe

Avira: detection malicious, Label: HEUR/AGEN.1306767

Found malware configuration

Source: 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "8030768790:AAFwJTXJb6rGHC9gtdsn8NQ4WDL395xAhlE", "Telegram Chatid": "698123469"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe

Virustotal: Detection: 45%

Perma Link

Multi AV Scanner detection for submitted file

Source: Request for Quotations and specifications.pdf.exe

Virustotal: Detection: 44%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Request for Quotations and specifications.pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.8:49705 version: TLS 1.0

Source: Request for Quotations and specifications.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Runpe\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\Piver.pdb source: holy.exe, 00000002.00000002.1449424584.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, holy.exe, 00000002.00000002.1451805107.00000000051C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Request for Quotations and specifications.pdf.exe
Source:	Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Runpe\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\Piver.pdb_JyJ kJ_CorDllMainmscoree.dll source: holy.exe, 00000002.00000002.1449424584.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, holy.exe, 00000002.00000002.1451805107.00000000051C0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C6B190 SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF663C6B190
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C540BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF663C540BC
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C7FCA0 FindFirstFileExA,	0_2_00007FF663C7FCA0

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Code function: 4x nop then jmp 02B50DD9h	2_2_02B50B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 01735782h	3_2_01735358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 017351B9h	3_2_01734F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 01735782h	3_2_01735367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 01735782h	3_2_017356AF

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49704 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.8:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org

Source: RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2694976808.000000000333E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000003.00000002.2694976808.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: holy.exe, 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, holy.exe, 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: 77EC63BDA74BD0D0E0426DC8F80085060.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000003.00000002.2694976808.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegAsm.exe, 00000003.00000002.2694976808.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegAsm.exe, 00000003.00000002.2694976808.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2D85F72862B55C4EADD9E66E06947F3D.5.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: holy.exe, 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, holy.exe, 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: holy.exe, 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, holy.exe, 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175d
Source: RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175l

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.holy.exe.3d60e80.4.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.holy.exe.3d60e80.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.holy.exe.3d60e80.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.holy.exe.3d22630.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.holy.exe.3d22630.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.holy.exe.3cfb200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.holy.exe.3cfb200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.holy.exe.3d60e80.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.holy.exe.3d60e80.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: holy.exe PID: 3032, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 2156, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Request for Quotations and specifications.pdf.exe
Source: initial sample	Static PE information: Filename: Request for Quotations and specifications.pdf.exe

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

Code function: 0_2_00007FF663C4C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF663C4C2F0

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C63484	0_2_00007FF663C63484
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C5A4AC	0_2_00007FF663C5A4AC
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C6B190	0_2_00007FF663C6B190
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C54928	0_2_00007FF663C54928
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C4F930	0_2_00007FF663C4F930
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C70754	0_2_00007FF663C70754
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C61F20	0_2_00007FF663C61F20
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C6CE88	0_2_00007FF663C6CE88
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C45E24	0_2_00007FF663C45E24
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C5B534	0_2_00007FF663C5B534
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C653F0	0_2_00007FF663C653F0
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C4A310	0_2_00007FF663C4A310
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C4C2F0	0_2_00007FF663C4C2F0
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C47288	0_2_00007FF663C47288
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C5126C	0_2_00007FF663C5126C
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C621D0	0_2_00007FF663C621D0
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C5F180	0_2_00007FF663C5F180
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C7C838	0_2_00007FF663C7C838
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C44840	0_2_00007FF663C44840
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C476C0	0_2_00007FF663C476C0
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C82550	0_2_00007FF663C82550
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C78C1C	0_2_00007FF663C78C1C
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C5BB90	0_2_00007FF663C5BB90
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C64B98	0_2_00007FF663C64B98
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C55B60	0_2_00007FF663C55B60
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C85AF8	0_2_00007FF663C85AF8
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C7FA94	0_2_00007FF663C7FA94
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C62AB0	0_2_00007FF663C62AB0
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C41AA4	0_2_00007FF663C41AA4
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C51A48	0_2_00007FF663C51A48
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C789A0	0_2_00007FF663C789A0
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C5C96C	0_2_00007FF663C5C96C
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C63964	0_2_00007FF663C63964
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C82080	0_2_00007FF663C82080
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C5AF18	0_2_00007FF663C5AF18
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C68DF4	0_2_00007FF663C68DF4
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C70754	0_2_00007FF663C70754
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C62D58	0_2_00007FF663C62D58
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Code function: 2_2_02B532DF	2_2_02B532DF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Code function: 2_2_02B50B98	2_2_02B50B98
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Code function: 2_2_02B50B80	2_2_02B50B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0173C168	3_2_0173C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0173CA58	3_2_0173CA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_01732DD1	3_2_01732DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_01734F08	3_2_01734F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_01737E68	3_2_01737E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0173B9E0	3_2_0173B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_01737E63	3_2_01737E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_01734EF8	3_2_01734EF8

Source: Request for Quotations and specifications.pdf.exe, 00000000.00000002.2693047988.000001540F0CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAcrobat.exe< vs Request for Quotations and specifications.pdf.exe
Source: Request for Quotations and specifications.pdf.exe, 00000000.00000003.1441073247.00000154131F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameconfig.exe. vs Request for Quotations and specifications.pdf.exe

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.holy.exe.3d60e80.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.holy.exe.3d60e80.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.holy.exe.3d22630.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.holy.exe.3d22630.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.holy.exe.3cfb200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.holy.exe.3cfb200.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.holy.exe.3d60e80.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.holy.exe.3d60e80.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: holy.exe PID: 3032, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 2156, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: holy.exe.0.dr, NationalSymbols.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.holy.exe.3cfb200.2.raw.unpack, Foures.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.holy.exe.3d22630.3.raw.unpack, Foures.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.holy.exe.54a0000.6.raw.unpack, Foures.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.holy.exe.3d60e80.4.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.holy.exe.3d60e80.4.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@20/52@3/2

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

Code function: 0_2_00007FF663C4B6D8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF663C4B6D8

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

Code function: 0_2_00007FF663C68624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF663C68624

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\holy.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: Request for Quotations and specifications.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2694976808.00000000033CE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2694976808.00000000033EF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2694976808.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2694976808.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2694976808.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2695916494.00000000042FD000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Request for Quotations and specifications.pdf.exe

Virustotal: Detection: 44%

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

File read: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe "C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe"
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\img.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2056 --field-trial-handle=1664,i,10022418553164981674,7923153825484368479,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\img.pdf"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2056 --field-trial-handle=1664,i,10022418553164981674,7923153825484368479,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Request for Quotations and specifications.pdf.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Request for Quotations and specifications.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Request for Quotations and specifications.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Request for Quotations and specifications.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Request for Quotations and specifications.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Request for Quotations and specifications.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Request for Quotations and specifications.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Request for Quotations and specifications.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Request for Quotations and specifications.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Runpe\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\Piver.pdb source: holy.exe, 00000002.00000002.1449424584.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, holy.exe, 00000002.00000002.1451805107.00000000051C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Request for Quotations and specifications.pdf.exe
Source:	Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Runpe\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\Piver.pdb_JyJ kJ_CorDllMainmscoree.dll source: holy.exe, 00000002.00000002.1449424584.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, holy.exe, 00000002.00000002.1451805107.00000000051C0000.00000004.08000000.00040000.00000000.sdmp

Source: Request for Quotations and specifications.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Request for Quotations and specifications.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Request for Quotations and specifications.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Request for Quotations and specifications.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Request for Quotations and specifications.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: holy.exe.0.dr, Program.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: holy.exe.0.dr, Program.cs	.Net Code: LoadAndInvoke
Source: 2.2.holy.exe.3cfb200.2.raw.unpack, Fives.cs	.Net Code: FD System.AppDomain.Load(byte[])
Source: 2.2.holy.exe.3d22630.3.raw.unpack, Fives.cs	.Net Code: FD System.AppDomain.Load(byte[])
Source: 2.2.holy.exe.54a0000.6.raw.unpack, Fives.cs	.Net Code: FD System.AppDomain.Load(byte[])

Source: holy.exe.0.dr

Static PE information: 0xB7863B0E [Wed Jul 27 21:24:30 2067 UTC]

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_5238109

Jump to behavior

Source: Request for Quotations and specifications.pdf.exe	Static PE information: section name: .didat
Source: Request for Quotations and specifications.pdf.exe	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C85166 push rsi; retf	0_2_00007FF663C85167
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C85156 push rsi; retf	0_2_00007FF663C85157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0173F273 push ebp; retf	3_2_0173F281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_017364F5 pushfd ; iretd	3_2_017364FA

Source: holy.exe.0.dr

Static PE information: section name: .text entropy: 7.062980207558431

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: Request for Quotations and specifications.pdf.exe

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: holy.exe PID: 3032, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Memory allocated: 2C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Memory allocated: 4C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 32D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 52D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe TID: 2344

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C6B190 SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF663C6B190
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C540BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF663C540BC
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C7FCA0 FindFirstFileExA,	0_2_00007FF663C7FCA0

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

Code function: 0_2_00007FF663C716A4 VirtualQuery,GetSystemInfo,

0_2_00007FF663C716A4

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2693725364.00000000015C1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0173C168 LdrInitializeThunk,LdrInitializeThunk,

3_2_0173C168

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

Code function: 0_2_00007FF663C73170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF663C73170

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

Code function: 0_2_00007FF663C80D20 GetProcessHeap,

0_2_00007FF663C80D20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C72510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF663C72510
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C73354 SetUnhandledExceptionFilter,	0_2_00007FF663C73354
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C73170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF663C73170
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Code function: 0_2_00007FF663C776D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF663C776D8

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: holy.exe.0.dr, SystemEvents.cs	Reference to suspicious API methods: global::Interop.Kernel32.LoadLibrary("wtsapi32.dll")
Source: 2.2.holy.exe.2ca6770.1.raw.unpack, Nive.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 2.2.holy.exe.3d60e80.4.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41A000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41C000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1191008	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

Code function: 0_2_00007FF663C6B190 SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF663C6B190

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\img.pdf"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

Code function: 0_2_00007FF663C858E0 cpuid

0_2_00007FF663C858E0

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF663C6A2CC

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

Code function: 0_2_00007FF663C70754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF663C70754

Source: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe

Code function: 0_2_00007FF663C551A4 GetVersionExW,

0_2_00007FF663C551A4

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d60e80.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d22630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3cfb200.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d60e80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: holy.exe PID: 3032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2156, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d60e80.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d22630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3cfb200.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d60e80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: holy.exe PID: 3032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2156, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d60e80.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d22630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3cfb200.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d60e80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2694976808.0000000003426000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: holy.exe PID: 3032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2156, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d60e80.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d22630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3cfb200.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d60e80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: holy.exe PID: 3032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2156, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d60e80.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d22630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3cfb200.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.holy.exe.3d60e80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: holy.exe PID: 3032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2156, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Input Capture	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	13 Obfuscated Files or Information	Security Account Manager	36 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	121 Security Software Discovery	Distributed Component Object Model	1 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Request for Quotations and specifications.pdf.exe	44%	Virustotal		Browse
Request for Quotations and specifications.pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	100%	Avira	HEUR/AGEN.1306767
C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe	46%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
reallyfreegeoip.org	104.21.67.152	true	false	high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.58.98	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
x1.i.lencr.org	unknown	unknown	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.175	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D.5.dr	false	high
https://reallyfreegeoip.org/xml/8.46.123.175d	RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	holy.exe, 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, holy.exe, 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegAsm.exe, 00000003.00000002.2694976808.000000000336D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegAsm.exe, 00000003.00000002.2694976808.000000000336D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2694976808.000000000333E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000003.00000002.2694976808.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.175l	RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	holy.exe, 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, holy.exe, 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	holy.exe, 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, holy.exe, 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2694976808.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.67.152	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573553
Start date and time:	2024-12-12 09:01:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Request for Quotations and specifications.pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@20/52@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 86 Number of non-executed functions: 92
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 88.221.168.141, 50.16.47.176, 34.237.241.83, 54.224.241.105, 18.213.11.84, 172.64.41.3, 162.159.61.3, 23.195.61.56, 217.20.58.98, 2.19.126.143, 2.19.126.149, 88.221.168.226, 3.233.129.217, 23.47.168.24, 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:02:22	API Interceptor	2x Sleep call for process: AcroCEF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.67.152	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	hesaphareketi-01.pdfsxlx..exe	Get hash	malicious	Snake Keylogger	Browse
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Confirm revised invoice to proceed with payment ASAP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	Bank Swift and SOA PRN0072700314159453_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse
193.122.6.168	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Confirm revised invoice to proceed with payment ASAP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	REQUEST FOR QUOATION AND PRICES 0108603076-24_pdf.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	Bank Swift and SOA PRN0072700314159453_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	New_Order_List.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Payment Confirmation..docm	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	1733755327131807265395c8beb00b001ee74b7ae39a6579109a5e4a352d4399291272954e392.dat-decoded.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Lenticels.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	MHDeXPq2uB.exe	Get hash	malicious	RedLine	Browse	199.232.210.172
	n70CrSGL8G.exe	Get hash	malicious	RedLine	Browse	199.232.214.172
	1.e	Get hash	malicious	DanaBot	Browse	199.232.210.172
	xuhu.exe	Get hash	malicious	AsyncRAT	Browse	199.232.210.172
	Review_Approval_rocjr.pdf	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	199.232.210.172
	https://computeroids.com/hp-printer-driver?utm_source=Google&utm_medium=Click&utm_campaign=HP&utm_term=%7Bkeywords%7D&utm_content=%7Bmedium%7D&tm=tt&ap=gads&aaid=adaHxflMmgPq7&camp_id=12260099411&ad_g_id=118845692873&keyword=install%20hp%20printer%20to%20computer&device=c&network=searchAd&adposition=&gad_source=5&gclid=EAIaIQobChMI0JDUvuabigMV_Uf_AR2MuQCMEAAYASAAEgKQMPD_BwE	Get hash	malicious	PureLog Stealer	Browse	199.232.210.172
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	199.232.210.172
	Employee_Letter.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	SSTS218947014.pdf	Get hash	malicious	ScreenConnect Tool, Phisher	Browse	199.232.210.172
	Final Demand to Harbor Wholesale Grocery Inc.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
reallyfreegeoip.org	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	hesaphareketi-01.pdfsxlx..exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	Tyler_In service Agreement889889.pdf	Get hash	malicious	Unknown	Browse	217.20.58.101
	https://download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop/Documents/Instruction_695-18014-012_Rev.PDF.lnk	Get hash	malicious	Unknown	Browse	84.201.211.22
	Employee_Letter.pdf	Get hash	malicious	HTMLPhisher	Browse	217.20.58.99
	Carisls Open Benefits Enrollment.eml	Get hash	malicious	unknown	Browse	217.20.58.101
	Ou1b9NGTq8.dll	Get hash	malicious	Unknown	Browse	217.20.58.98
	CID5B21A97B8635.pdf	Get hash	malicious	Captcha Phish	Browse	217.20.58.101
	FG Or#U00e7amento JAN 2025.pdf	Get hash	malicious	Unknown	Browse	217.20.58.98
	Stonhard Response Required 10 Dec, 2024- 0PH8-NYFV0C-ZDU7.msg	Get hash	malicious	Unknown	Browse	217.20.57.24
	Ziraat Bankasi Swift Mesaji.dqy.dll	Get hash	malicious	AsyncRAT, VenomRAT	Browse	217.20.58.98
	file.exe	Get hash	malicious	Credential Flusher	Browse	217.20.58.98

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	hesaphareketi-01.pdfsxlx..exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Confirm revised invoice to proceed with payment ASAP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	Josho.ppc.elf	Get hash	malicious	Unknown	Browse	140.238.49.71
	Malzeme #U0130stek Formu_12102024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	REQUEST FOR QUOATION AND PRICES 0108603076-24_pdf.exe	Get hash	malicious	GuLoader	Browse	193.122.6.168
	Bank Swift and SOA PRN0072700314159453_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
CLOUDFLARENETUS	Agreement for Cooperation.PDF.lnk.download.lnk	Get hash	malicious	RedLine	Browse	172.67.223.31
	Agreement for YouTube cooperation.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	172.67.210.76
	V7CnS4XGYS.exe	Get hash	malicious	LummaC	Browse	172.67.143.116
	RFQ-004282A.Teknolojileri A.S.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	hesaphareketi-01.pdfsxlx..exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Strait STS.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.216.143
	Captcha.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse	172.67.206.64
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	hesaphareketi-01.pdfsxlx..exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	peks66Iy06.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	XXHYneydvF.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.181304424598763
Encrypted:	false
SSDEEP:	6:77dA34q2PCHhJ2nKuAl9OmbnIFUt8O7cXZmw+O7cFkwOCHhJ2nKuAl9OmbjLJ:7RxvBHAahFUt8Oc/+Oc56HAaSJ
MD5:	D85ED64B07983BE8688C4DEAD280E745
SHA1:	04EC8570EFA6A4103C1C0EE8E3BA7C9623C1BAC9
SHA-256:	EEC529551EBF964FCA857C91E11EF0DD6EBD5831DA62027C61C88DFE86826E4E
SHA-512:	0D2367B1FC68F8E96572A48273B6E09037EF0EA969AA55A8079D66058BC6346A9B47371DC189117D0BCDB204349918B7EC1F54C71BDD8011B0CA89708023040E
Malicious:	false
Reputation:	low
Preview:	2024/12/12-03:02:11.896 7c4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/12-03:02:11.902 7c4 Recovering log #3.2024/12/12-03:02:11.902 7c4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.181304424598763
Encrypted:	false
SSDEEP:	6:77dA34q2PCHhJ2nKuAl9OmbnIFUt8O7cXZmw+O7cFkwOCHhJ2nKuAl9OmbjLJ:7RxvBHAahFUt8Oc/+Oc56HAaSJ
MD5:	D85ED64B07983BE8688C4DEAD280E745
SHA1:	04EC8570EFA6A4103C1C0EE8E3BA7C9623C1BAC9
SHA-256:	EEC529551EBF964FCA857C91E11EF0DD6EBD5831DA62027C61C88DFE86826E4E
SHA-512:	0D2367B1FC68F8E96572A48273B6E09037EF0EA969AA55A8079D66058BC6346A9B47371DC189117D0BCDB204349918B7EC1F54C71BDD8011B0CA89708023040E
Malicious:	false
Reputation:	low
Preview:	2024/12/12-03:02:11.896 7c4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/12-03:02:11.902 7c4 Recovering log #3.2024/12/12-03:02:11.902 7c4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	335
Entropy (8bit):	5.146259478446161
Encrypted:	false
SSDEEP:	6:771UGFwDM+q2PCHhJ2nKuAl9Ombzo2jMGIFUt8O7PGtgZmw+O7BtDMVkwOCHhJ2g:7OGFwDM+vBHAa8uFUt8OzGtg/+OrDMVH
MD5:	26F7F7B9A588C37097A22BC77E6B58B8
SHA1:	76E6EC967A4C8052CFD3F2E5E98B1291A1686C53
SHA-256:	788FE710E565314F78A32393231B124CCD6ADC37FFCCEE7CF430486C2E0CF633
SHA-512:	839DB3057DE91FB53C417766ACB4195B9D2E221D251D39DAA045C2E2F3E8E42AAD0295D5870294AF599272E2AD4D27ABAB76A87A035FCA57D113DE38B9375114
Malicious:	false
Reputation:	low
Preview:	2024/12/12-03:02:11.961 cfc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/12-03:02:11.963 cfc Recovering log #3.2024/12/12-03:02:11.964 cfc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	335
Entropy (8bit):	5.146259478446161
Encrypted:	false
SSDEEP:	6:771UGFwDM+q2PCHhJ2nKuAl9Ombzo2jMGIFUt8O7PGtgZmw+O7BtDMVkwOCHhJ2g:7OGFwDM+vBHAa8uFUt8OzGtg/+OrDMVH
MD5:	26F7F7B9A588C37097A22BC77E6B58B8
SHA1:	76E6EC967A4C8052CFD3F2E5E98B1291A1686C53
SHA-256:	788FE710E565314F78A32393231B124CCD6ADC37FFCCEE7CF430486C2E0CF633
SHA-512:	839DB3057DE91FB53C417766ACB4195B9D2E221D251D39DAA045C2E2F3E8E42AAD0295D5870294AF599272E2AD4D27ABAB76A87A035FCA57D113DE38B9375114
Malicious:	false
Reputation:	low
Preview:	2024/12/12-03:02:11.961 cfc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/12-03:02:11.963 cfc Recovering log #3.2024/12/12-03:02:11.964 cfc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\6f92ea5c-18dd-4cc0-ab65-a44ed8a54101.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.967105522201735
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqy6hsBdOg2HZcaq3QYiub6P7E4TX:Y2sRds5dMHg3QYhbS7n7
MD5:	ECBE2AC4933ED1F5867218A82FB523C1
SHA1:	D5D63D4F6903DD3AE723B206B4DC52E300B56C72
SHA-256:	7EB8D75B8351EF4EE2727AEE50EFB01C57596DB69648DF387530D03E3AA2979F
SHA-512:	B7219139A73F4DCA98A61522A814B6FBB085337F76118B93A9BFE93653C7FC88467035385A04AA0BBB0839DF8DD01738EFFA1BB283D48BA30F40F92E2ED901CA
Malicious:	false
Reputation:	low
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13378550544045854","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":937417},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.963247713778661
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
MD5:	D46529E824E6E834D0D750C5560C136C
SHA1:	E6597929E439E6AF24CE7249F0D303987F0760BF
SHA-256:	818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
SHA-512:	CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF51281f.TMP (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.963247713778661
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
MD5:	D46529E824E6E834D0D750C5560C136C
SHA1:	E6597929E439E6AF24CE7249F0D303987F0760BF
SHA-256:	818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
SHA-512:	CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\d20d1d51-da8e-4dd3-9417-ec0e167c0487.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.963247713778661
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
MD5:	D46529E824E6E834D0D750C5560C136C
SHA1:	E6597929E439E6AF24CE7249F0D303987F0760BF
SHA-256:	818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
SHA-512:	CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	3878
Entropy (8bit):	5.2387156039527305
Encrypted:	false
SSDEEP:	96:S4bz5vsZ4CzSAsfTxiVud4TxY0CIOr3MCWO3VxBaw+bptkOgT:S43C4mS7fFi0KFYDjr3LWO3V3aw+bpta
MD5:	04BF9E82C0A7DF6718B01EF6505EE965
SHA1:	115234CB65260D95678BD3E312B0B11F10F918C4
SHA-256:	F5A0881AAF95AF89D21946CBECEBBF56D8D30573AAE6FFD5000C4C8416017F2B
SHA-512:	C03ED1D0B68C8CBD7A58B6FC4095F86FE6C3B3DDD64BAC3B53418B22CFAC3BA93C8F0FD3ACD3756F8149B8925AF39A0DC295A7FCC6EDD55102066524EF141942
Malicious:	false
Preview:	*...#................version.1..namespace-8..\|o................next-map-id.1.Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/.0...dr................next-map-id.2.Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.1....r................next-map-id.3.Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.2.$..o................next-map-id.4.Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/.3+...^...............Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/....^...............Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/T.3.a...............Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.U..a...............Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.$..o................next-map-id.5.Pnamespace-c66013b9_73b6_4b3f_b279_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.114710806812602
Encrypted:	false
SSDEEP:	6:77wjDOwDM+q2PCHhJ2nKuAl9OmbzNMxIFUt8O7wj4DpgZmw+O7wjvDMVkwOCHhJS:7sjKwDM+vBHAa8jFUt8Osj4Dpg/+Osjn
MD5:	47C171FF4D37B1C3BE9BBAD5922681F6
SHA1:	C7379CF576B05130D7A3BF1CEA13093A03A06B3E
SHA-256:	F046F8D359C3A912E740DF720F47A2BB5A5E172D6A6D1DC1CF07E230EDC1ABC9
SHA-512:	69BB255C17EA9B54A4ACB60DF904B14D76E6E86A31D0FA746FA66E4044904CE6B4D93629BD9C4FB6C8A3388F70B80C9CAB7F75333FB9BABB4703905DC4B0E272
Malicious:	false
Preview:	2024/12/12-03:02:12.225 cfc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/12-03:02:12.226 cfc Recovering log #3.2024/12/12-03:02:12.227 cfc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.114710806812602
Encrypted:	false
SSDEEP:	6:77wjDOwDM+q2PCHhJ2nKuAl9OmbzNMxIFUt8O7wj4DpgZmw+O7wjvDMVkwOCHhJS:7sjKwDM+vBHAa8jFUt8Osj4Dpg/+Osjn
MD5:	47C171FF4D37B1C3BE9BBAD5922681F6
SHA1:	C7379CF576B05130D7A3BF1CEA13093A03A06B3E
SHA-256:	F046F8D359C3A912E740DF720F47A2BB5A5E172D6A6D1DC1CF07E230EDC1ABC9
SHA-512:	69BB255C17EA9B54A4ACB60DF904B14D76E6E86A31D0FA746FA66E4044904CE6B4D93629BD9C4FB6C8A3388F70B80C9CAB7F75333FB9BABB4703905DC4B0E272
Malicious:	false
Preview:	2024/12/12-03:02:12.225 cfc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/12-03:02:12.226 cfc Recovering log #3.2024/12/12-03:02:12.227 cfc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.732136534099205
Encrypted:	false
SSDEEP:	3:kkFklPpKRVltfllXlE/HT8km/tNNX8RolJuRdxLlGB9lQRYwpDdt:kKFRVleT8hNMa8RdWBwRd
MD5:	6DB939E24BB1CBAB2C78D621FBA09596
SHA1:	4804F5302FF84040B84C00611F3640DFF92930F7
SHA-256:	F86BAC126CB3E5657165B2AA7D60769705F0F26507582C54429F15F368140FDF
SHA-512:	8C4815926F56B72CC270DF071DDB0F8EECF5A75ABAC2FDE1C1EEDB955C7E8AFEBDC183A9675D184591ACA51A65E2ADDC1D8FB09F506D0B877FF5AF14D60BE353
Malicious:	false
Preview:	p...... ........\|.o,lL..(....................................................... ..........W....\|O..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.1391791584200512
Encrypted:	false
SSDEEP:	6:kKlLllL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:NLaDnLNkPlE99SNxAhUe/3
MD5:	C46B6544AB7C6A3DC9E0A041462CE824
SHA1:	1184C969510A1AF0C6E825054F4EB28E91D150ED
SHA-256:	FB6FD304651EC464334E7CAE320195AD74EB873A8BBB3AF4C02EF6BC72DCABBE
SHA-512:	72C06E25BE903545B804868377F2CECCD95E4C7E53E2F73318F2C9D730FE07888DB0E15B90F56CF54715434E2395ED6DF452766E64EB976B4D70A3ED5B835CBB
Malicious:	false
Preview:	p...... ..........?lL..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.3872

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.3872

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.348547761738924
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBqtNdrrvB3/dVlPIHAR0YioAvJM3g98kUwPeUkwRe9:YvXKXB6NtrvR/ZwHA9GMbLUkee9
MD5:	C4FBC91E02D378DD0779D4CAEA8B8428
SHA1:	E2358871D71054AEE8118E35E638DD5AEAFC59F8
SHA-256:	A0FB4BD68503EB1B8E8F0599781703BEE7653D57B46FA0D90C360537300B149C
SHA-512:	B54B41D0BCA5AD2FDE5E48E35C1807B3A72B89EC2160D9D0EA8A7D516B4C99F3482AD74C9BFD5A996A9D698BFBAC6B27C5012A8AE58C050BE5D12C9233C40C1C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.2829858545003265
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBqtNdrrvB3/dVlPIHAR0YioAvJfBoTfXpnrPeUkwRe9:YvXKXB6NtrvR/ZwHA9GWTfXcUkee9
MD5:	291EFFE75A3EB17F1A007E0F81F1A386
SHA1:	BEC135FCF4067891E248F2B72D687758F6F84756
SHA-256:	139AD204B7413A9C97F0E73521E73A5C1D15C007FAE8A2AB021B7445F7623D63
SHA-512:	82C14C1D1B76B5DF9F5155C1838475D8B74F5D625BA537029D2F4F0137AF80BB6541B54070D610F75AA7B7179408F2DABFC81DA7C53F2323CFFFB0684B60A6D4
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.261980889895403
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBqtNdrrvB3/dVlPIHAR0YioAvJfBD2G6UpnrPeUkwRe9:YvXKXB6NtrvR/ZwHA9GR22cUkee9
MD5:	CBDC4D5C5E2B5D99CE02086DE4633B8B
SHA1:	B4750B0FD6875A16EB7C863746193C064AC1E1C7
SHA-256:	C24D801AEED112D8E8C511C81F323CFF018604BBCBC296257528063CE698AE83
SHA-512:	D865E7D5678C51646A4C58956AA2591CA2101DFA5FEC6FDC1B0C3178D7CE903F5A073164417BD69BC70929A22687CB487639BF8EFAB0A863A2B6BFE2D59A22D0
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.32497646180779
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBqtNdrrvB3/dVlPIHAR0YioAvJfPmwrPeUkwRe9:YvXKXB6NtrvR/ZwHA9GH56Ukee9
MD5:	DF8645BF7705EB54C016D2AE409EA1C6
SHA1:	ABF6A2CDCC21BDD48D7075C392243B26F0317057
SHA-256:	A0D43E4DE3580B31DCA1099FA4C1FD7EA6ED53468181CC7093CA3F50EC7AE5FA
SHA-512:	E4A0108AFC15D10221DA4C27FB5ECEBD40BF2E25D1330DC7B601F7BB8D4A9CACE795D1C637F49248B1FA3D8E60E7FCFFE9102FE4B11EB10CBF81F3F99C7D3E1E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.687973456763737
Encrypted:	false
SSDEEP:	24:Yv6XBcrJhWpLgE9cQx8LennAvzBvkn0RCmK8czOCCSIEWBY:YvE4JhWhgy6SAFv5Ah8cv/P
MD5:	C92F759C6A38E4462A58BA98AD59EE7E
SHA1:	57671DC78E19DF1ACD96258F0BD0D407284E3AE5
SHA-256:	1CF080EB56BA291F19CA24BB2594BBBE2DDA48ED3DEFFFE5D5E16695C80FC149
SHA-512:	706E8CFCE7545404CE5346D9AD3CBB98E60E52E70C4B6155B323278AD0222C0FC8CAEBD57DAEF03A4CAD24B2756EC1900A49328A472F44CA0BC88E65EA93A618
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.2742875246627
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBqtNdrrvB3/dVlPIHAR0YioAvJf8dPeUkwRe9:YvXKXB6NtrvR/ZwHA9GU8Ukee9
MD5:	623426352B66E68B3116F3954933EF89
SHA1:	8E73651C26F3F00E67F766667B0A655A4DB3DB95
SHA-256:	7786976FEE17312F18A902482029CF4B9BB1DB2C0634A361AA0D224E43EDCB95
SHA-512:	587317FC17D8BB0AD360FFE0ABC2540DEF8A78A370493EEC872CDE2D5AFAB0776508A760E12AA8876031AA61EFA64F230D194403F57533C57FB7C15A1AA0F1FE
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.272939862175992
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBqtNdrrvB3/dVlPIHAR0YioAvJfQ1rPeUkwRe9:YvXKXB6NtrvR/ZwHA9GY16Ukee9
MD5:	EB671D13F0E73730AAE3F8278E6ACEAE
SHA1:	81D2D60684C5D0D53BDB706E2404DF2E1FA962AC
SHA-256:	48AE363F6168ADB2DBD95DEAC79E0F46476D6FB4DC1A38E169DE2719394EBF02
SHA-512:	21B52C4A6C221BF22B2A6518676997701FB3E5FC94EBE8AC9AF7997CDA85B4D5B260843906424011EE484D36A26339BD446587A4C331EAB791B3855789D4311F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.289260233007157
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBqtNdrrvB3/dVlPIHAR0YioAvJfFldPeUkwRe9:YvXKXB6NtrvR/ZwHA9Gz8Ukee9
MD5:	C792D4B7EB58A8BEB548260E401FC645
SHA1:	06B3066B81474135A9E0522634E0B54C3D663852
SHA-256:	120C6D34EF466BAA914FF8753E753DE3C4E66599E57A580CD5DE7BA1488C3EA9
SHA-512:	C3FF9DB3F9164CA884856D3F9FA0C2CD01245E7906C25976E7815017B42C246CB65B7DBFC4D69D35C607DD689F967C5DF87998FB49AFE9112CA99BB87E2C6719
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.302340275679065
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBqtNdrrvB3/dVlPIHAR0YioAvJfzdPeUkwRe9:YvXKXB6NtrvR/ZwHA9Gb8Ukee9
MD5:	775EACD1A9BF92ABD17504BB3D585A17
SHA1:	05BDBB59DA4ED4DE80E70A9A84A8BB214E7F3F7F
SHA-256:	4FFE0058D0EA33493853468F6DB29520795DBB408FEDA9253A9308652787808F
SHA-512:	A73EEBB606479562B6A6D44FC88B5759AA0582CAB0253DB8A0F1B80B5713F13080DFB39F3EB10D6239964AD3B75440AC064F63440EF23AA5040532A679D10DDF
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.282630592600029
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBqtNdrrvB3/dVlPIHAR0YioAvJfYdPeUkwRe9:YvXKXB6NtrvR/ZwHA9Gg8Ukee9
MD5:	1311BC1B2F855897BB4CCBEB0895635F
SHA1:	9FE8B1758A451F1DA0963D768E0F2E407642EB4B
SHA-256:	0508BFC61A233DBC9EBA3A50F315D4314E748BE2E541A56116BEF08238A33FEF
SHA-512:	622C29729D422732B61E0753E76AE1E6C2DEF11015298F79EAE88AB2446DDEAB504CA6101A044864C40B81CA12EC537F3BC9B9460C20847E01FE68E6418C9652
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.268674156924488
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBqtNdrrvB3/dVlPIHAR0YioAvJf+dPeUkwRe9:YvXKXB6NtrvR/ZwHA9G28Ukee9
MD5:	0643FE178031959A78AEF12EA607DCAB
SHA1:	6C2AF77B276E27BAC2D08027B3E1787AD1F0DA63
SHA-256:	DF5638D897D31A2A43C9F8E23CEFB522D2D7D48D8CA08DA3152336203EE8AACE
SHA-512:	5432FDDF93444D3CA8147D31C020519A4FD6B72C096F1D3232D3D1E0D4EDFA9E06CA91F7EB1707BC5CC2077CCCD439192572E002399D855785EBCD43692738EE
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.26629706764434
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBqtNdrrvB3/dVlPIHAR0YioAvJfbPtdPeUkwRe9:YvXKXB6NtrvR/ZwHA9GDV8Ukee9
MD5:	BE1622DCEBC68EF1A11A3851168A6EE1
SHA1:	75C4B0063EFE368FABE6A1F7B9F4CF0FEC19BE03
SHA-256:	8026B87E84F9E94C421B51DE90F6FA4DB4C7269625F93D845ED5E3E52A3B06AB
SHA-512:	AFE87E2034FCD51E79696EC7EAFD7D0856F39481B278652DC5F038EC88ACBFF5C5C9A3534064A530BBC1ACF7EE7448195C8177A13E47AFCCD62A5902B2F7BD85
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.265099598348317
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBqtNdrrvB3/dVlPIHAR0YioAvJf21rPeUkwRe9:YvXKXB6NtrvR/ZwHA9G+16Ukee9
MD5:	D524845EF8BD02C6F2E341B88DB45A9C
SHA1:	C4E19865A918F1F13DA050E1CC962E97DC1FAB54
SHA-256:	49A6555CBA895EF1EBCFF16BD9BF91098B8172665BD7AF53475591AF89EB1FC0
SHA-512:	0CDB623002F16DA4DCC38AE5805F727E897A19FA2D571283DF5DCAE860383F3583A329CDAA390B657A50D4E8DE200C218085873A0179E5FEC959B0846960C845
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.6655891293675085
Encrypted:	false
SSDEEP:	24:Yv6XBcrJhKamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSIEWBY:YvE4JhEBgkDMUJUAh8cvMP
MD5:	251E1C3A028D62BFC2DE5F10588BBA39
SHA1:	D8E158528470F5C1434B048B56DD37B0B402BC3E
SHA-256:	8EE722174945EDBA4047D8089458191D4E181AB0805E3D2D31F10A69DCAFC147
SHA-512:	AA2D5D861610D3253A435799B6CC78FD8E9B582A4BE37227C81733D136BA683325967556897AA20F7EE416D573006E6CC5B84118D2A5A682D59A962DBA23C258
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.240660178762542
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBqtNdrrvB3/dVlPIHAR0YioAvJfshHHrPeUkwRe9:YvXKXB6NtrvR/ZwHA9GUUUkee9
MD5:	180DA0D97ACE13070A4FE115244F3773
SHA1:	F0A2C5A030571E0B47EF9CCDE8243E1DDD56B0BE
SHA-256:	3DFB39B14A0129BA243E76EF170225F8850BAF014E85BBBA861CDF22246B8FB7
SHA-512:	C008BB761C182A55091CBA7ED45086E4DFB2F4ABDCFC3BDA08E820502B76598C76182D6641F93CC5F77818CED4F392C5D2F5BB0FECAA64EFF6553A0BE9F76FEF
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.264768921613848
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBqtNdrrvB3/dVlPIHAR0YioAvJTqgFCrPeUkwRe9:YvXKXB6NtrvR/ZwHA9GTq16Ukee9
MD5:	C5615BBC5A71C44D85153AA414E52C5B
SHA1:	DD6DCCF69DE8B80342787DAD7900F43C1DE3999B
SHA-256:	036DEB2BD9043CF457E11903DB90B90F7B092B8676743F2240B0F2B8F52BCED3
SHA-512:	7D72346A60A050A35DCAEF6462BE97B31AEF6256F925105BAF2B02494CB4B3B275305D489F39695F11A0B803B358232E4660F2A51791A8CA4210471CC02A29CD
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"6d90b737-2be3-4fbb-bab7-cfe6fa854873","sophiaUUID":"6BC8D74A-F8DC-462C-8ED4-D40FDD780397"},"encodingScheme":true,"expirationDTS":1734168173435,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.135659202090742
Encrypted:	false
SSDEEP:	24:YPWE4aaayTEt45ZSEZTwrEzdSWnEJgBWEgWE0DHPfEVj4Fj0S5ENbOxaEY2Z2LSj:YUF8W59ce2Fc23l16PvTodng9Lt
MD5:	BC8CD05D25350DD41C392AED011364E8
SHA1:	ED8D0B4B2B12DFDFD2358B0409657F91761CE1EA
SHA-256:	5D259153634470CC34EF200C88802D4581FFEAB08478757B5B3F240878BE17A1
SHA-512:	AD0A35AA90E8E10A62528F521FA18AEFF90A2C073D53BE29956A85CC6DCE00F6D671D256485C1B7231D9774AB638371D014F77755D71DEA66570ED76725E8AE4
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"19205cdafa36d3d8acb03d9b6a5fa2e7","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1733990542000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"71a0e176dced7bb034e9339e1d13007a","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1733990542000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"f984cd61d7ac094fdef598af12e8f17d","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1733990542000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"e791db669c82cd136d241397a4f31f5f","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1733990542000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"6a7743530de18d569bf87c8d4d305ef0","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1733990542000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"863f9fd2acfe44b45ceb391fac75214e","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.318804102521374
Encrypted:	false
SSDEEP:	48:TGufl2GL7ms9WR1CPmPbPahkPQypilIuP2:lNVms9WfMwbPahkoFu
MD5:	9EC83D4183770AC74ED8D467C1740BA0
SHA1:	BD9330E2AB7A0FF34B12D61DAABA7D21F70338F0
SHA-256:	4786909CE8C255848832352DB21BBF6E8BB72D3AC86644A87D28645F8A7EB57C
SHA-512:	C971027958E0A27FF372BE8F6CF094CF55F7AAC180E1675C3A51B69883B7337D46D3C1ADAC6512274783FCD2C93290DBFA6CD70FD05D74D068641376392CF010
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.7811406316776563
Encrypted:	false
SSDEEP:	48:7M7WR1CPmPbPahkPVypilItqFl2GL7msg:7KWfMwbPahkd4KVmsg
MD5:	55908BEACC59A0FDAF6F6CABF83B5A89
SHA1:	A7DF929871E32262F414FAE6818EF9BBC293AED5
SHA-256:	D6A468528CB4550612CECE921F3D75B7A01CCDC7EFC06D0C3D6B1690112EA145
SHA-512:	C1CB5D70BCD4ADA269E25AC10B456EAC421FAA1714DA3B0DEC4D7A8A264584C50E14F8309A1E4A3B81C2F1F73C3888FFA62BC359F7BB11C2885B7233D26AD86B
Malicious:	false
Preview:	.... .c......PZ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^..^.^.^.^.^.^.^.p.p.p.p.p.p.p.p.p.p..........................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEggwuA3VB65WcR9QwvEy7wr2jpzZiYyu:6a6TZ44ADERuA3Vo9Tnwr2jpzgK
MD5:	0664CDE7FF7B0BE15CE2028C8DCE5BD3
SHA1:	62256E0EC89B6D0CCEFA34B0EF1E0A0B9401D164
SHA-256:	C5B5DA5CF010597513C40DAD021845C4164D1A445E7FC9E63FA8BB1DDB133147
SHA-512:	A0F1FF0C073A493B7F4124AA076599F64A0127D1FA1CE54A5F5BFBF3C2973C15D9B5EE7EFD4A7D8273BD8D6550D6870B088FBC263CC476C87D2B8555C208E2FD
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\holy.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	617
Entropy (8bit):	5.3554278163807965
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKharkvoDLI4MWuCt92n4M6:ML9E4KlKDE4KhKiKhIE4Ko84j
MD5:	A47392ECAB97B1AD6350E5445F07F3FD
SHA1:	C9AE28B3118306868E7AE54B212C853C7ED9705E
SHA-256:	925EBF33DCB86A12A8CA3195D01B72FAC0840B408C07D079A612E40646BF03F2
SHA-512:	681B8D60FCFDAB4067DC6EEC62D9841B33F8EA6319C38CBAC1544BBEF5B9F14AB37129DBEFB1F1FF6F119B33792A37C415B1D88E292B3D9907F0AFBDD07E721D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\MSI1c0e.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.486646639490294
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8qKDgalYH:Qw946cPbiOxDlbYnuRKtKEuYH
MD5:	4BAD71A236E70F7F2B628423969F8352
SHA1:	211E950ACF2C3DC5971C86F26DF147BC279A3802
SHA-256:	91E3D7CEA29B1B8255424E779ECF087D57FA5E675667F51640A91090D02D49D5
SHA-512:	EEE9FF8F28B2F2FFDAA0389882963CE188D7AB5DA9B101D3F2F8057C720B046AD19F88FB6607D8564869538B1EDFB5734622FBB97B3B5B50702F5AEB6043B663
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.2./.1.2./.2.0.2.4. . .0.3.:.0.2.:.2.0. .=.=.=.....

C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe

Download File

Process:	C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	477184
Entropy (8bit):	7.049584533826611
Encrypted:	false
SSDEEP:	6144:BDD86eavzyToezlwxtESyz0nixBOaKAZToI+XFAXJP7nVEPUefKbd+hQ+W3F5gy:FDXeavzyToea5yzOq+XOXJP7nes2UL
MD5:	F072A1E438C9D2453EE1B74027D07DD2
SHA1:	32EB35774177A028851E314C333E51355674DA37
SHA-256:	54ADF0A0FF5F28C4284F20DADF8B5EE4D5D43D93296690DF95951F202467A423
SHA-512:	E64176BA5894056BA9BCA488C32E7218DB9C4F14DF7DA97BD65EF1BC0C563C690D549643B12FC6862F9634B70E7FE9EACFB37F0CCC16855C6F36C5B73094B661
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 46%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;................0..>...........\... ...`....@.. ....................................@.................................x\..S....`............................................................................... ............... ..H............text....<... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............F..............@..B.................\......H...........\}.........../..............................................^..}.....( ......(.....~(....(....(....rA..p(m........&.(=.....".......".(A....Vs....(B...t...........{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......(=.......(.......(.......(........(......sC...(.....>..(.....oD......{...."..}......{...."..}......{...."..}......{...."..}......(=.......(.......(.......(!.....sF...(#....>..("....oG......{....*"..}....

C:\Users\user\AppData\Local\Temp\RarSFX0\img.pdf

Download File

Process:	C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe
File Type:	PDF document, version 1.7, 1 pages
Category:	dropped
Size (bytes):	41950
Entropy (8bit):	7.990999767126439
Encrypted:	true
SSDEEP:	768:/Iv9D+uwNaqaOD5SeA6DZDL4gZsSzygZ/D5sqJo3IBWrquzSfeXxLEYF:/IYaqacL4Wy4/1y3X4OpF
MD5:	E6BDF42550DA919F083B74F06E629703
SHA1:	6278393C436E4C40E625EC9BF812E1685391D09F
SHA-256:	82FA4F3CE03D99D100B1D55E731A44A1EF34CEFC6363095F086439F100FBBCA8
SHA-512:	70F530AC6F2DAB07ABCD6D4D1F92717D6161524CAB670A29EA2A39357543E1564F25F3C9B5F34CD09DAB21E27AA2D9723A178EED7E7FC8BECC8AD9F4CA6B3B65
Malicious:	false
Preview:	%PDF-1.7.%.....4 0 obj.<<./Type /XObject./Subtype /Image./Width 1240./Height 826./BitsPerComponent 8./ColorSpace /DeviceRGB./Filter [/FlateDecode /DCTDecode]./DecodeParms [null <<./Quality 60.>>]./Length 41017.>>.stream.x...XT..7.iDB`P.%E.!.{...P..n............T:%.........s..z.y...^.k.{....k.{....u1~1....W....\.JHH@DJOFJBB.JM{..6;..mv.[\|..\|..B......U.!..^I..F...Z...C....I.IY..X4...4......1..(.8..#.N..A.v.........?..?4t.L,l.\.K#o.....a`.cb`aab".."....X$.<..Z.q..@..Q..L2.Md..-f>...+x.o.SP.daec..........+'.........o`hdi...#k.........w....g._..cb.._%$&ee........y[Y.....}sKk[{GgW...........s...K.+..;.{...G.'.~...h....~.#...............bL,..l.i-..N..... ....+L\|.-2........on..v..^.......?.5..c.!'......i.......([.?HK..\6.,..a-9.....>...........,..pe#.-...C.2.....k9..6..UB C../..\|.D.....nr.4..@........W.[...r \.se....@ZR..)....P..K...w@.....O.......Wr..l..M.-C..j...`....@Ky..l....F.*.!r .U..20.@ZI..B=g]I....y%.......3...m..E.sL=.5...s.........Y.@Y.p.....@..zH.......a

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-12 03-02-14-204.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.33860678500249
Encrypted:	false
SSDEEP:	384:IC2heaVGJMUPhP80d0Wc+9eG/CCihFomva7RVRkfKhZmWWyC7rjgNgXo6ge5iaW0:X8B
MD5:	C3FEDB046D1699616E22C50131AAF109
SHA1:	C9EEA5A1A16BD2CD8154E8C308C8A336E990CA8D
SHA-256:	EA948BAC75D609B74084113392C9F0615D447B7F4AACA78D818205503EACC3FD
SHA-512:	845CDB5166B35B39215A051144452BEF9161FFD735B3F8BD232FB9A7588BA016F7939D91B62E27D6728686DFA181EFC3F3CC9954B2EDAB7FC73FCCE850915185
Malicious:	false
Preview:	SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:080+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.346332701893433
Encrypted:	false
SSDEEP:	384:lzRSFSKSdSx9O9Oq9q9D9T9I9i9x/Q/S/Q/6uUPuUuBuJupugudumYAtAlAXhxh5:llKfiIwUqcRh6czYKoSPPnsKebYKCSgP
MD5:	B190B6EC9926B731241EB278BAED07F5
SHA1:	A1AFB2BFAA0863789DA10931A2B486CA0D874392
SHA-256:	9AAE0180D23B544B460D118885E20C79F392437777C582DFBEDF63E7A931CE83
SHA-512:	24D4E3680C6B90DCE2B0101C3FD53BE5144CB1070B84D01659A7019D55C297EB30CC77A14D72B6A21AB7694AAA49106C7347F1420841DBCDF154FB405FD85B01
Malicious:	false
Preview:	SessionID=7f22960c-4e61-4dba-99d8-d2dd02791976.1733990534214 Timestamp=2024-12-12T03:02:14:214-0500 ThreadID=7556 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=7f22960c-4e61-4dba-99d8-d2dd02791976.1733990534214 Timestamp=2024-12-12T03:02:14:215-0500 ThreadID=7556 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=7f22960c-4e61-4dba-99d8-d2dd02791976.1733990534214 Timestamp=2024-12-12T03:02:14:215-0500 ThreadID=7556 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=7f22960c-4e61-4dba-99d8-d2dd02791976.1733990534214 Timestamp=2024-12-12T03:02:14:215-0500 ThreadID=7556 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=7f22960c-4e61-4dba-99d8-d2dd02791976.1733990534214 Timestamp=2024-12-12T03:02:14:215-0500 ThreadID=7556 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.404805252988832
Encrypted:	false
SSDEEP:	192:TcbeIewcbVcbqI4ucbrcbQIrJcb6cbCIC4cb3cbuIVNcbx:ceo4+rsC2Vq
MD5:	9A90DEBB385BFDB86E895588DD40B43C
SHA1:	3FE87F43262FC739B09CBBE552B76AEFA795E355
SHA-256:	B14E14A0CF78643423C5ADDAA367D04D0B721C3CB7B6D02D9DE01756F62F7FBA
SHA-512:	99794656CCC1A23BECCF2278CCE368C43441DBB472E534969174B6E8C8830DF2B4C15E017FBB223F9BB035FDEB308656E60094A89418A2B40B2DF9E8E428A489
Malicious:	false
Preview:	05-10-2023 10:18:29:.---2---..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : *************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***********************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 10:18:29:.Closing File..05-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\2c76bc17-a71b-4ced-963d-aecf90038ca3.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\7c4499e7-6e40-4a88-89c2-b6a4cf1de40d.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
MD5:	A0CFC77914D9BFBDD8BC1B1154A7B364
SHA1:	54962BFDF3797C95DC2A4C8B29E873743811AD30
SHA-256:	81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
SHA-512:	74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\987e5a0f-c45a-4937-8bf6-b4118aed9f4a.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\c5b38c92-27b8-47b8-be2b-f0afdeba5c03.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:uwYIGNPHD9WL07oXGZf1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:uwZG99WLxXGZV3mlind9i4ufFXpAXkru
MD5:	EEA0B822B1F85710138D30EEEC4048D7
SHA1:	EFD1465E991ECDE6E21F0CF95450841B5A99A971
SHA-256:	ADC3F12372CBE7C64A2F7F7DB3D1AF70AB5D8367A8C809122C74C01233A1A0D0
SHA-512:	A8554AA4C4128C83CB275F5CCD260E6F6144A1A931EF7FBB5C4B08010CEA3E6610518E00FB0ED0C93B08EB794220B67C4EB1D1FB642316062357F2B6EE8C3490
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.244233360215043
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Request for Quotations and specifications.pdf.exe
File size:	666'699 bytes
MD5:	a27b87004e36c99c5ae138960f632287
SHA1:	b85c27e89d6eaf68a8cbc0d683546d46b8d270f6
SHA256:	31ee50c565b3d2bc907ce74e87ed30d9a282bcdd99995fce3924adb7d7028cb8
SHA512:	3c04870f94706737c0ec1019f6154047fd753cac84a19f9ed6313e0fb0a63d6a33e7d9923e7dfb5c0f1d353adfb6613e17e6abf5102701beab02c4828466201d
SSDEEP:	12288:PyveQB/fTHIGaPkKEYzURNAwbAg34GzrYkemklmWgq5Smn2sDMMt1l:PuDXTIGaPhEYzUzA0KaYP3l/7b2St7
TLSH:	1BE4AE19E3F40CF8E0B7E538D9524902E7763D490B70969F2BA1156A1F3B3D0AD3AB21
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

File Icon


Icon Hash:	d292c2c2949c9888

Static PE Info

General

Entrypoint:	0x140032ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b1c5b1beabd90d9fdabd1df0779ea832

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FC5A8F2B368h
dec eax
add esp, 28h
jmp 00007FC5A8F2ACFFh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007FC5A8F2A183h
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007FC5A8F2AE93h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007FC5A8F2CEA7h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FC5A8F19713h
dec eax
lea edx, dword ptr [00025747h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FC5A8F2BF62h
int3
jmp 00007FC5A8F32144h
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597a0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x8940	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x306c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x79000	0x970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x536c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b3f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x588bc	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4676e	0x46800	f06bb06e02377ae8b223122e53be35c2	False	0.5372340425531915	data	6.47079645411382	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x128c4	0x12a00	2de06d4a6920a6911e64ff20000ea72f	False	0.4499003775167785	data	5.273999097784603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0xe75c	0x1a00	0dbdb901a7d477980097e42e511a94fb	False	0.28275240384615385	data	3.2571023907881185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x306c	0x3200	b0ce0f057741ad2a4ef4717079fa34e9	False	0.483359375	data	5.501810413666288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6e000	0x360	0x400	1fcc7b1d7a02443319f8fcc2be4ca936	False	0.2578125	data	3.0459938492946015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6f000	0x15c	0x200	3f331ec50f09ba861beaf955b33712d5	False	0.408203125	data	3.3356393424384843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x8940	0x8a00	af5b25015032fb043c0ce3790246cb92	False	0.4205163043478261	data	6.177360157668852	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x79000	0x970	0xa00	77a9ddfc47a5650d6eebbcc823e39532	False	0.52421875	data	5.336289720085303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x705b4	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x710fc	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x726a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.40602836879432624
RT_ICON	0x72b10	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.20013661202185792
RT_ICON	0x73c38	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.15581773799837267
RT_DIALOG	0x762a0	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x76528	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x76664	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x76750	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x76880	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x76bb8	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x76e0c	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x76ff0	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x771bc	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x77374	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x774bc	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x77928	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x77a90	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x77be4	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x77cf0	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x77dac	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0x77f6c	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0x781bc	0x30	data			0.8541666666666666
RT_MANIFEST	0x781ec	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-12T09:02:13.293315+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49704	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 09:02:11.439990997 CET	49704	80	192.168.2.8	193.122.6.168
Dec 12, 2024 09:02:11.559408903 CET	80	49704	193.122.6.168	192.168.2.8
Dec 12, 2024 09:02:11.559504032 CET	49704	80	192.168.2.8	193.122.6.168
Dec 12, 2024 09:02:11.561352015 CET	49704	80	192.168.2.8	193.122.6.168
Dec 12, 2024 09:02:11.680558920 CET	80	49704	193.122.6.168	192.168.2.8
Dec 12, 2024 09:02:12.825721025 CET	80	49704	193.122.6.168	192.168.2.8
Dec 12, 2024 09:02:12.839361906 CET	49704	80	192.168.2.8	193.122.6.168
Dec 12, 2024 09:02:12.959678888 CET	80	49704	193.122.6.168	192.168.2.8
Dec 12, 2024 09:02:13.245096922 CET	80	49704	193.122.6.168	192.168.2.8
Dec 12, 2024 09:02:13.293314934 CET	49704	80	192.168.2.8	193.122.6.168
Dec 12, 2024 09:02:13.473485947 CET	49705	443	192.168.2.8	104.21.67.152
Dec 12, 2024 09:02:13.473530054 CET	443	49705	104.21.67.152	192.168.2.8
Dec 12, 2024 09:02:13.473953962 CET	49705	443	192.168.2.8	104.21.67.152
Dec 12, 2024 09:02:13.527964115 CET	49705	443	192.168.2.8	104.21.67.152
Dec 12, 2024 09:02:13.527983904 CET	443	49705	104.21.67.152	192.168.2.8
Dec 12, 2024 09:02:14.745136976 CET	443	49705	104.21.67.152	192.168.2.8
Dec 12, 2024 09:02:14.745218039 CET	49705	443	192.168.2.8	104.21.67.152
Dec 12, 2024 09:02:14.758723021 CET	49705	443	192.168.2.8	104.21.67.152
Dec 12, 2024 09:02:14.758744001 CET	443	49705	104.21.67.152	192.168.2.8
Dec 12, 2024 09:02:14.759012938 CET	443	49705	104.21.67.152	192.168.2.8
Dec 12, 2024 09:02:14.799218893 CET	49705	443	192.168.2.8	104.21.67.152
Dec 12, 2024 09:02:15.213589907 CET	49705	443	192.168.2.8	104.21.67.152
Dec 12, 2024 09:02:15.259337902 CET	443	49705	104.21.67.152	192.168.2.8
Dec 12, 2024 09:02:15.541296959 CET	443	49705	104.21.67.152	192.168.2.8
Dec 12, 2024 09:02:15.541357040 CET	443	49705	104.21.67.152	192.168.2.8
Dec 12, 2024 09:02:15.541608095 CET	49705	443	192.168.2.8	104.21.67.152
Dec 12, 2024 09:02:15.549985886 CET	49705	443	192.168.2.8	104.21.67.152
Dec 12, 2024 09:03:18.244684935 CET	80	49704	193.122.6.168	192.168.2.8
Dec 12, 2024 09:03:18.244796038 CET	49704	80	192.168.2.8	193.122.6.168
Dec 12, 2024 09:03:53.250685930 CET	49704	80	192.168.2.8	193.122.6.168
Dec 12, 2024 09:03:53.370122910 CET	80	49704	193.122.6.168	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 09:02:11.121803045 CET	57975	53	192.168.2.8	1.1.1.1
Dec 12, 2024 09:02:11.259747982 CET	53	57975	1.1.1.1	192.168.2.8
Dec 12, 2024 09:02:13.323178053 CET	60753	53	192.168.2.8	1.1.1.1
Dec 12, 2024 09:02:13.467442036 CET	53	60753	1.1.1.1	192.168.2.8
Dec 12, 2024 09:02:21.828501940 CET	64790	53	192.168.2.8	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2024 09:02:11.121803045 CET	192.168.2.8	1.1.1.1	0xe0af	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 12, 2024 09:02:13.323178053 CET	192.168.2.8	1.1.1.1	0x956e	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 12, 2024 09:02:21.828501940 CET	192.168.2.8	1.1.1.1	0xac0a	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 12, 2024 09:02:11.259747982 CET	1.1.1.1	192.168.2.8	0xe0af	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 09:02:11.259747982 CET	1.1.1.1	192.168.2.8	0xe0af	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 12, 2024 09:02:11.259747982 CET	1.1.1.1	192.168.2.8	0xe0af	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 12, 2024 09:02:11.259747982 CET	1.1.1.1	192.168.2.8	0xe0af	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 12, 2024 09:02:11.259747982 CET	1.1.1.1	192.168.2.8	0xe0af	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 12, 2024 09:02:11.259747982 CET	1.1.1.1	192.168.2.8	0xe0af	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 12, 2024 09:02:13.467442036 CET	1.1.1.1	192.168.2.8	0x956e	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 12, 2024 09:02:13.467442036 CET	1.1.1.1	192.168.2.8	0x956e	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 12, 2024 09:02:22.044291019 CET	1.1.1.1	192.168.2.8	0xac0a	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 09:02:23.961770058 CET	1.1.1.1	192.168.2.8	0xa58b	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 09:02:23.961770058 CET	1.1.1.1	192.168.2.8	0xa58b	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.98	A (IP address)	IN (0x0001)	false
Dec 12, 2024 09:02:23.961770058 CET	1.1.1.1	192.168.2.8	0xa58b	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.100	A (IP address)	IN (0x0001)	false
Dec 12, 2024 09:02:23.961770058 CET	1.1.1.1	192.168.2.8	0xa58b	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.101	A (IP address)	IN (0x0001)	false
Dec 12, 2024 09:02:23.961770058 CET	1.1.1.1	192.168.2.8	0xa58b	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.99	A (IP address)	IN (0x0001)	false
Dec 12, 2024 09:03:32.635379076 CET	1.1.1.1	192.168.2.8	0x7c98	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 12, 2024 09:03:32.635379076 CET	1.1.1.1	192.168.2.8	0x7c98	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	193.122.6.168	80	2156	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 09:02:11.561352015 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 12, 2024 09:02:12.825721025 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 08:02:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 749a520274212c80c7280b994bc762b0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 12, 2024 09:02:12.839361906 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 12, 2024 09:02:13.245096922 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 08:02:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 132ddc2f4a5d26411024e669c9e16c74 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	104.21.67.152	443	2156	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 08:02:15 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-12 08:02:15 UTC	880	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 08:02:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 169858 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xFXUlsWDay%2FneoLT793%2Byd0cMfoBNGOsaatkyNWeXUyJQDJxKSY6Y0zC549HpSB%2BQ2aI6qbm8DsNocx7lrCf20lt8hkilZqs835kvnw1Sif%2BgVzoizYs4hYW%2F1rcrlAhkCt89Lo8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0c30ee19ee435e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1723&min_rtt=1722&rtt_var=649&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1682027&cwnd=240&unsent_bytes=0&cid=89ab744e03a733a7&ts=807&x=0"
2024-12-12 08:02:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	03:02:08
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe"
Imagebase:	0x7ff663c40000
File size:	666'699 bytes
MD5 hash:	A27B87004E36C99C5AE138960F632287
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	03:02:08
Start date:	12/12/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\holy.exe"
Imagebase:	0x990000
File size:	477'184 bytes
MD5 hash:	F072A1E438C9D2453EE1B74027D07DD2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1449728784.0000000003D93000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1449728784.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 46%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:02:09
Start date:	12/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xfa0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.2692802312.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2694976808.0000000003426000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	03:02:10
Start date:	12/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\img.pdf"
Imagebase:	0x7ff6e8200000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:02:11
Start date:	12/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff79c940000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	03:02:11
Start date:	12/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2056 --field-trial-handle=1664,i,10022418553164981674,7923153825484368479,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff79c940000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	30

Executed Functions

Function 00007FF663C6B190 Relevance: 118.7, APIs: 57, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C4255C: GetDlgItem.USER32 ref: 00007FF663C425AC
Part of subcall function 00007FF663C4255C: SetWindowTextW.USER32 ref: 00007FF663C425C8

SetDlgItemTextW.USER32 ref: 00007FF663C6B320
GetMessageW.USER32 ref: 00007FF663C6B350
IsDialogMessageW.USER32 ref: 00007FF663C6B369
TranslateMessage.USER32 ref: 00007FF663C6B37B
DispatchMessageW.USER32 ref: 00007FF663C6B389
GetDlgItem.USER32 ref: 00007FF663C6B410
SendMessageW.USER32 ref: 00007FF663C6B431
SendMessageW.USER32 ref: 00007FF663C6B449
SetFocus.USER32 ref: 00007FF663C6B452
GetLastError.KERNEL32 ref: 00007FF663C6B634
GetLastError.KERNEL32 ref: 00007FF663C6B665
GetTickCount.KERNEL32 ref: 00007FF663C6B68B
GetLastError.KERNEL32 ref: 00007FF663C6B6F5
GetCommandLineW.KERNEL32 ref: 00007FF663C6B841
CreateFileMappingW.KERNEL32 ref: 00007FF663C6B900
MapViewOfFile.KERNEL32 ref: 00007FF663C6B923
ShellExecuteExW.SHELL32 ref: 00007FF663C6B95B
Sleep.KERNEL32 ref: 00007FF663C6B9B6
UnmapViewOfFile.KERNEL32 ref: 00007FF663C6B9DF
CloseHandle.KERNEL32 ref: 00007FF663C6B9E8
SetDlgItemTextW.USER32 ref: 00007FF663C6BCDE
DialogBoxParamW.USER32 ref: 00007FF663C6C0D7
EnableWindow.USER32 ref: 00007FF663C6C2A6
SendMessageW.USER32 ref: 00007FF663C6C2F8
WaitForInputIdle.USER32 ref: 00007FF663C6B9A3

Part of subcall function 00007FF663C5AAE0: LoadStringW.USER32 ref: 00007FF663C5AB67
Part of subcall function 00007FF663C5AAE0: LoadStringW.USER32 ref: 00007FF663C5AB80

SendMessageW.USER32 ref: 00007FF663C6BEC3
SendDlgItemMessageW.USER32 ref: 00007FF663C6BEEA
GetDlgItem.USER32 ref: 00007FF663C6BEF8
SendMessageW.USER32 ref: 00007FF663C6BF12
GetDlgItem.USER32 ref: 00007FF663C6BF4F
SetDlgItemTextW.USER32 ref: 00007FF663C6BFEC
SetDlgItemTextW.USER32 ref: 00007FF663C6C004
SetDlgItemTextW.USER32 ref: 00007FF663C6C321
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6C363
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6C369
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6C36F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6C375
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6C37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6C381
SendDlgItemMessageW.USER32 ref: 00007FF663C6C449
GetDlgItem.USER32 ref: 00007FF663C6C491
SetFocus.USER32 ref: 00007FF663C6C49A
SendDlgItemMessageW.USER32 ref: 00007FF663C6C53E
FindFirstFileW.KERNEL32 ref: 00007FF663C6C562
FindClose.KERNEL32 ref: 00007FF663C6C68A
SendDlgItemMessageW.USER32 ref: 00007FF663C6C7AF

Part of subcall function 00007FF663C4129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF663C41396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6CAA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6CAAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6CAB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6CABB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6CAC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6CAC7

Strings

winrarsfxmappingfile.tmp, xrefs: 00007FF663C6B8E0
LICENSEDLG, xrefs: 00007FF663C6C0C9
@, xrefs: 00007FF663C6B7B6
REPLACEFILEDLG, xrefs: 00007FF663C6C3D3
__tmp_rar_sfx_access_check_, xrefs: 00007FF663C6B6A9
%s %s, xrefs: 00007FF663C6C6D9, 00007FF663C6C946
STARTDLG, xrefs: 00007FF663C6B1CA
-el -s2 "-d%s" "-sp%s", xrefs: 00007FF663C6B799
p, xrefs: 00007FF663C6B7AB
runas, xrefs: 00007FF663C6B7C9

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$Text$File$ErrorLast$CloseDialogFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleIdleInputLineMappingParamShellSleepTickTranslateUnmapWait
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 2843345789-2702805183
Opcode ID: edeb6bfabd7eaeb7cd9bcc304c0296b3610e9c120c931593e8c7bda36bba63fc
Instruction ID: 6fb1d0804cd365a7e14901b5996b5d217cc521cedd9f31f58bac1c3e5fa534eb
Opcode Fuzzy Hash: edeb6bfabd7eaeb7cd9bcc304c0296b3610e9c120c931593e8c7bda36bba63fc
Instruction Fuzzy Hash: 4CD2B262E09782D2EA209B66E8562F96371FF86790F404131F94DAF7AADF3CE544C700

Function 00007FF663C6CE88 Relevance: 63.2, APIs: 25, Strings: 10, Instructions: 1963windowfileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF663C6D5F3
SendMessageW.USER32 ref: 00007FF663C6D626
SendMessageW.USER32 ref: 00007FF663C6D655
MoveFileW.KERNEL32 ref: 00007FF663C6DB4B
MoveFileExW.KERNEL32 ref: 00007FF663C6DB69
GetTempPathW.KERNEL32 ref: 00007FF663C6DC49

Part of subcall function 00007FF663C41FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C41FFB

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF663C6EEE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EEEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF19
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF2B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF31
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF49
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6EF5B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF663C6EF67
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF663C6EF73

Strings

MAX, xrefs: 00007FF663C6EA82, 00007FF663C6EA91
lnk, xrefs: 00007FF663C6E3CA, 00007FF663C6E3D9
MIN, xrefs: 00007FF663C6EAE5, 00007FF663C6EAF4
Software\Microsoft\Windows\CurrentVersion, xrefs: 00007FF663C6D501
@set:user, xrefs: 00007FF663C6DD96, 00007FF663C6DDA5
HIDE, xrefs: 00007FF663C6E9E5, 00007FF663C6E9F4
ProgramFilesDir, xrefs: 00007FF663C6D4F0
.tmp, xrefs: 00007FF663C6DA85
<br>, xrefs: 00007FF663C6D6DA, 00007FF663C6D6E9
.lnk, xrefs: 00007FF663C6E406, 00007FF663C6E415

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$ItemPathTemp
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 1275900774-3916287355
Opcode ID: cac509c614b203b8349121355fbb87f3211af6ba43052407af84ed962e8e34b6
Instruction ID: 06a88dcf12901bf87f36ff0981376cc5a102d4f3b9988e198c4aa2abad431677
Opcode Fuzzy Hash: cac509c614b203b8349121355fbb87f3211af6ba43052407af84ed962e8e34b6
Instruction Fuzzy Hash: 6C13AD32A04B82C9EB109F75D8462FC27B1EB41398F501536EA5DABBDADF38E595C340

Function 00007FF663C70754 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF663C5DFD0: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF663C5E018
Part of subcall function 00007FF663C5DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF663C5E030
Part of subcall function 00007FF663C5DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF663C5E05D

Part of subcall function 00007FF663C562DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF663C562F2
Part of subcall function 00007FF663C562DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF663C5632C

Part of subcall function 00007FF663C6946C: OleInitialize.OLE32 ref: 00007FF663C69486
Part of subcall function 00007FF663C6946C: SHGetMalloc.SHELL32 ref: 00007FF663C694D4

GetCommandLineW.KERNEL32 ref: 00007FF663C7096E
OpenFileMappingW.KERNEL32 ref: 00007FF663C70A07
MapViewOfFile.KERNEL32 ref: 00007FF663C70A30
UnmapViewOfFile.KERNEL32 ref: 00007FF663C70A46
MapViewOfFile.KERNEL32 ref: 00007FF663C70A63
UnmapViewOfFile.KERNEL32 ref: 00007FF663C70ACA
CloseHandle.KERNEL32 ref: 00007FF663C70AD3
SetEnvironmentVariableW.KERNEL32 ref: 00007FF663C70BAD
GetLocalTime.KERNEL32 ref: 00007FF663C70BB8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF663C70C13
SetEnvironmentVariableW.KERNEL32 ref: 00007FF663C70C26
GetModuleHandleW.KERNEL32 ref: 00007FF663C70C2E
LoadIconW.USER32 ref: 00007FF663C70C4D
DialogBoxParamW.USER32 ref: 00007FF663C70CB6
Sleep.KERNEL32 ref: 00007FF663C70CE6
CloseHandle.KERNEL32 ref: 00007FF663C70D67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C70DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C70DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C70DE3

Part of subcall function 00007FF663C6FD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF663C6FD43
Part of subcall function 00007FF663C6FD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF663C6FDBC

Strings

winrarsfxmappingfile.tmp, xrefs: 00007FF663C709F9
sfxstime, xrefs: 00007FF663C70C1F
sfxname, xrefs: 00007FF663C70B9B
STARTDLG, xrefs: 00007FF663C70CA5
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF663C70C02

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDirectoryModuleProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3400486126-3710569615
Opcode ID: 915dcf94f2fc9226729027f2c98a7d2c819f7627f6a6cfa0c301de63e570f219
Instruction ID: aae0650b347252c1540bea860db78b535d1c9ce59713687e4eebf46f68851bf4
Opcode Fuzzy Hash: 915dcf94f2fc9226729027f2c98a7d2c819f7627f6a6cfa0c301de63e570f219
Instruction Fuzzy Hash: A0127261A18B86D6EB109B25E8462B97371FF85794F404231FA9DAABA9DF3DF140D300

Function 00007FF663C5A4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF663C5A504

Part of subcall function 00007FF663C60F68: WideCharToMultiByte.KERNEL32 ref: 00007FF663C60F99

SetDlgItemTextW.USER32 ref: 00007FF663C5A573
GetWindowRect.USER32 ref: 00007FF663C5A5AD
GetClientRect.USER32 ref: 00007FF663C5A5BB
GetWindowLongPtrW.USER32 ref: 00007FF663C5A66C
GetWindowRect.USER32 ref: 00007FF663C5A6B2
SetWindowTextW.USER32 ref: 00007FF663C5A6EC
GetSystemMetrics.USER32 ref: 00007FF663C5A6F7
GetWindow.USER32 ref: 00007FF663C5A708
GetWindowRect.USER32 ref: 00007FF663C5A746
GetWindow.USER32 ref: 00007FF663C5A808

Strings

$%s:, xrefs: 00007FF663C5A4EF
CAPTION, xrefs: 00007FF663C5A6CF

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 2100155373-404845831
Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction ID: c20cf3e4bb52bbe0a51bfe952cb1c37089ba043914e28089e4caadf80418b11a
Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction Fuzzy Hash: EE91B436A18641C6E714DF3AA8116A9A7B1FBC4784F445535FE49ABB98CE3CE805CB40

Function 00007FF663C68624 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32 ref: 00007FF663C6863D
SizeofResource.KERNEL32 ref: 00007FF663C68659
LoadResource.KERNEL32 ref: 00007FF663C68673
LockResource.KERNEL32 ref: 00007FF663C68685
GlobalAlloc.KERNELBASE ref: 00007FF663C686A6
GlobalLock.KERNEL32 ref: 00007FF663C686BB
CreateStreamOnHGlobal.COMBASE ref: 00007FF663C686E8
GdipAlloc.GDIPLUS ref: 00007FF663C686FE
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF663C68769
GlobalUnlock.KERNEL32 ref: 00007FF663C6878C
GlobalFree.KERNEL32 ref: 00007FF663C68795

Strings

PNG, xrefs: 00007FF663C6862F

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction ID: 4c6ac83a71ebb144d1e88763ef989d8cdbd54ac08b2d09ec18d1270b49244bac
Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction Fuzzy Hash: 01413D25A09B12C2EF149B27D85577967B0BF8AB90F040435EE0DDB7A4EF7CE5488300

Function 00007FF663C4F930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C51239
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C5123F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C51245
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C5124B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C51251
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C51257
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C5125D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C51263

Strings

__tmp_reference_source_, xrefs: 00007FF663C4FCCF, 00007FF663C4FCDE

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: __tmp_reference_source_
API String ID: 3668304517-685763994
Opcode ID: 6851538e357941a99ebb696b081bc24ed3bcd29be91ebe21427510cb9cba344c
Instruction ID: bf628beca7c7f5c35bb534a49e7c3badbe255944fcbff13a4f64ec0c82793b61
Opcode Fuzzy Hash: 6851538e357941a99ebb696b081bc24ed3bcd29be91ebe21427510cb9cba344c
Instruction Fuzzy Hash: ADE29672A086C2D2EA64CB25D4563BE67B1FB81794F404131EB9DAB7A6CF3CE465C700

Function 00007FF663C44840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4511E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C45124
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4512A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C45E16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C45E1C

Strings

CMT, xrefs: 00007FF663C459B2

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: CMT
API String ID: 3668304517-2756464174
Opcode ID: 84bdbc0025f9110493083925689b4d7f895f5cf4e4c171c52cbbd829bd468cec
Instruction ID: 3c89f98ac0bf6a8993000bbc69eb6b7fe6f713068d62ab5d4c5718e704bd64e7
Opcode Fuzzy Hash: 84bdbc0025f9110493083925689b4d7f895f5cf4e4c171c52cbbd829bd468cec
Instruction Fuzzy Hash: 31E2DC22B08682C6EB28DB65D5522FE77B1FB45794F400035EA5EABB96DF3CE465C300

Function 00007FF663C540BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007FF663C5410B
FindFirstFileW.KERNELBASE ref: 00007FF663C5415E
GetLastError.KERNEL32 ref: 00007FF663C541AF
FindNextFileW.KERNEL32 ref: 00007FF663C541D7
GetLastError.KERNEL32 ref: 00007FF663C541E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C5430F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C54315

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: 5b7a682f346ba33cc6e8113bf8bb974c5d06c867b30d63dc8f71ee7e42fd28a6
Instruction ID: d6372e24618d3d75fd7efc71d4347bfae2912c492d5815018f65522cbc120d1b
Opcode Fuzzy Hash: 5b7a682f346ba33cc6e8113bf8bb974c5d06c867b30d63dc8f71ee7e42fd28a6
Instruction Fuzzy Hash: 88619372A18646C1DA108B25E84226E6371FB957B4F105331FAADABBD9DF3CE564C700

Function 00007FF663C45E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586COMMON

Download Yara Rule

Strings

CMT, xrefs: 00007FF663C459B2, 00007FF663C4675B

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: 1483503f4f6562bc116dab0f55c891e212737330d95d7192c6dc5e801ab4a3f4
Instruction ID: a52fc4ed34d3cf779ff21349a6c898f46c78b4ade466950d01e1a03fc59ca92d
Opcode Fuzzy Hash: 1483503f4f6562bc116dab0f55c891e212737330d95d7192c6dc5e801ab4a3f4
Instruction Fuzzy Hash: 5A42AF22B08A82D6EB18DB74D1522FD67B1EB51754F400136EB5EAB79BDF38E568C300

Function 00007FF663C61F20 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00cc9b5d49baee892d39d1da46008d2b4229947a5b0a2c39888c4d08721f4c94
Instruction ID: 7dda9045fd33c8c4d6e660b0dc581d0f76d66ce882602b29f9c9bf5a16277674
Opcode Fuzzy Hash: 00cc9b5d49baee892d39d1da46008d2b4229947a5b0a2c39888c4d08721f4c94
Instruction Fuzzy Hash: 0CE1E722A08282CAEB64CF2AA4562BD77B1FB46748F055135EB4EEB746DF3CE541C704

Function 00007FF663C63484 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f1d4af68ebc00f7ab7abf4cea58f5074969ee2768498b55c72978f68bcf28
Instruction ID: 11b12d6eba9e8c1e976afa96fa8c4511cf11f9c138709b569555ebade37dd772
Opcode Fuzzy Hash: 3d9f1d4af68ebc00f7ab7abf4cea58f5074969ee2768498b55c72978f68bcf28
Instruction Fuzzy Hash: B2B1E0A2B04BC992DE59CA66DA096F963B1B746FC4F488036EE0D6B751DF3CE155C300

Function 00007FF663C54928 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID:
API String ID: 3340455307-0
Opcode ID: 351ceed20d24346c920f2b33a82c7c15764e1b5f9a2ac08ee0b3c21e451927ce
Instruction ID: 7290c7ebd910d568f509b67dfcb6e62d7114a9912714054f32461c9fa5834609
Opcode Fuzzy Hash: 351ceed20d24346c920f2b33a82c7c15764e1b5f9a2ac08ee0b3c21e451927ce
Instruction Fuzzy Hash: E0412832B15696C6FBA4DF21E94376A2272FBC4B94F045030EE0DAB795CE3CE4628704

Function 00007FF663C5DFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF663C5E018
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF663C5E030
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF663C5E05D
CreateFileW.KERNEL32 ref: 00007FF663C5E3F0
SetFilePointer.KERNEL32 ref: 00007FF663C5E40E
ReadFile.KERNEL32 ref: 00007FF663C5E436

Part of subcall function 00007FF663C5DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF663C5DDDF

CompareStringW.KERNELBASE ref: 00007FF663C5E559
CloseHandle.KERNEL32 ref: 00007FF663C5E4F3

Part of subcall function 00007FF663C41FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C41FFB

Part of subcall function 00007FF663C551A4: GetVersionExW.KERNEL32 ref: 00007FF663C551D5

Part of subcall function 00007FF663C5DFD0: LoadLibraryExW.KERNELBASE ref: 00007FF663C5DEFF
Part of subcall function 00007FF663C5DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C5DFB5
Part of subcall function 00007FF663C5DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C5DFBB
Part of subcall function 00007FF663C5DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C5DFC1
Part of subcall function 00007FF663C5DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C5DFC7

AllocConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF663C5E74B
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?), ref: 00007FF663C5E755
AttachConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF663C5E75D
GetStdHandle.KERNEL32(?,?,?,00000000,?), ref: 00007FF663C5E780
WriteConsoleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF663C5E799
Sleep.KERNEL32(?,?,?,00000000,?), ref: 00007FF663C5E7A4
FreeConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF663C5E7AA
ExitProcess.KERNEL32 ref: 00007FF663C5E7BB

Strings

linkinfo.dll, xrefs: 00007FF663C5E347
cscapi.dll, xrefs: 00007FF663C5E22F
rsaenh.dll, xrefs: 00007FF663C5E0A7
kernel32, xrefs: 00007FF663C5E011
cryptui.dll, xrefs: 00007FF663C5E1A3
uxtheme.dll, xrefs: 00007FF663C5E66D
rasadhlp.dll, xrefs: 00007FF663C5E30F
netapi32.dll, xrefs: 00007FF663C5E16B
version.dll, xrefs: 00007FF663C5E07B
msasn1.dll, xrefs: 00007FF663C5E195
devrtl.dll, xrefs: 00007FF663C5E29F
profapi.dll, xrefs: 00007FF663C5E205
SetDllDirectoryW, xrefs: 00007FF663C5E026
ieframe.dll, xrefs: 00007FF663C5E120
dnsapi.DLL, xrefs: 00007FF663C5E259
psapi.dll, xrefs: 00007FF663C5E115
dhcpcsvc.dll, xrefs: 00007FF663C5E32B
aclui.dll, xrefs: 00007FF663C5E371
UXTheme.dll, xrefs: 00007FF663C5E0B2
peerdist.dll, xrefs: 00007FF663C5E38D
ws2_32.dll, xrefs: 00007FF663C5E0FF
netutils.dll, xrefs: 00007FF663C5E283
comres.dll, xrefs: 00007FF663C5E0F4
sfc_os.dll, xrefs: 00007FF663C5E091
cabinet.dll, xrefs: 00007FF663C5E1DB
crypt32.dll, xrefs: 00007FF663C5E187
ntshrui.dll, xrefs: 00007FF663C5E12B
mlang.dll, xrefs: 00007FF663C5E2BB
dwmapi.dll, xrefs: 00007FF663C5E0BD, 00007FF663C5E661
browcli.dll, xrefs: 00007FF663C5E301
imageres.dll, xrefs: 00007FF663C5E24B
atl.dll, xrefs: 00007FF663C5E136
dsrole.dll, xrefs: 00007FF663C5E37F
cryptsp.dll, xrefs: 00007FF663C5E355
SetDefaultDllDirectories, xrefs: 00007FF663C5E053
iphlpapi.DLL, xrefs: 00007FF663C5E267
propsys.dll, xrefs: 00007FF663C5E2AD
lpk.dll, xrefs: 00007FF663C5E0D3
dfscli.dll, xrefs: 00007FF663C5E2F3
RpcRtRemote.dll, xrefs: 00007FF663C5E363
WindowsCodecs.dll, xrefs: 00007FF663C5E213
dhcpcsvc6.dll, xrefs: 00007FF663C5E31D
samlib.dll, xrefs: 00007FF663C5E2D7
setupapi.dll, xrefs: 00007FF663C5E141
ws2help.dll, xrefs: 00007FF663C5E10A
shdocvw.dll, xrefs: 00007FF663C5E179
slc.dll, xrefs: 00007FF663C5E23D
oleaccrc.dll, xrefs: 00007FF663C5E1E9
apphelp.dll, xrefs: 00007FF663C5E14F
usp10.dll, xrefs: 00007FF663C5E0DE
SSPICLI.DLL, xrefs: 00007FF663C5E09C
secur32.dll, xrefs: 00007FF663C5E1CD
clbcatq.dll, xrefs: 00007FF663C5E0E9
cryptbase.dll, xrefs: 00007FF663C5E0C8
wintrust.dll, xrefs: 00007FF663C5E1B1
XmlLite.dll, xrefs: 00007FF663C5E339
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF663C5E73B
mpr.dll, xrefs: 00007FF663C5E291
srvcli.dll, xrefs: 00007FF663C5E221
samcli.dll, xrefs: 00007FF663C5E2C9
shell32.dll, xrefs: 00007FF663C5E1BF
wkscli.dll, xrefs: 00007FF663C5E2E5
userenv.dll, xrefs: 00007FF663C5E15D
ntmarta.dll, xrefs: 00007FF663C5E1F7
DXGIDebug.dll, xrefs: 00007FF663C5E086, 00007FF663C5E5B6
WINNSI.DLL, xrefs: 00007FF663C5E275

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 1496594111-2013832382
Opcode ID: bf3e3aa97e4221fedf22e700a2e9e8c0c09081c11d5f1b10540170e9206d2c43
Instruction ID: 97fda54901c839e12ff9bf0c8ab8fb16d7f838541cbda1bf7e4b5b6830ef780d
Opcode Fuzzy Hash: bf3e3aa97e4221fedf22e700a2e9e8c0c09081c11d5f1b10540170e9206d2c43
Instruction Fuzzy Hash: 24321E31A09B82E5EB219F64E8421E937B4FF44354F501236EA4DABBA5EF3CE655C340

Function 00007FF663C598DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C58E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF663C58F8D

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF663C59F75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C5A42F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C5A435

Part of subcall function 00007FF663C60BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF663C60B44), ref: 00007FF663C60BE9

Strings

*messages***, xrefs: 00007FF663C59C04
,, xrefs: 00007FF663C59FAA
$%s:, xrefs: 00007FF663C59F50
DIALOG, xrefs: 00007FF663C59DCD
*messages***, xrefs: 00007FF663C59BC6
MENU, xrefs: 00007FF663C59DD9
@%s:, xrefs: 00007FF663C59F57
DIRECTION, xrefs: 00007FF663C59DE5
STRINGS, xrefs: 00007FF663C59DC1
, xrefs: 00007FF663C59DF9
RTL, xrefs: 00007FF663C59F2E

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: 96347e7981fae7733940ad93ba4258564ebec1a9a55cc8409c872ccb2165f156
Instruction ID: 58dfe7c8cf89294468f9eaa04bdbe67e371adf8f1c83050c8a6713f687278268
Opcode Fuzzy Hash: 96347e7981fae7733940ad93ba4258564ebec1a9a55cc8409c872ccb2165f156
Instruction Fuzzy Hash: 6762CF76A19682D5EB11DB25C4462BE2371FB807A8F804131EA4EAB7D5EF3DE564C340

Function 00007FF663C71900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF663C71558: DloadProtectSection.DELAYIMP ref: 00007FF663C715C9

RaiseException.KERNEL32 ref: 00007FF663C719A7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF663C71993

Part of subcall function 00007FF663C71868: DloadProtectSection.DELAYIMP ref: 00007FF663C718C7

LoadLibraryExA.KERNELBASE ref: 00007FF663C71A46
GetLastError.KERNEL32 ref: 00007FF663C71A54
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF663C71A86
RaiseException.KERNEL32 ref: 00007FF663C71A9A

Strings

H, xrefs: 00007FF663C71974

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction ID: 99e2c1113ba114d5f9516f8d09c50e0eca8d4b9f3c9f6a153a07da2642df8126
Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction Fuzzy Hash: 83915A72A05B52DAEB10CFA9D8566AC37B1FB08B98F054435EE0D6BB54EF38E545C340

Function 00007FF663C6F4E0 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 285
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 00007FF663C6F747
IsWindowVisible.USER32 ref: 00007FF663C6F777
ShowWindow.USER32 ref: 00007FF663C6F786
WaitForInputIdle.USER32 ref: 00007FF663C6F797
GetExitCodeProcess.KERNEL32 ref: 00007FF663C6F7BD
CloseHandle.KERNEL32 ref: 00007FF663C6F7E7
ShowWindow.USER32 ref: 00007FF663C6F83F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6F8FB

Strings

p, xrefs: 00007FF663C6F529
.inf, xrefs: 00007FF663C6F675
Install, xrefs: 00007FF663C6F684
.exe, xrefs: 00007FF663C6F7F2

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 148627002-3607691742
Opcode ID: ba68baa1d40b04d42f521f463501f8dbe15c8949e0b8882c71566322c056b8bc
Instruction ID: 60676b6283854926521e7ceaa1b0040fc2ea6ce6ad23b474bfb1fb2e0621e461
Opcode Fuzzy Hash: ba68baa1d40b04d42f521f463501f8dbe15c8949e0b8882c71566322c056b8bc
Instruction Fuzzy Hash: 4BC17162F18602D9FB10DB66D95227D27B1BF8A784F045035EE4DABBA5DF3CE8618340

Function 00007FF663C6F0A4 Relevance: 16.6, APIs: 11, Instructions: 102
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF663C6AE1C: PeekMessageW.USER32 ref: 00007FF663C6AE32
Part of subcall function 00007FF663C6AE1C: GetMessageW.USER32 ref: 00007FF663C6AE49
Part of subcall function 00007FF663C6AE1C: IsDialogMessageW.USER32 ref: 00007FF663C6AE60
Part of subcall function 00007FF663C6AE1C: TranslateMessage.USER32 ref: 00007FF663C6AE6F
Part of subcall function 00007FF663C6AE1C: DispatchMessageW.USER32 ref: 00007FF663C6AE7A

GetDlgItem.USER32 ref: 00007FF663C6F0E3
ShowWindow.USER32 ref: 00007FF663C6F109
SendMessageW.USER32 ref: 00007FF663C6F11E
SendMessageW.USER32 ref: 00007FF663C6F136
SendMessageW.USER32 ref: 00007FF663C6F157
SendMessageW.USER32 ref: 00007FF663C6F173
SendMessageW.USER32 ref: 00007FF663C6F1B6
SendMessageW.USER32 ref: 00007FF663C6F1D4
SendMessageW.USER32 ref: 00007FF663C6F1E8
SendMessageW.USER32 ref: 00007FF663C6F212
SendMessageW.USER32 ref: 00007FF663C6F22A

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 3569833718-0
Opcode ID: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction ID: 25eea3102da7f3816aa894ff6c523e3a73c7619aa7f0d9564f2f8f54f1f307c2
Opcode Fuzzy Hash: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction Fuzzy Hash: 6F41B371B14642CAF700CF71E812BAA3770FB85B98F442135ED0A6BB95CE7DE4458744

Function 00007FF663C4EF10 Relevance: 11.0, APIs: 7, Instructions: 453COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4F542
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4F548
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4F554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4F55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4F560
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4F56C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4F572

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: e994a9db728abc9e3b7c2f1aeddd0c1bbb8b4fdc17eb45be45aeabee48c93372
Instruction ID: 8cc998b4be554f0209962eef8f2b69d7ad19af53c3ebea90831a7c52003c3e07
Opcode Fuzzy Hash: e994a9db728abc9e3b7c2f1aeddd0c1bbb8b4fdc17eb45be45aeabee48c93372
Instruction Fuzzy Hash: A4129062F08742C9FA10DB65D4462AD23B1EB457A8F404232EE5DABBDADF3CE585C340

Function 00007FF663C524C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF663C5259B
GetLastError.KERNEL32 ref: 00007FF663C525AE
CreateFileW.KERNEL32 ref: 00007FF663C5260E
GetLastError.KERNEL32 ref: 00007FF663C52617
SetFileTime.KERNEL32 ref: 00007FF663C526C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C52736

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: 7e74b88d639c8d570aa5cbccebcd9353285634c108726f52f9c563d03d833b9c
Instruction ID: 844e817b994a160368c89f64c8bd78e7a7a9b5ce15cb950b05788891ae34d9fb
Opcode Fuzzy Hash: 7e74b88d639c8d570aa5cbccebcd9353285634c108726f52f9c563d03d833b9c
Instruction Fuzzy Hash: 4961D272A18781C5E7208B29E41236E67B1FB847B8F101334EEA96BBD8CF3DD0658704

Function 00007FF663C6FE24 Relevance: 7.5, APIs: 5, Instructions: 29
windowsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 00007FF663C6FE41
GetMessageW.USER32 ref: 00007FF663C6FE58
TranslateMessage.USER32 ref: 00007FF663C6FE63
DispatchMessageW.USER32 ref: 00007FF663C6FE6E
WaitForSingleObject.KERNEL32 ref: 00007FF663C6FE7C

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction ID: eb5382de49a4c845a6d55e076a588a30add01bb72a600e2ea1affc2c76e03166
Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction Fuzzy Hash: 83F04F21B28556C3FB508731E496A3A6271FFE4B05F441030F64E99A959E2DD149C700

Function 00007FF663C6AE1C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 00007FF663C6AE32
GetMessageW.USER32 ref: 00007FF663C6AE49
IsDialogMessageW.USER32 ref: 00007FF663C6AE60
TranslateMessage.USER32 ref: 00007FF663C6AE6F
DispatchMessageW.USER32 ref: 00007FF663C6AE7A

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction ID: 4a88f27510750fb0593f7da7a120fb361b147fa0c4a0db1bbd914a1954c7d7bb
Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction Fuzzy Hash: 07F0EC25E38562C3FB509B21E8A6A3A6371FFD0705F806431F64E95A55DF2DD518CB00

Function 00007FF663C691E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 00007FF663C69211
SHAutoComplete.SHLWAPI ref: 00007FF663C69255

Part of subcall function 00007FF663C613C4: CompareStringW.KERNEL32 ref: 00007FF663C613E3

FindWindowExW.USER32 ref: 00007FF663C6923F

Strings

EDIT, xrefs: 00007FF663C6921B, 00007FF663C69233

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction ID: ab4d157ab468df105b3f767a5f21ae05b39dc40cf75c1ef11e6e21f189465022
Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction Fuzzy Hash: C0018161B18A43C1FA609B22E8223B663B4AF99B44F441031ED4EAE795DE3CE149C680

Function 00007FF663C52CE0 Relevance: 6.1, APIs: 4, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(00007FF663C58C9A), ref: 00007FF663C52D22
WriteFile.KERNEL32 ref: 00007FF663C52D6C
WriteFile.KERNELBASE ref: 00007FF663C52D9A

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 95d7fd16c8d926fcf5da752308064adee905e679e75eda990adbc5c1a1c917ca
Instruction ID: 079511bb0ba045a2b0c5d6275714d385035def757bd4199e566652062496cb67
Opcode Fuzzy Hash: 95d7fd16c8d926fcf5da752308064adee905e679e75eda990adbc5c1a1c917ca
Instruction Fuzzy Hash: 3251E132B19A42D2FA608B25D85677A63B0FF85BA4F440131FA4DAAB90DF7CE595C300

Function 00007FF663C703E0 Relevance: 6.1, APIs: 4, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32 ref: 00007FF663C70556
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C705C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C705C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C705CD

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$TextWindow
String ID:
API String ID: 2912839123-0
Opcode ID: 398714b8a983ed6cb119d18cda1b7bc47d2b30c0ee71a2e849910cbb5793c2eb
Instruction ID: dec8318d337f51eb6492ba12d90beb1a8b2720ae60ca4a0a62ce86aa75d14046
Opcode Fuzzy Hash: 398714b8a983ed6cb119d18cda1b7bc47d2b30c0ee71a2e849910cbb5793c2eb
Instruction Fuzzy Hash: AB519FA2F14762C4FB009BA5D8462AD2332BF45BE4F400236EE1DAABD6DF6DE441C304

Function 00007FF663C53684 Relevance: 6.1, APIs: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,00000000,?,00007FF663C5309D), ref: 00007FF663C536CE
CreateDirectoryW.KERNEL32 ref: 00007FF663C53733
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF663C5309D), ref: 00007FF663C53791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C537CE

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2359106489-0
Opcode ID: 9d9d2995018f7f6f648ac6a5d97c5d37007cde808aee1d861722df7aa9659c46
Instruction ID: fe3a6194a888947de5d47c3c87882f667bb38f8ce0a002311203ff6ab75b6d10
Opcode Fuzzy Hash: 9d9d2995018f7f6f648ac6a5d97c5d37007cde808aee1d861722df7aa9659c46
Instruction Fuzzy Hash: AA31A032E0C642C1EA609B25A9462796271FB887E0F540231FE8DEA7D5CF3CE5658700

Function 00007FF663C72D6C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF663C72D7B

Part of subcall function 00007FF663C727FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF663C7281E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF663C72D90
__scrt_release_startup_lock.LIBCMT ref: 00007FF663C72DFE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF663C72E51

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction ID: 94e4cd8113efd5144070e07f0e89a41c6365c4b9ae647d2b6b83f3184f87b1f7
Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction Fuzzy Hash: A6313721E1D243C2FA64AB6498237BA27B1AF45384F445434FE4EEF7D3DE2CB9448291

Function 00007FF663C52320 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,00007FF663C52927,?,00100000,?,00000001,00000000,00000000,?,00007FF663C514C1), ref: 00007FF663C52348
ReadFile.KERNELBASE ref: 00007FF663C52367
GetLastError.KERNEL32 ref: 00007FF663C5239B
GetLastError.KERNEL32 ref: 00007FF663C523BA

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction ID: f4c0b11f382e227e9833c7db40b1c6562214d1d7e93c0e83f0a73a2534cb35b5
Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction Fuzzy Hash: E9219231A0C642C1EA605F11A41123967F8FF65BA4F144530FA5DEE784CF7CE8A58710

Function 00007FF663C5E948 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C5ECD8: ResetEvent.KERNEL32 ref: 00007FF663C5ECF1
Part of subcall function 00007FF663C5ECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF663C5ED07

ReleaseSemaphore.KERNEL32 ref: 00007FF663C5E974
CloseHandle.KERNELBASE ref: 00007FF663C5E993
DeleteCriticalSection.KERNEL32 ref: 00007FF663C5E9AA
CloseHandle.KERNEL32 ref: 00007FF663C5E9B7

Part of subcall function 00007FF663C5EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF663C5E95F,?,?,?,00007FF663C5463A,?,?,?), ref: 00007FF663C5EA63
Part of subcall function 00007FF663C5EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF663C5E95F,?,?,?,00007FF663C5463A,?,?,?), ref: 00007FF663C5EA6E

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 502429940-0
Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction ID: b1273b325a2aaaa28029efda4888ff09e4f81e61d06023d9c328f8e12e29b288
Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction Fuzzy Hash: 08014032A18B91E2E658DB21E5856ADB731FB84BD0F005031EB5D67725CF39E5B4C740

Function 00007FF663C6B014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32 ref: 00007FF663C6B02A
GetObjectW.GDI32 ref: 00007FF663C6B05B

Part of subcall function 00007FF663C68624: FindResourceW.KERNEL32 ref: 00007FF663C6863D
Part of subcall function 00007FF663C68624: SizeofResource.KERNEL32 ref: 00007FF663C68659
Part of subcall function 00007FF663C68624: LoadResource.KERNEL32 ref: 00007FF663C68673
Part of subcall function 00007FF663C68624: LockResource.KERNEL32 ref: 00007FF663C68685
Part of subcall function 00007FF663C68624: GlobalAlloc.KERNELBASE ref: 00007FF663C686A6
Part of subcall function 00007FF663C68624: GlobalLock.KERNEL32 ref: 00007FF663C686BB
Part of subcall function 00007FF663C68624: CreateStreamOnHGlobal.COMBASE ref: 00007FF663C686E8
Part of subcall function 00007FF663C68624: GdipAlloc.GDIPLUS ref: 00007FF663C686FE
Part of subcall function 00007FF663C68624: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF663C68769
Part of subcall function 00007FF663C68624: GlobalUnlock.KERNEL32 ref: 00007FF663C6878C
Part of subcall function 00007FF663C68624: GlobalFree.KERNEL32 ref: 00007FF663C68795

Strings

], xrefs: 00007FF663C6B063

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Global$Resource$AllocBitmapCreateGdipLoadLock$FindFreeFromObjectSizeofStreamUnlock
String ID: ]
API String ID: 2565863721-3352871620
Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction ID: 6d04cb4f35d855d91ddee03ba86e91d1f149df5acacc81ef1669fe7ea66af635
Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction Fuzzy Hash: BA114661B0D742C2FA649B23A65677957B1EF8ABC4F080034F95D9FB96DE3DE8048740

Function 00007FF663C5EAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF663C5EAE0
SetThreadPriority.KERNEL32 ref: 00007FF663C5EB36

Strings

CreateThread failed, xrefs: 00007FF663C5EAEE

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction ID: 7eb7e1b6c46463d8fcf5f61a7f8c3ad717f8cd27894e94910bc00aa1ac559939
Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction Fuzzy Hash: 84114C31A09B42D2EB15DF20E8422AA7770FB84B94F544131FA8DAA769EF3CE595C740

Function 00007FF663C6946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C5DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF663C5DDDF

OleInitialize.OLE32 ref: 00007FF663C69486
SHGetMalloc.SHELL32 ref: 00007FF663C694D4

Strings

riched20.dll, xrefs: 00007FF663C69475

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction ID: ff22e3ce0a755e6013e6abe8452c949ba930d5731897f12de8f418cd1a3745c7
Opcode Fuzzy Hash: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction Fuzzy Hash: 0DF04F71618A41C2EB009F60F41616AB7B0FF88754F401135FA8E9A754DF7CE199CB00

Function 00007FF663C6095C Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C6853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF663C6856C

Part of subcall function 00007FF663C5AAE0: LoadStringW.USER32 ref: 00007FF663C5AB67
Part of subcall function 00007FF663C5AAE0: LoadStringW.USER32 ref: 00007FF663C5AB80

Part of subcall function 00007FF663C41FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C41FFB

Part of subcall function 00007FF663C4129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF663C41396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C701BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C701C1
SendDlgItemMessageW.USER32 ref: 00007FF663C701F2

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
String ID:
API String ID: 3106221260-0
Opcode ID: 50943eb0d71ceff129c8121e8f01f0fadb5476574ce88c5faafc7aadbcf6f760
Instruction ID: 97061586ed9c3e3539d12137fb2c094c893af138f456fed9d67c860bca2bce6b
Opcode Fuzzy Hash: 50943eb0d71ceff129c8121e8f01f0fadb5476574ce88c5faafc7aadbcf6f760
Instruction Fuzzy Hash: 9851BE62F05642CAFB109BA6D4562FD2372AB85B98F400235EE4DAB7DADE2CE510C340

Function 00007FF663C41744 Relevance: 4.6, APIs: 3, Instructions: 118COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4189C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF663C418A8
__std_exception_copy.LIBVCRUNTIME ref: 00007FF663C418D4

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2371198981-0
Opcode ID: a50b0030b050ded6b6f91e1f6aff0fbaa0ec1f604de9c547ba2e308d5291563c
Instruction ID: 42e822800f960fddd29f790a06713c6f68527392766bc258a23884941b516565
Opcode Fuzzy Hash: a50b0030b050ded6b6f91e1f6aff0fbaa0ec1f604de9c547ba2e308d5291563c
Instruction Fuzzy Hash: B4411462B08645C5EA14DB16E646279A375EB04BE0F544231EEBC9FBD6DF3CE0A1C304

Function 00007FF663C52134 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF663C521CF
CreateFileW.KERNEL32 ref: 00007FF663C5223C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C522D8

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: 4ce248ffffd21e537046429b603db88a9fd2a3d13b10b45fb751dcef003d6319
Instruction ID: f91a3484e2f188f8f05e8fb47d6260d7d012d65fa332612e707ab3f18f943646
Opcode Fuzzy Hash: 4ce248ffffd21e537046429b603db88a9fd2a3d13b10b45fb751dcef003d6319
Instruction Fuzzy Hash: 1341B372A08785C2EB248B15E45626A67B1FB847B4F105334EFAD5BBD5CF3DE4A18700

Function 00007FF663C423F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00007FF663C4243E
GetWindowTextW.USER32 ref: 00007FF663C42476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C42505

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: 324ad9725680782466c8b9226039195d64c3332d7d8035b24254b52cca95445d
Instruction ID: dc5b6de69c929acea602f619ad0eb9e816600f5c865d60371dfb6b100fce672a
Opcode Fuzzy Hash: 324ad9725680782466c8b9226039195d64c3332d7d8035b24254b52cca95445d
Instruction Fuzzy Hash: F521B162A28B8581EA108B25B44217AA374FB89BD0F145231FFDD97B95CF3CE190C740

Function 00007FF663C61F94 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF663C6205B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF663C62077
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF663C62093

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: 0ac8b931c67533783bb99e44ed512301af0920adb1b65b15738df05c1e7b1342
Instruction ID: b5949272c952ebd8598a77dd9703dba0cdf5834cf514b26061c8300857be65a5
Opcode Fuzzy Hash: 0ac8b931c67533783bb99e44ed512301af0920adb1b65b15738df05c1e7b1342
Instruction Fuzzy Hash: 7D31AF22A09A86D1FB249B15E4563B963B0FB41B84F544031F68CAEBA9DF7CE946C301

Function 00007FF663C53D34 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00000000,00000001,?,00007FF663C607E1), ref: 00007FF663C53D5E
SetFileAttributesW.KERNEL32 ref: 00007FF663C53DB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C53E1A

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 523e4a483c86c9ac9ee543cf6c476d9bf2e9d6353514affc3e0f4067b8c7bc61
Instruction ID: fd9e7d5cdd088de66c482ed3e2b22bb02bcde9b14dac64fcd4e54c069b257890
Opcode Fuzzy Hash: 523e4a483c86c9ac9ee543cf6c476d9bf2e9d6353514affc3e0f4067b8c7bc61
Instruction Fuzzy Hash: 83218332A18B85C1EA209B25E85626A6371FF88BA4F505230FE9E9A795DF3CD551CB00

Function 00007FF663C531BC Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00007FF663C60822), ref: 00007FF663C531E7
DeleteFileW.KERNEL32 ref: 00007FF663C53237
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C532A1

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: 9e0f12d03b62ccef14e62e4bf3878a3457daa81ed2db8d115c48a0739d4b379d
Instruction ID: 5d313119e16e6efa63312666d522d04e0f029773b25ba9f61e5c31f082a0b29b
Opcode Fuzzy Hash: 9e0f12d03b62ccef14e62e4bf3878a3457daa81ed2db8d115c48a0739d4b379d
Instruction Fuzzy Hash: 5A218632A18B81C1EA108B25E85626E7371FB84BA4F505230FE9DAABD5DF3CE551C700

Function 00007FF663C532BC Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00007FF663C5E5B1,?,?,?,00000000,?), ref: 00007FF663C532E7
GetFileAttributesW.KERNELBASE ref: 00007FF663C53334
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C53399

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: d981565e32c06465bb9ca9e6032df0ff87469bcd01ee0110978b6e45bf249536
Instruction ID: 45961a61e383d9d5285f5f67194ee8b0e91b3b81b1eebc17107f29a3d1bc19a9
Opcode Fuzzy Hash: d981565e32c06465bb9ca9e6032df0ff87469bcd01ee0110978b6e45bf249536
Instruction Fuzzy Hash: 98218332A18B81C1EA108B29F8462297371FBD8BA4F540231FA9D9BBE5DF3CE551C700

Function 00007FF663C4F578 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4F895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4F89B

Part of subcall function 00007FF663C53EC8: FindClose.KERNELBASE(?,?,00000000,00007FF663C60811), ref: 00007FF663C53EFD

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFind
String ID:
API String ID: 3587649625-0
Opcode ID: 31de71ccb13629eb4e8ff473cf0e989b9a8a473b909947ada8621b483159802c
Instruction ID: 2e4d2f415e03a56ddb4e23d49836c2cde342e9b468f3eb916acaf332dced0317
Opcode Fuzzy Hash: 31de71ccb13629eb4e8ff473cf0e989b9a8a473b909947ada8621b483159802c
Instruction Fuzzy Hash: BE917E73A18A81D4EB10DB24D4462AD63B1FB85798F504135FA5CABBEADF78E585C300

Function 00007FF663C43904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C43AB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C43AB9

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 8a0d7ffcdee688d7cb22665fdd22367b6c642a36889c5767c2428ca75abdd5ff
Instruction ID: 556436ade900084f3c9aa2fd1f686649f1ebe1e84d6ddb3d684ee7e81d6a8c77
Opcode Fuzzy Hash: 8a0d7ffcdee688d7cb22665fdd22367b6c642a36889c5767c2428ca75abdd5ff
Instruction Fuzzy Hash: 4B418062F14652C4FB00DAB5D8522BD2770AF85BA8F145135EE1DBBBDADE38E4928300

Function 00007FF663C52778 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF663C5274D), ref: 00007FF663C528A9
GetLastError.KERNEL32(?,00007FF663C5274D), ref: 00007FF663C528B8

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction ID: ccd21b082bb3105fb6306c46f49f4a0692b76fefd57504dffa3773fa4bea1cc5
Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction Fuzzy Hash: CB31A433B19A52C2EA604B6AD95267963F0EF14BE4F180131FE1DAFB90DE3CE5519740

Function 00007FF663C422BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF663C422F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C423F0

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: 8763c555b957396376e96df864685bb2527d49eefc22d4d720e740779d29c564
Instruction ID: acad66ccfe33040e3513c0ba8323513cda1495f98b21e432dbb8d1bd2cc92b3c
Opcode Fuzzy Hash: 8763c555b957396376e96df864685bb2527d49eefc22d4d720e740779d29c564
Instruction Fuzzy Hash: 9331B022A18746C2EA209B25F45637EB374EB84B90F444231FB9C9BB96EF3CF1418704

Function 00007FF663C52AD0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF663C52AFE
SetFileTime.KERNELBASE ref: 00007FF663C52B9B

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction ID: 6600be2f34def7a5139cf1e6aaf0ba01f145e7710135faa12ebf4c8ae8b04d4b
Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction Fuzzy Hash: 2221E232F09B42D1EA628E51D4627BA67F0AF017A4F144131EE4E9A391EE3CD5A6C300

Function 00007FF663C5AAE0 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF663C5AB67
LoadStringW.USER32 ref: 00007FF663C5AB80

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction ID: d3f5605982d871b80724043c7067962742e704ea82235fb24fa5bb7450b56612
Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction Fuzzy Hash: 26116D75B08651C6EB048F1AA84216977B1BB88FD0F544535EE0DFB721DF7CE5518384

Function 00007FF663C52BB0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF663C52C11
GetLastError.KERNEL32 ref: 00007FF663C52C1E

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction ID: 342859d0dfa15471f778f695d3e0afb2336676498c33050df5758a1c9d13c53c
Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction Fuzzy Hash: E8116031A08641C1FB608B25E84226976B0FB54BB4F544331EA6DAA7D6CF3DE596C300

Function 00007FF663C4255C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C5A4AC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF663C5A504
Part of subcall function 00007FF663C5A4AC: SetDlgItemTextW.USER32 ref: 00007FF663C5A573
Part of subcall function 00007FF663C5A4AC: GetWindowRect.USER32 ref: 00007FF663C5A5AD
Part of subcall function 00007FF663C5A4AC: GetClientRect.USER32 ref: 00007FF663C5A5BB

GetDlgItem.USER32 ref: 00007FF663C425AC
SetWindowTextW.USER32 ref: 00007FF663C425C8

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ItemRectTextWindow$Clientswprintf
String ID:
API String ID: 3322643685-0
Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction ID: 3a4ca9e49a8d5e1c4aa9c690832782307b88c4d8b3ed94c5af598dc547586a57
Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction Fuzzy Hash: FF012520A1D34AC2FF556762A4672B957725F85744F085035F84DEE3DADE6CF485C300

Function 00007FF663C5EB58 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF663C5EBAD,?,?,?,?,00007FF663C55752,?,?,?,00007FF663C556DE), ref: 00007FF663C5EB5C
GetProcessAffinityMask.KERNEL32 ref: 00007FF663C5EB6F

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction ID: 0867a33a245b8bee1d1b39502b737179b605e2c1258257f585eab924ff6be7b4
Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction Fuzzy Hash: CDE0E561B1864682DB098B65C4428E973B2BF88B40B849035E60BD7B14DE3CE2458B00

Function 00007FF663C721D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF663C72200

Part of subcall function 00007FF663C72F7C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF663C72F85

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF663C72206

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
Instruction ID: aece2cb03b7e94919a0dace6b61a4e0ea63d1b69bd78c0c0ab0d4ba2e9581b0a
Opcode Fuzzy Hash: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
Instruction Fuzzy Hash: 1FE0BD40E0A20BC2FA2862A618371B400705F69371E581B30FE7EAC7D3EE1DF8A28150

Function 00007FF663C7D90C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF663C7D922
GetLastError.KERNEL32 ref: 00007FF663C7D934

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction ID: d63d726bef097ed84574e94e081ca1d764253b79d2ec9197cf3a20c00fd7c62e
Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction Fuzzy Hash: 74E08C60E09203C2FF28ABB2980B1B916F05F94B92F040034ED0DEE352EE3CB5818600

Function 00007FF663C433E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4388C

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: db0f75601c8d953953658c1d14be6529ec917dbd1ad2d5887d518296e9f1c024
Instruction ID: 92b6534b29654c1e006cd15d4c69900e7b9358806e518c90d2eea66ddafb7c3a
Opcode Fuzzy Hash: db0f75601c8d953953658c1d14be6529ec917dbd1ad2d5887d518296e9f1c024
Instruction Fuzzy Hash: 90D1C972B08682D6EB689B259A452BD67B1FB95B84F040035EF5D9B7A2CF3CE4708700

Function 00007FF663C55294 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C5551B

Part of subcall function 00007FF663C613F4: CompareStringW.KERNEL32 ref: 00007FF663C6145A

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: fa91c3799828e3c7186940546e344b2356dc381c1e63a9425ea543ecc2eeea66
Instruction ID: 0e272b35e637598087450e1fc24632453c6c8ee4435bccbf00139ff3e40b2037
Opcode Fuzzy Hash: fa91c3799828e3c7186940546e344b2356dc381c1e63a9425ea543ecc2eeea66
Instruction Fuzzy Hash: A261DF71E0C647C1FA649A2A841727A52B1AF95BF5F144131FE4FEEBC5EE6CE4618300

Function 00007FF663C61870 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C5E948: ReleaseSemaphore.KERNEL32 ref: 00007FF663C5E974
Part of subcall function 00007FF663C5E948: CloseHandle.KERNELBASE ref: 00007FF663C5E993
Part of subcall function 00007FF663C5E948: DeleteCriticalSection.KERNEL32 ref: 00007FF663C5E9AA
Part of subcall function 00007FF663C5E948: CloseHandle.KERNEL32 ref: 00007FF663C5E9B7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C61ACB

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 904680172-0
Opcode ID: f81b05313dfd5b5a73717daa6d384c08c9459244a7d30a6ec5ae517113eafb45
Instruction ID: edd696b679e8e85d70013219286cc6b7c670865d8255b141e61176245c775b80
Opcode Fuzzy Hash: f81b05313dfd5b5a73717daa6d384c08c9459244a7d30a6ec5ae517113eafb45
Instruction Fuzzy Hash: 2C617062B15685D2EE08DB6AD5560BC7375FB41F90B544232FB2D9BBD2CF28E4718300

Function 00007FF663C4EC9C Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4EEB8

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: d7b1a399856acf99fdb305a598bd345408e38bb8b7611d952776f17d246575aa
Instruction ID: ec5c3eb65a975ccd2d6722dfaceec28270b99e5fb1a90056eefce3923ffcd8ef
Opcode Fuzzy Hash: d7b1a399856acf99fdb305a598bd345408e38bb8b7611d952776f17d246575aa
Instruction Fuzzy Hash: CA51CF62A08A82C0EA14DB25E4463B96771FB85BD4F581132FF4DAB397CE3DE495C300

Function 00007FF663C4E7A8 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C53EC8: FindClose.KERNELBASE(?,?,00000000,00007FF663C60811), ref: 00007FF663C53EFD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4E993

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: e982e273b1865209a75a3cfd535ad9023e3388265a11ab7418cbf5dec2d39955
Instruction ID: 1b796883dd2a57ae2325f89730f53a63b1fa78442d77173d973576ab39dd85ba
Opcode Fuzzy Hash: e982e273b1865209a75a3cfd535ad9023e3388265a11ab7418cbf5dec2d39955
Instruction Fuzzy Hash: DF516F22A08786C2FE60DF28D4463AD6371FB94B94F451136FA8DAB7A6CF2CE441C350

Function 00007FF663C51794 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C5187D

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: cab7305fc7f02fa62d82a2074b03de0e890be2f3ad12253e4411164f42ee387c
Instruction ID: bb34c52e788322107a950653fdd392ee3cbcc6a116254639e56f5821dfbb9124
Opcode Fuzzy Hash: cab7305fc7f02fa62d82a2074b03de0e890be2f3ad12253e4411164f42ee387c
Instruction Fuzzy Hash: 1741E672B18B8182EE148E16AA06379A271FB44BD0F448535FE4D9BF5ADF3CE4A18300

Function 00007FF663C52F58 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C530C8

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: c12ddbc590a903591de313708f19a8cb728d3d3f41945339a7b2dbf0642da7e2
Instruction ID: 348ee2f8eeaf7e3f165be109dea36f37f9e40bcc7eac0277e19b2cc04ad0cf1e
Opcode Fuzzy Hash: c12ddbc590a903591de313708f19a8cb728d3d3f41945339a7b2dbf0642da7e2
Instruction Fuzzy Hash: B341E673A08B06C1EF149B29E94637963B1EB84BE8F141135FA8D9B799DF3DE4608700

Function 00007FF663C4129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF663C41396

Part of subcall function 00007FF663C41F80: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF663C41F89

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: 81bbc9496a7d415ea2bbbc601fb53a43020ae880daa92f7a292fdc8bc8c92929
Instruction ID: ef22f7d8836c1201a5c3027bba23f52e35126921d91dd67a37761a88c064ac29
Opcode Fuzzy Hash: 81bbc9496a7d415ea2bbbc601fb53a43020ae880daa92f7a292fdc8bc8c92929
Instruction Fuzzy Hash: 58216522A09751C5EA149F56A5022796270FB05BF0F580731EEBD9FBD2EE7CE4618344

Function 00007FF663C42C54 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C42D77

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 31b34ebacb9280de439ed9c8253ac234116577bf367a3ee86a8e065c3418b0aa
Instruction ID: b06552946999bea08f2d5630c79d758a875bbb6d1137c4003c5f09bfbd750062
Opcode Fuzzy Hash: 31b34ebacb9280de439ed9c8253ac234116577bf367a3ee86a8e065c3418b0aa
Instruction Fuzzy Hash: 09214922B14686A2EA08EB20D5663F86335FB84784F944431FB1D9B7A3CF3DE5A5C300

Function 00007FF663C8124C Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF663C81280

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction ID: 3007ea22d1739096d59df8673b37d50cacf744686acc5149fd9d0591461a0ec5
Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction Fuzzy Hash: 95114632A1C682D6F6509B58A4826796AF4FB40380F550535FAAEEF796DF3CFA108700

Function 00007FF663C6FC68 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C6F0A4: GetDlgItem.USER32 ref: 00007FF663C6F0E3
Part of subcall function 00007FF663C6F0A4: ShowWindow.USER32 ref: 00007FF663C6F109
Part of subcall function 00007FF663C6F0A4: SendMessageW.USER32 ref: 00007FF663C6F11E
Part of subcall function 00007FF663C6F0A4: SendMessageW.USER32 ref: 00007FF663C6F136
Part of subcall function 00007FF663C6F0A4: SendMessageW.USER32 ref: 00007FF663C6F157
Part of subcall function 00007FF663C6F0A4: SendMessageW.USER32 ref: 00007FF663C6F173
Part of subcall function 00007FF663C6F0A4: SendMessageW.USER32 ref: 00007FF663C6F1B6
Part of subcall function 00007FF663C6F0A4: SendMessageW.USER32 ref: 00007FF663C6F1D4
Part of subcall function 00007FF663C6F0A4: SendMessageW.USER32 ref: 00007FF663C6F1E8
Part of subcall function 00007FF663C6F0A4: SendMessageW.USER32 ref: 00007FF663C6F212
Part of subcall function 00007FF663C6F0A4: SendMessageW.USER32 ref: 00007FF663C6F22A

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6FD03

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: MessageSend$ItemShowWindow_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1587882848-0
Opcode ID: fa0b25d607c2a3d7c3132c1b972b51ca43b41eaf5a0b6b23d19ec92ece6d4f9e
Instruction ID: 3c4024169aaf622ad7fad136c7780369d3378f19acdd40fdf0219d98cf7d44d2
Opcode Fuzzy Hash: fa0b25d607c2a3d7c3132c1b972b51ca43b41eaf5a0b6b23d19ec92ece6d4f9e
Instruction Fuzzy Hash: 9401C4A2A2968986E9209B25D44737E6371EF8A794F501331FA9C9EBD6DE2CF0408604

Function 00007FF663C43AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C43B6C

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: dd833eb704b03c62a36fea145c0b0b4abee32047d89ef2e694e61e0216d7ee09
Instruction ID: 6c8d7d700dc26acb7846684497da636768a1a3c56d31bb9d9434d3c4a927313d
Opcode Fuzzy Hash: dd833eb704b03c62a36fea145c0b0b4abee32047d89ef2e694e61e0216d7ee09
Instruction Fuzzy Hash: 5001C462E18785C1EA119728E8462297371FBC97A4F405231FA9C5BBA6DF2CE0418704

Function 00007FF663C71558 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF663C71604: GetModuleHandleW.KERNEL32(?,?,?,00007FF663C71573,?,?,?,00007FF663C7192A), ref: 00007FF663C7162B

DloadProtectSection.DELAYIMP ref: 00007FF663C715C9

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction ID: bbaed5f4ce48fb08935afd968b10b1c11ff868d3e70ca0b070ee18b1836f2f19
Opcode Fuzzy Hash: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction Fuzzy Hash: D3118A60D09647C7FBA8BB19A863B702BB1AF54348F140435FD0DEE3A1EE3CB5959600

Function 00007FF663C53EC8 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C540BC: FindFirstFileW.KERNELBASE ref: 00007FF663C5410B
Part of subcall function 00007FF663C540BC: FindFirstFileW.KERNELBASE ref: 00007FF663C5415E
Part of subcall function 00007FF663C540BC: GetLastError.KERNEL32 ref: 00007FF663C541AF

FindClose.KERNELBASE(?,?,00000000,00007FF663C60811), ref: 00007FF663C53EFD

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction ID: 8189e6d0526242de498f46c8bdf4ccc5ddf4625f944626362ebea6b725649335
Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction Fuzzy Hash: 1BF0AF72908281C5EA109BB5A90227D37709B1ABB4F285378FA3D9B3C7CE28D4A58744

Function 00007FF663C52490 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF663C524A2

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction ID: 27202881d140f35fe1c1d35f4c31ad8302656edae15bc984dad94306fcf957bc
Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction Fuzzy Hash: 8ED0C922909541D2DD109635986203C22B0AF92736FA40720E63EE57E1CF2D95A6A311

Function 00007FF663C57FC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE ref: 00007FF663C57FD2

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction ID: a7f636b674f2431112691d7a91eb4913ae21b0135fb34857540b612e2e28a57c
Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction Fuzzy Hash: 78C08C20F05602C1DA089B26CCCA81813B4BB40B04B608034E10CD5260CE3CC5FAA345

Function 00007FF663C7FA04 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF663C7FA59

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction ID: 087e6aaedc7a51bbbbe8a1ac7294244ad58fe0485345ec6ebe08652127f55d10
Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction Fuzzy Hash: E8F0F955B09207C9FE546A6599972B916F09F95FA0F485430ED0EEE782ED2CB6814220

Function 00007FF663C7D94C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF663C7D98A

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction ID: cfdfe3725061bc8784a3731e7e65bd39a10eb957c2aea20503278c061309aec6
Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction Fuzzy Hash: D6F01C51F09247C5FF6467B1585B6B51AB05F847A0F085A30FD6EEE7C2DE2CF4818610

Function 00007FF663C520D0 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000001,00007FF663C5207E), ref: 00007FF663C520F6

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction ID: 7d6745f3a3c21524c9d64f29c701995e832d1cd30edc7d90b460e3f21a5ff297
Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction Fuzzy Hash: 16F0A432A08682D6FB248B30E05237A66B0EB14B78F484334F73C892D4CF28D8A59300

Non-executed Functions

Function 00007FF663C4C2F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 754fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C4DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF663C4CF4B), ref: 00007FF663C4DE27
Part of subcall function 00007FF663C4DE04: GetLastError.KERNEL32 ref: 00007FF663C4DE88
Part of subcall function 00007FF663C4DE04: CloseHandle.KERNEL32 ref: 00007FF663C4DE9B

wcscpy.LIBCMT ref: 00007FF663C4CBC8
wcscpy.LIBCMT ref: 00007FF663C4CBFE
CreateFileW.KERNEL32 ref: 00007FF663C4CC38
DeviceIoControl.KERNEL32 ref: 00007FF663C4CD01
CloseHandle.KERNEL32 ref: 00007FF663C4CD12
GetLastError.KERNEL32 ref: 00007FF663C4CD2E
RemoveDirectoryW.KERNEL32 ref: 00007FF663C4CD7D
DeleteFileW.KERNEL32 ref: 00007FF663C4CD88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4CE89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4CE8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4CE9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4CEA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4CEAD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4CEB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4CEB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4CEBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4CEC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4CECB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4CED1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4CED7

Strings

UNC\, xrefs: 00007FF663C4C53F, 00007FF663C4C55D
\??\, xrefs: 00007FF663C4C392, 00007FF663C4C3B8
SeRestorePrivilege, xrefs: 00007FF663C4C343
SeCreateSymbolicLinkPrivilege, xrefs: 00007FF663C4C34F

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2659423929-3508440684
Opcode ID: 133043678a36d966ba880c912d6856c5696a7c6c433e50d223eb52f27bd95b56
Instruction ID: 88a27eeac08d4850d3962f4e25af974d95c60c4823973a2395fcc82270096134
Opcode Fuzzy Hash: 133043678a36d966ba880c912d6856c5696a7c6c433e50d223eb52f27bd95b56
Instruction Fuzzy Hash: E6627E62F18742D5FB109B74D4462BD2771EB857A4F508231EA6DABBEADF38E185C300

Function 00007FF663C5F180 Relevance: 43.2, APIs: 22, Strings: 2, Instructions: 1205COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF663C60528

Part of subcall function 00007FF663C5AAE0: LoadStringW.USER32 ref: 00007FF663C5AB67
Part of subcall function 00007FF663C5AAE0: LoadStringW.USER32 ref: 00007FF663C5AB80

Part of subcall function 00007FF663C6B0DC: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF663C60429), ref: 00007FF663C6B110
Part of subcall function 00007FF663C6B0DC: SetLastError.KERNEL32 ref: 00007FF663C6B153

Part of subcall function 00007FF663C4129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF663C41396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C60490
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C60496
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6049C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C604F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C60532
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C60538

Strings

%s: %s, xrefs: 00007FF663C5FC11
%ls, xrefs: 00007FF663C5F3AC, 00007FF663C5F3FF

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
String ID: %ls$%s: %s
API String ID: 2539828978-2259941744
Opcode ID: 21568db1dfba7bc17a929e43de596192cc6caa6a0b887fe5390b464c99ea9649
Instruction ID: b8e56137dc61c53fccf40202e1aeed4aa00bdc5df779bc847424c466096f9267
Opcode Fuzzy Hash: 21568db1dfba7bc17a929e43de596192cc6caa6a0b887fe5390b464c99ea9649
Instruction Fuzzy Hash: A1B2BC72A1D682C2EA249726E4561BE6371FFC6790F104336F69DAB7D6DE6CE140C700

Function 00007FF663C82550 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF663C82C12
memcpy_s.LIBCMT ref: 00007FF663C835BF
memcpy_s.LIBCMT ref: 00007FF663C83666

Part of subcall function 00007FF663C838BC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF663C838EE

memcpy_s.LIBCMT ref: 00007FF663C8372F

Part of subcall function 00007FF663C7D008: _invalid_parameter_noinfo.LIBCMT ref: 00007FF663C7D02D

Strings

1#INF, xrefs: 00007FF663C83807
1#IND, xrefs: 00007FF663C837AA
1#QNAN, xrefs: 00007FF663C837E8
1#SNAN, xrefs: 00007FF663C837C9

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 1759834784-2761157908
Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction ID: 55ec678ddec31f8426ab298dfe3a38a3107834a7bc6aa8e4707e1007ed5b4602
Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction Fuzzy Hash: 1EB20976A08192DBE7258E69D8557FD3BB1FB44788F505135EA0ABBB84DF38E604CB00

Function 00007FF663C51A48 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 375fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF663C51A97
GetLongPathNameW.KERNEL32 ref: 00007FF663C51AE0
GetShortPathNameW.KERNEL32 ref: 00007FF663C51B21
GetShortPathNameW.KERNEL32 ref: 00007FF663C51B6A

Part of subcall function 00007FF663C613C4: CompareStringW.KERNEL32 ref: 00007FF663C613E3

MoveFileW.KERNEL32 ref: 00007FF663C51DFE
MoveFileW.KERNEL32 ref: 00007FF663C51E65

Part of subcall function 00007FF663C52134: CreateFileW.KERNEL32 ref: 00007FF663C5223C

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C51FE1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C51FE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C51FED

Strings

rtmp, xrefs: 00007FF663C51CF4, 00007FF663C51D03

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
String ID: rtmp
API String ID: 3587137053-870060881
Opcode ID: 3dcc5890c2e22e4a5feb2ae31f1f4ae3f3b67a4ee4a7a529d594af89e49fc87b
Instruction ID: 5fba71ae5abc472a32a914b76b7e8985c77736dbcc8323175bc7b299ab7ef989
Opcode Fuzzy Hash: 3dcc5890c2e22e4a5feb2ae31f1f4ae3f3b67a4ee4a7a529d594af89e49fc87b
Instruction Fuzzy Hash: 70F1B232A08B42D1EE10DF69D8461BD67B1EB85794F500131FA4DABBAADF3CE594C740

Function 00007FF663C55B60 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF663C55BC2
GetFullPathNameW.KERNEL32 ref: 00007FF663C55C0E
GetFullPathNameW.KERNEL32 ref: 00007FF663C55D2B
GetFullPathNameW.KERNEL32 ref: 00007FF663C55D70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C55EE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C55EE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C55EEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C55EF2

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: FullNamePath_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1693479884-0
Opcode ID: 35b10314ce3b8e4c64707b679fc70269f3b9094245ec8e91ba41ccecbc270bb7
Instruction ID: 13492ac9fd5f25f6e3f9bcfdecba4a304fa4b68c13c3b9bdebf5c16c123b436a
Opcode Fuzzy Hash: 35b10314ce3b8e4c64707b679fc70269f3b9094245ec8e91ba41ccecbc270bb7
Instruction Fuzzy Hash: D2A19F72F15A52C5FF108BB998465BC2371AB49BB4F144231EE2EABBD9DE7CE0518304

Function 00007FF663C73170 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF663C7318C
RtlCaptureContext.KERNEL32 ref: 00007FF663C731B9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF663C731D3
RtlVirtualUnwind.KERNEL32 ref: 00007FF663C73214
IsDebuggerPresent.KERNEL32 ref: 00007FF663C73268
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF663C73289
UnhandledExceptionFilter.KERNEL32 ref: 00007FF663C73294

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction ID: b1183a41846dde7867167a6af6cbee8f6343d2c649f5f6e068c8fc17231a3260
Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction Fuzzy Hash: 30314C72608B81DAEB608F60E8517EE7770FB84744F44443AEA4D9BB99DF38E648C710

Function 00007FF663C776D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF663C77751
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF663C77769
RtlVirtualUnwind.KERNEL32 ref: 00007FF663C777A4
IsDebuggerPresent.KERNEL32 ref: 00007FF663C777DD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF663C777E7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF663C777F2

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction ID: 2171bd2646c094400bc21daff720b62fa6c2c6609e9c9d7334e69368a349ed13
Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction Fuzzy Hash: 35315B32608B81D6EB608F25E8416AE77B4FB88B54F540135EE8D9BB99DF38D545CB00

Function 00007FF663C41AA4 Relevance: 6.3, APIs: 4, Instructions: 285COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C41EA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C41EAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C41EB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C41EBB

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 0ba95719d321a735ef2b7b1a6a31fdddb52efdcad4a1d4ff3b8078863e84414b
Instruction ID: a2bab026d1118274a495c30c9c53cda5e26af6601772e48f1c7fe6f66ef3539a
Opcode Fuzzy Hash: 0ba95719d321a735ef2b7b1a6a31fdddb52efdcad4a1d4ff3b8078863e84414b
Instruction Fuzzy Hash: B3B1AF62B15786C6EB109B69D8462AD2371FB857D4F405231FE8DABB9AEF3CE550C300

Function 00007FF663C7FA94 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF663C7FAC4

Part of subcall function 00007FF663C77934: GetCurrentProcess.KERNEL32(00007FF663C80CCD), ref: 00007FF663C77961

Strings

*?, xrefs: 00007FF663C7FAEB
., xrefs: 00007FF663C7FEE4

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction ID: 7f2455f2066b9d5e1a23347b432c2b50476ed2fca09d20d8d3b34de81da559bd
Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction Fuzzy Hash: AE51D462B15A95C9EB10DFA298564B977F4FF48BD8B444531EE1D6BB85DF3CE0428300

Function 00007FF663C82080 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00007FF663C8210B

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction ID: 401ab0603a3dace1a58be2304905d71571b02eacda919d91ebc19b1f1651a016
Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction Fuzzy Hash: CCD1B432B19286D7DB24CF15A19966ABBB1F798744F148134EB4EA7B44DF3CE941CB00

Function 00007FF663C4B6D8 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF663C4BA9D), ref: 00007FF663C4B6E5
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,00007FF663C4BA9D), ref: 00007FF663C4B719
LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF663C4BA9D), ref: 00007FF663C4B743

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction ID: 2415a0a905fccd71ab6efe82103a39fcc0abdcebad66335b32b17ae2b027d404
Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction Fuzzy Hash: 7D01FB7560CB42D2E7109F62B99157AA7B5FB89BC0F484034FA8E9BB49CF3CE5059B40

Function 00007FF663C7FCA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

., xrefs: 00007FF663C7FEE4

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction ID: e9c980e7aecf7ab9efb6b93e8b17ebf2eb660048dfba7f52a28bd51e768ed0ae
Opcode Fuzzy Hash: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction Fuzzy Hash: 2131EA22B1869589F7209A3698467B97AF1AB95BE4F148235FE5C9BBC5CE3CE5018300

Function 00007FF663C85AF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF663C85D45
RaiseException.KERNEL32 ref: 00007FF663C85D56

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction ID: 4b84b7898dd05ce57df7b872c955a7ffe03840fdf13d3585517311a34018cbfa
Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction Fuzzy Hash: 5EB14A73604B89CBEB15CF29C8463683BB0F744B58F158922EA5E9B7A8CF79D551CB00

Function 00007FF663C6A2CC Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF663C6A315
GetNumberFormatW.KERNEL32 ref: 00007FF663C6A371

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction ID: 089ba4fb6ceb74fc1ee0481bdfd9fa63e80bfe30e97b70fc66aab7326fe9db83
Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction Fuzzy Hash: 6F114A22A08B85E6E6618F51E4117AA7370FF88B88F844135EA4D9B758DF3CE245C744

Function 00007FF663C5126C Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C524C0: CreateFileW.KERNELBASE ref: 00007FF663C5259B
Part of subcall function 00007FF663C524C0: GetLastError.KERNEL32 ref: 00007FF663C525AE
Part of subcall function 00007FF663C524C0: CreateFileW.KERNEL32 ref: 00007FF663C5260E
Part of subcall function 00007FF663C524C0: GetLastError.KERNEL32 ref: 00007FF663C52617

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C515D0

Part of subcall function 00007FF663C53980: MoveFileW.KERNEL32 ref: 00007FF663C539BD
Part of subcall function 00007FF663C53980: MoveFileW.KERNEL32 ref: 00007FF663C53A34

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 34527147-0
Opcode ID: a3f7aeee67f5c6efee88f6f2c4f2f574ca9db3d7719bf1359f9a84a60e1a1e68
Instruction ID: 22f0f55972961c2e9e8b4cb053bd50f880dfc2b7e2ab787c069bff58d275dde1
Opcode Fuzzy Hash: a3f7aeee67f5c6efee88f6f2c4f2f574ca9db3d7719bf1359f9a84a60e1a1e68
Instruction Fuzzy Hash: 4891AC32B18A46C2EE10DF6AD45A2A96371FB54BD4F401032FE4DABB96DE38E565C340

Function 00007FF663C68DF4 Relevance: 1.7, APIs: 1, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C685E0: GetDC.USER32 ref: 00007FF663C685EC
Part of subcall function 00007FF663C685E0: GetDeviceCaps.GDI32 ref: 00007FF663C685FD
Part of subcall function 00007FF663C685E0: ReleaseDC.USER32 ref: 00007FF663C6860A

GetObjectW.GDI32 ref: 00007FF663C68E48

Part of subcall function 00007FF663C690B0: GetDC.USER32 ref: 00007FF663C690D9
Part of subcall function 00007FF663C690B0: GetObjectW.GDI32 ref: 00007FF663C69107
Part of subcall function 00007FF663C690B0: ReleaseDC.USER32 ref: 00007FF663C691BB

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID:
API String ID: 1061551593-0
Opcode ID: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction ID: a4a9f6c8e8e92aa334e411a0b8f7ae8f1979897e89bfa6c5e61e0efac705984f
Opcode Fuzzy Hash: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction Fuzzy Hash: C3811976B18B05C6EB20DF6AD441AAD7771FB89B88F004122EE0DABB64DF39D545C780

Function 00007FF663C551A4 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF663C551D5

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
Instruction ID: 0b8d62507626f08b33df646a83e0158b80a0ce8e25f89b0f3ed6b07a5e209726
Opcode Fuzzy Hash: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
Instruction Fuzzy Hash: C001D3B1A0C642CBE6648B10E85277A33B1FB98754F900234E65EAA7A4DF3CF5158B00

Function 00007FF663C78C1C Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF663C78DD3

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction ID: 5fec24d9435b978680b478fca2a33877a3e53becb662c530f20d0742b88438ff
Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction Fuzzy Hash: 7581C126A18343C6EAA88A258443E7D22B0EF65B44F541931FF09EFB95CF2DF846C741

Function 00007FF663C789A0 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF663C78B3A

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction ID: 9b93a65729fe5dd372af7d26e6e080c99a9de3b7bdff661f7c57904061b16b74
Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction Fuzzy Hash: 2171D321A0C382C6EB688A294447A7D27B0AF41B54F145531FF09FF7D6CE2DF8468741

Function 00007FF663C5C96C Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

gj, xrefs: 00007FF663C5C97B

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction ID: f8e8b2b253f9d01fb17b61a297eed451dd0b9bcf01f0b3a64d18a7b05f7aa4a9
Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction Fuzzy Hash: F851AF37A286908BD724CF25E401A9A73B5F388758F049126FF4A93B09CB39E945CF40

Function 00007FF663C7C838 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF663C7C874

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction ID: 5ddc250bb121efd66cdf46295104cd6198f3f0ef769c500674bbbacce377c6d9
Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction Fuzzy Hash: 7F41BF23714A59CAEA48CF2AE4552A973B5E758FD4B499036EE0DAB794DE3CE041C300

Function 00007FF663C80D20 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF663C80D24

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction ID: c5073a4358c51bea1463963538a866d3b4fbf88b0904d22411e2e69f6969f9f1
Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction Fuzzy Hash: 3FB09220E17B06C2EA082B516C8325422B4BF48701F948038E20CEA720DE3D21A54710

Function 00007FF663C63964 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction ID: 7a9ba7b107f1269a82839b913ad65337bd2a51b6f53fe3f8f2d48079680cf22a
Opcode Fuzzy Hash: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction Fuzzy Hash: CA8214B3A096C1C6D705CF6AD8152BC3BB1E756B88F19813AEA4E9B396DE3CD445C310

Function 00007FF663C476C0 Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction ID: f1f251f13d71d3da97cd4f7a5c4df9f21e842e26804be6d2faefe14f229abbba
Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction Fuzzy Hash: 5B627F9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314

Function 00007FF663C653F0 Relevance: .9, Instructions: 891COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction ID: d418b2774b14ed1d702a571aad15d9795bc92dc61a150dbe3fb4481e26eaa7eb
Opcode Fuzzy Hash: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction Fuzzy Hash: 968200B3A096C18AD724CF2AD4056FC7BB1E756B48F288136DA4E9B78ACE3DD445C710

Function 00007FF663C5BB90 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction ID: 4a0edb87823b3c2a6d2a4fde0760a37981d6546a3fdd1cff26f481afe3cc04b6
Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction Fuzzy Hash: 8A22E373B246508BD728CF25C89AE5E3766F798744B4B8228DF0ACB785DB39D505CB40

Function 00007FF663C64B98 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction ID: 3a25d8e0817ecdeb1922ae7525b5a8ab35446ca4de04c4481711ed9a86d11332
Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction Fuzzy Hash: EE32D072A08591CBE718CF25D551ABC37B1F795B48F118139EA4AABB89DF3CE860C740

Function 00007FF663C47288 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction ID: f3156bd53d6ae29acbe9261aade8dd1995df91d41a21682377e6052d0cb6c020
Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction Fuzzy Hash: 54C18CB7B281908FE350CF7AD400AAD3BB1F39878CB519125EF59A7B09D639E645CB40

Function 00007FF663C62D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction ID: 31e9494072eb08fccfbc32bfc3b35ace536ef66e77e68b0bf590430220578cea
Opcode Fuzzy Hash: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction Fuzzy Hash: B8A13873A08182C6EB15CA26D8567FD27B5EBA6744F454535FA8DAF786CE3CE841C300

Function 00007FF663C5AF18 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction ID: 7da276d6fc98a662da3adac599b00c8799de42fe29151862e05b7905466e4f4d
Opcode Fuzzy Hash: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction Fuzzy Hash: 7CC11777A291E08DE302CBB5A4248FD3FF1E71E30DB4A4151EFA666B4AD5285201DF60

Function 00007FF663C4A310 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction ID: 779bde60809a83dd3faf0abea4c739e202f79885b5b15cf0e2264bf73cca6613
Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction Fuzzy Hash: DF91FD62B1858196EB11DF29D8526FD6731FBA5788F441031FF4EAB74AEE38E646C300

Function 00007FF663C5B534 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction ID: b3458f86ed6a78ee58b1503802fe7ff6de489376cb18efcd2bbd98ddb1b3d9ae
Opcode Fuzzy Hash: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction Fuzzy Hash: 2B612232B191D189EB01CF7585014FD7FB1EB19794B868032EE9AAB746CE3CE116CB20

Function 00007FF663C621D0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction ID: 1db50593bfae32e166237a92759d81b3a93ba40f03c64e0860782d8a52e11752
Opcode Fuzzy Hash: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction Fuzzy Hash: 2651EF73B181518BE7288F29A426BBD3771FB90B58F444134EB4A9BB89DE3DE541CB00

Function 00007FF663C62AB0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction ID: 0473afb5c61732a7df6b41c16bcc65f768fabd4c52974d2d6d48c3240f3edba9
Opcode Fuzzy Hash: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction Fuzzy Hash: CB31F5B2A085818BD718CE16DA6227E77F1F795350F448139EB4ADBB82DE7CE051C700

Function 00007FF663C858E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20052d42666034676028b01d15d2cffdefdd266dec7e2dd0f98b8d8f07818195
Instruction ID: 8dfea3125441590e283411a67cfb026471e656146b6e6563621cac00353a8159
Opcode Fuzzy Hash: 20052d42666034676028b01d15d2cffdefdd266dec7e2dd0f98b8d8f07818195
Instruction Fuzzy Hash: 51F06272B18695CBDBA48F29A84362A77F0F7483C0F848039E68DC7B04DA3D94619F14

Function 00007FF663C73354 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction ID: a93eaaf8931c8d463f16f0657dcaeef06e5979d81971f85ba179150102906943
Opcode Fuzzy Hash: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction Fuzzy Hash: 3BA0026190CD42F0E6548B20ECA64702730FB50700B540031F40DFD6A4DF3CB502C341

Function 00007FF663C4D7D0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4D964

Strings

::$ATTRIBUTE_LIST, xrefs: 00007FF663C4D7FC
::$INDEX_ALLOCATION, xrefs: 00007FF663C4D83E
::$REPARSE_POINT, xrefs: 00007FF663C4D88B
::$FILE_NAME, xrefs: 00007FF663C4D833
:$TXF_DATA:$LOGGED_UTILITY_STREAM, xrefs: 00007FF663C4D875
::$DATA, xrefs: 00007FF663C4D812
:$I30:$INDEX_ALLOCATION, xrefs: 00007FF663C4D849
::$EA_INFORMATION, xrefs: 00007FF663C4D828
:$EFS:$LOGGED_UTILITY_STREAM, xrefs: 00007FF663C4D86A
::$EA, xrefs: 00007FF663C4D81D
::$INDEX_ROOT, xrefs: 00007FF663C4D854
::$LOGGED_UTILITY_STREAM, xrefs: 00007FF663C4D85F
::$BITMAP, xrefs: 00007FF663C4D807
::$OBJECT_ID, xrefs: 00007FF663C4D880

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
API String ID: 3668304517-727060406
Opcode ID: 036f0b4177b3bd4acf8be137eac01bdc749329f6e627dd372102b0288b9b6631
Instruction ID: 7d15abb73520655ec82a5da09f5e04448c66ca1b4825ba42ab69d5a79c46a250
Opcode Fuzzy Hash: 036f0b4177b3bd4acf8be137eac01bdc749329f6e627dd372102b0288b9b6631
Instruction Fuzzy Hash: 7741F936B05F01E9EB109F65E4463E933B5EB48798F400136EA5CABB69EF38E255C340

Function 00007FF663C72A10 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF663C72A26
GetModuleHandleW.KERNEL32 ref: 00007FF663C72A33
GetModuleHandleW.KERNEL32 ref: 00007FF663C72A48
GetProcAddress.KERNEL32 ref: 00007FF663C72A60
GetProcAddress.KERNEL32 ref: 00007FF663C72A73
CreateEventW.KERNEL32 ref: 00007FF663C72A9F
DeleteCriticalSection.KERNEL32 ref: 00007FF663C72AEB
CloseHandle.KERNEL32 ref: 00007FF663C72AFD

Strings

SleepConditionVariableCS, xrefs: 00007FF663C72A56
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF663C72A2C
kernel32.dll, xrefs: 00007FF663C72A41
WakeAllConditionVariable, xrefs: 00007FF663C72A66

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction ID: 69c6538ff8839b5748014229d84599caf9bf413ae32934f2e8fa9aa3580635ba
Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction Fuzzy Hash: 6B212A64E09B43D2FE649B61FC6797427B0EF48B90F441034E91EAABA5DF3CB6458300

Function 00007FF663C56A0C Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 444COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C570A6

Part of subcall function 00007FF663C42004: std::_Xinvalid_argument.LIBCPMT ref: 00007FF663C4200F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C570B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C570B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C570C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C570D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C570DC

Strings

DXGIDebug.dll, xrefs: 00007FF663C56A18
UNC, xrefs: 00007FF663C56BBF
\\?\, xrefs: 00007FF663C56A57, 00007FF663C56A66

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
String ID: DXGIDebug.dll$UNC$\\?\
API String ID: 4097890229-4048004291
Opcode ID: 56c6116d5534ddc5b4079fdeed8715d081fed04d0e9eb28ce3c332ce1ff1d7ed
Instruction ID: 2d8835ae5b945c9919a14734648f95364c5d5b19ed9a31887c269c6eeb965727
Opcode Fuzzy Hash: 56c6116d5534ddc5b4079fdeed8715d081fed04d0e9eb28ce3c332ce1ff1d7ed
Instruction Fuzzy Hash: 7B12D232B09B42C0EB10DB64D4461AD6371EB81BA8F505135EE5DABBEADF3CE5A5C340

Function 00007FF663C66E80 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF663C67E9B), ref: 00007FF663C67080
CreateStreamOnHGlobal.COMBASE ref: 00007FF663C670B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6717B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C67181
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C67187

Strings

</html>, xrefs: 00007FF663C66F72, 00007FF663C66F81
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00007FF663C66F2C, 00007FF663C66F3B
<html>, xrefs: 00007FF663C66F13
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00007FF663C66ED5, 00007FF663C66EE4

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2868844859-1533471033
Opcode ID: 31d7dc5894d1c9fa85229d9e77b41a308ef747ae09a8312bf4b27f03762016a6
Instruction ID: 5ec3977153a881e08c66a64c05aab9cca96227be37a856c2901b170d91428b19
Opcode Fuzzy Hash: 31d7dc5894d1c9fa85229d9e77b41a308ef747ae09a8312bf4b27f03762016a6
Instruction Fuzzy Hash: 3681AF62F18A46D5FB00DBB6D8422FD2371AF45798F400536EE1DAB79ADE38E50AC340

Function 00007FF663C7E650 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF663C7E7CD

Strings

NAN(IND), xrefs: 00007FF663C7E6FB
nan(snan), xrefs: 00007FF663C7E6F0
NAN(SNAN), xrefs: 00007FF663C7E6E5
NAN, xrefs: 00007FF663C7E6B1
nan, xrefs: 00007FF663C7E6B8
nan(ind), xrefs: 00007FF663C7E706
inf, xrefs: 00007FF663C7E6D6
INF, xrefs: 00007FF663C7E6C3

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction ID: 063ab641634b241306d59fc3e9c9f5bb9f60dcd0544aeb820029194e6b683623
Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction Fuzzy Hash: 0441AD72A09B45D9E710CF25E8427E937B4EB14398F01523AEE5CABB54DE3CE126C344

Function 00007FF663C6A440 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C4129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF663C41396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6A72F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6A735
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6A73B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6A741
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6A747

Strings

Software\WinRAR SFX, xrefs: 00007FF663C6A52B, 00007FF663C6A53A
GETPASSWORD1, xrefs: 00007FF663C6A773

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 3936042273-1315819833
Opcode ID: 100daac0e34165666268f43f408bc6971489d972bf40231fa28c726ba550acfe
Instruction ID: 57264c309fe0406c02f00d8e72337f4e3b76add1125f514570ecf25f1bc999d5
Opcode Fuzzy Hash: 100daac0e34165666268f43f408bc6971489d972bf40231fa28c726ba550acfe
Instruction Fuzzy Hash: E4B1ADA2F19B46C5FB009BA5D4462BC2372EB86398F404235EE5CBABD9DE3CE545C340

Function 00007FF663C6F390 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 00007FF663C6F3CF
GetClassNameW.USER32 ref: 00007FF663C6F3FC
GetWindowLongPtrW.USER32 ref: 00007FF663C6F41D
SendMessageW.USER32 ref: 00007FF663C6F437
GetObjectW.GDI32 ref: 00007FF663C6F452
SendMessageW.USER32 ref: 00007FF663C6F487
GetWindow.USER32 ref: 00007FF663C6F49E

Strings

STATIC, xrefs: 00007FF663C6F402

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Window$MessageSend$ClassLongNameObject
String ID: STATIC
API String ID: 3746718000-1882779555
Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction ID: ce335b26b3eb2f5c8e46f98e409da7bebbab4299a816278c993ae874fb4c189a
Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction Fuzzy Hash: 9F316125B0C642C7FA609B22A5567B963B1BF8ABD0F441430FD4DABB56DE3CE4068780

Function 00007FF663C5B9B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF663C5BA12
GetProcAddress.KERNEL32 ref: 00007FF663C5BA2D
GetCurrentProcessId.KERNEL32 ref: 00007FF663C5BACA

Part of subcall function 00007FF663C5DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF663C5DDDF

Strings

CryptUnprotectMemory, xrefs: 00007FF663C5BA1F
CryptUnprotectMemory failed, xrefs: 00007FF663C5BAC1
CryptProtectMemory, xrefs: 00007FF663C5BA08
CryptProtectMemory failed, xrefs: 00007FF663C5BA80
Crypt32.dll, xrefs: 00007FF663C5B9F0

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 2915667086-2207617598
Opcode ID: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
Instruction ID: 33f4fb90539b7dbf0df09c732a229f904286d62c8580dd769d71a805099cc238
Opcode Fuzzy Hash: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
Instruction Fuzzy Hash: 4F316674A0DB02D1FA148B56B9521792FB0FF44BA0F080135F84EAFBA9EE3CE6519300

Function 00007FF663C687D8 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C68DB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C68DC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C68DCE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C68DDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C68DE0

Strings

, xrefs: 00007FF663C68A55
, xrefs: 00007FF663C688BE

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $
API String ID: 3668304517-227171996
Opcode ID: 7957b1f7c23d8b99e8b957fd2374c8a83d1170bc9397b993806739df2f8497c6
Instruction ID: 32f8bbbb8c5aab965a3a27034545395aa8166cde9f83ac7e5c41d6beb9a3b37e
Opcode Fuzzy Hash: 7957b1f7c23d8b99e8b957fd2374c8a83d1170bc9397b993806739df2f8497c6
Instruction Fuzzy Hash: 57F1E162F15B46C0EE109B66D44A5BC2371AB46BA8F405231EF6DAB7D6DF7CE190C340

Function 00007FF663C757EC Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF663C7598A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF663C75CAD
abort.LIBCMT ref: 00007FF663C75CE1

Strings

csm, xrefs: 00007FF663C758D1
csm, xrefs: 00007FF663C75933
csm, xrefs: 00007FF663C759B1

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2940173790-393685449
Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction ID: 4578ccca475f90f028ef8fa68056a117cf6483215d750eba2f48bb900bfb5cca
Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction Fuzzy Hash: 88E18E72A18682CAE7209B35D4823AD7BB4FB45798F144135EE8DAB796CF38F485C700

Function 00007FF663C54F38 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C54E24: SysAllocString.OLEAUT32 ref: 00007FF663C54E5F

VariantClear.OLEAUT32 ref: 00007FF663C55125

Strings

ROOT\CIMV2, xrefs: 00007FF663C54F7B
Windows 10, xrefs: 00007FF663C5510A
SELECT * FROM Win32_OperatingSystem, xrefs: 00007FF663C55017
WQL, xrefs: 00007FF663C5502A
Name, xrefs: 00007FF663C550F9

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: AllocClearStringVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 1959693985-3505469590
Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction ID: f850edb524e651a2d66e67fd0f02db4bf16aa736982a124a7e916862058eb810
Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction Fuzzy Hash: 02713836A15B05D6EB20DF25E8815AD7BB0FB88B98F045132EA4E9BB64CF3DD654C300

Function 00007FF663C6AE90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 00007FF663C6AEAE

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ItemTextWindow
String ID: LICENSEDLG
API String ID: 2478532303-2177901306
Opcode ID: e29db3841e3cac596c2aa5df9f59b5580221106af80a371471668d29e16b4ce4
Instruction ID: 1909ff3b5148a22c4b91712e9a8a67e08659adf3fa4eb1cd156ba49e5573d6f3
Opcode Fuzzy Hash: e29db3841e3cac596c2aa5df9f59b5580221106af80a371471668d29e16b4ce4
Instruction Fuzzy Hash: 92418B65E0CA22C2FB109B62E85677922B0EF85F84F045034FA0EABB95CF3CE5468341

Function 00007FF663C772EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00007FF663C774F3,?,?,?,00007FF663C7525E,?,?,?,00007FF663C75219), ref: 00007FF663C77371
GetLastError.KERNEL32(?,?,00000000,00007FF663C774F3,?,?,?,00007FF663C7525E,?,?,?,00007FF663C75219), ref: 00007FF663C7737F
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF663C774F3,?,?,?,00007FF663C7525E,?,?,?,00007FF663C75219), ref: 00007FF663C773A9
FreeLibrary.KERNEL32(?,?,00000000,00007FF663C774F3,?,?,?,00007FF663C7525E,?,?,?,00007FF663C75219), ref: 00007FF663C773EF
GetProcAddress.KERNEL32(?,?,00000000,00007FF663C774F3,?,?,?,00007FF663C7525E,?,?,?,00007FF663C75219), ref: 00007FF663C773FB

Strings

api-ms-, xrefs: 00007FF663C77391

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction ID: 0e029ca2f5c570d4f84d2a96014db14b5fde919e212a9035cb0d8a163a1bbd79
Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction Fuzzy Hash: B631F221B1A746D1EE21AB06A80257927B4FF48BA0F194635FD1DAF790DF3CF0409710

Function 00007FF663C71604 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF663C71573,?,?,?,00007FF663C7192A), ref: 00007FF663C7162B
GetProcAddress.KERNEL32(?,?,?,00007FF663C71573,?,?,?,00007FF663C7192A), ref: 00007FF663C71648
GetProcAddress.KERNEL32(?,?,?,00007FF663C71573,?,?,?,00007FF663C7192A), ref: 00007FF663C71664

Strings

AcquireSRWLockExclusive, xrefs: 00007FF663C7163E
ReleaseSRWLockExclusive, xrefs: 00007FF663C71653
KERNEL32.DLL, xrefs: 00007FF663C71624

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction ID: 739da69e7e3924410cf780ec7bc9c46221f5343b4b2ea3cf96e81f5b185c0707
Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction Fuzzy Hash: ED115B20A0EB42D2FE759B08A9622741AB1EF08B94F5C5439ED1DAE790EE3CB5948600

Function 00007FF663C5ED24 Relevance: 9.1, APIs: 6, Instructions: 120timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C551A4: GetVersionExW.KERNEL32 ref: 00007FF663C551D5

FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF663C45AB4), ref: 00007FF663C5ED8C
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF663C45AB4), ref: 00007FF663C5ED98
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF663C45AB4), ref: 00007FF663C5EDA8
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF663C45AB4), ref: 00007FF663C5EDB6
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF663C45AB4), ref: 00007FF663C5EDC4
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF663C45AB4), ref: 00007FF663C5EE05

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction ID: c96e0c944d5edd911216ec91cc775008f3e8a918b311d1330dc41243da17b64d
Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction Fuzzy Hash: 52516AB2B14651CAEB14CFB9D4415AC37B1F748B98B60503AEE0DABB58DF38E556C700

Function 00007FF663C5F010 Relevance: 9.1, APIs: 6, Instructions: 80timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF663C5F074

Part of subcall function 00007FF663C551A4: GetVersionExW.KERNEL32 ref: 00007FF663C551D5

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF663C5F096
FileTimeToSystemTime.KERNEL32 ref: 00007FF663C5F0A2
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF663C5F0B2
SystemTimeToFileTime.KERNEL32 ref: 00007FF663C5F0C0
SystemTimeToFileTime.KERNEL32 ref: 00007FF663C5F0CE

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction ID: 4c653fff30b86cc6d796f12e2577c456ea58fad61482403ba202678caf75a440
Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction Fuzzy Hash: 9B313B66B10A51DEFB14CFB5D8811AC3770FB08758B54502AEE0EA7B58EF38E595C700

Function 00007FF663C57918 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C57C8C

Strings

sfx, xrefs: 00007FF663C579F3, 00007FF663C57A02
exe, xrefs: 00007FF663C579AF, 00007FF663C579BE
.rar, xrefs: 00007FF663C57969, 00007FF663C57978
rar, xrefs: 00007FF663C57A9B, 00007FF663C57AAA, 00007FF663C57B67, 00007FF663C57B7C

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .rar$exe$rar$sfx
API String ID: 3668304517-630704357
Opcode ID: 2fc35cbdd70ebaba8229e08f8487c40f3259a53efddd90ef8447a9b59f22dcea
Instruction ID: ced037a51e7dafd762a35b64eb889d34f3be1846dbb364dac57035b9c2a1ee45
Opcode Fuzzy Hash: 2fc35cbdd70ebaba8229e08f8487c40f3259a53efddd90ef8447a9b59f22dcea
Instruction Fuzzy Hash: F8A19E32A14B06D0EB049B25D8566BC2371EF40BA8F505231ED5DAB7EADF3CE5A1D340

Function 00007FF663C75CE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF663C75D58

Part of subcall function 00007FF663C75210: abort.LIBCMT ref: 00007FF663C75223

_CallSETranslator.LIBVCRUNTIME ref: 00007FF663C75DA3
abort.LIBCMT ref: 00007FF663C75FD1

Strings

RCC, xrefs: 00007FF663C75D74
MOC, xrefs: 00007FF663C75D6C

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction ID: e3b335fe9f0fa77929b73b1521a31a2c5f4ca4ba33f4212fca59c3d3d1280959
Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction Fuzzy Hash: 39918E73A18B91CAE710CB65E8812AD7BB0FB44788F144129FE4DABB55DF38E195CB00

Function 00007FF663C74F80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF663C74FAB
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF663C75040
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF663C72F5E), ref: 00007FF663C7508F

Strings

f, xrefs: 00007FF663C74FBE
csm, xrefs: 00007FF663C75026

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction ID: 20750b2ccfe06cba7f7a7f274e70dda1db157762cb0076a1df64dda2f2fbbaab
Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction Fuzzy Hash: BA519D32A19602D7EB14CB15E845A2937B5FB40B88F518034FE5AAB788DF79F941C740

Function 00007FF663C4CEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF663C4D03D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4D0D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4D0D7

Part of subcall function 00007FF663C4DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF663C4CF4B), ref: 00007FF663C4DE27
Part of subcall function 00007FF663C4DE04: GetLastError.KERNEL32 ref: 00007FF663C4DE88
Part of subcall function 00007FF663C4DE04: CloseHandle.KERNEL32 ref: 00007FF663C4DE9B

Strings

SeRestorePrivilege, xrefs: 00007FF663C4CF5E
SeSecurityPrivilege, xrefs: 00007FF663C4CF3F

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2102711378-639343689
Opcode ID: 6c1d5a5d5395298d9d74f6f4ee4569930d238c95dd33962f37e3fdaa32d53d1a
Instruction ID: 22d0b48629dd72951d193a8f312d0aaf053c689e9a9cf51e8f5af2e3e06e3ed1
Opcode Fuzzy Hash: 6c1d5a5d5395298d9d74f6f4ee4569930d238c95dd33962f37e3fdaa32d53d1a
Instruction Fuzzy Hash: 0C51BC62F18752D6FB10EB74D8462BD27B1AF847A4F000131EE1DAB7A7DE3CA485C200

Function 00007FF663C67B28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF663C67B6F
GetWindowRect.USER32 ref: 00007FF663C67BC0
ShowWindow.USER32 ref: 00007FF663C67C96
ShowWindow.USER32 ref: 00007FF663C67CC3

Strings

RarHtmlClassName, xrefs: 00007FF663C67C4B

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Window$Show$Rect
String ID: RarHtmlClassName
API String ID: 2396740005-1658105358
Opcode ID: 2556132b3669e06fd82c4edcfb73ee53acbff31ec70f5bbfd324b20a510b6699
Instruction ID: f640fe2ef11292c8c0b3dffad4ab0889bc2857e7f7c2cd6507559b4594ab9dac
Opcode Fuzzy Hash: 2556132b3669e06fd82c4edcfb73ee53acbff31ec70f5bbfd324b20a510b6699
Instruction Fuzzy Hash: 9B517322A09B42C6EB249B26E45637A77B0FF85B80F045535EE8E9BB55DF3CE0458700

Function 00007FF663C6FD0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 00007FF663C6FD43
SetEnvironmentVariableW.KERNEL32 ref: 00007FF663C6FDBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C6FE1B

Strings

sfxcmd, xrefs: 00007FF663C6FD3C
sfxpar, xrefs: 00007FF663C6FDB5

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
String ID: sfxcmd$sfxpar
API String ID: 3540648995-3493335439
Opcode ID: 65c4bc3e57016a74e8805048ea790c6f4a694eba210e4a6448e418b17608a108
Instruction ID: f3eb32f0ff80d4cce5c09ad3edb898191e160517dca093ed09042a14cba86d3b
Opcode Fuzzy Hash: 65c4bc3e57016a74e8805048ea790c6f4a694eba210e4a6448e418b17608a108
Instruction Fuzzy Hash: 03315032A14B15D8EB048F66E4861BC23B1EB45B98F140131EE5DAB7A9DE38E141C344

Function 00007FF663C6FED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00007FF663C6FF34, 00007FF663C6FF99
RENAMEDLG, xrefs: 00007FF663C6FF60

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction ID: e5a310d2eafb9b28958424c6a2cf7fa6cb9e9b125b9a9b40d03b4c8fd2b1f67b
Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction Fuzzy Hash: 85211925E0DB87D6FA108B66A8461B427F4BB8AB88F141036F94DEB765DE3CE184D341

Function 00007FF663C7BFB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF663C7BFD0
GetProcAddress.KERNEL32 ref: 00007FF663C7BFE6
FreeLibrary.KERNEL32 ref: 00007FF663C7C00B

Strings

mscoree.dll, xrefs: 00007FF663C7BFC7
CorExitProcess, xrefs: 00007FF663C7BFDF

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction ID: 5172c4db3bfecdf046084459f9fb104119d337c57c73a740c420a352cc301261
Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction Fuzzy Hash: 18F04F21A19B42D1EF548B11F45167967B0AF88B90F445035F94F9AB65DE3CE5848700

Function 00007FF663C845C0 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF663C84605

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction ID: 1efc48eca174523c20146a5a276b4d2af804a5898668f7f9c3abb01bd0e057a0
Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction Fuzzy Hash: 4181D262E18652E5F7209B6588426BD2FB8BB45B98F404135ED0EFB795CF3CA641C700

Function 00007FF663C53AF8 Relevance: 7.7, APIs: 5, Instructions: 164filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF663C53BBB
CreateFileW.KERNEL32 ref: 00007FF663C53C24
SetFileTime.KERNEL32 ref: 00007FF663C53CEC
CloseHandle.KERNEL32 ref: 00007FF663C53CF6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C53D2C

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2398171386-0
Opcode ID: 14fdea18fdcf977c61dce6ecaccc8aa35300d093acc7d7c713630260d7cb0aba
Instruction ID: a09d01961f473ec2cc04f4cd8b66194d55690b41ab21a34a31979453bacce6c6
Opcode Fuzzy Hash: 14fdea18fdcf977c61dce6ecaccc8aa35300d093acc7d7c713630260d7cb0aba
Instruction Fuzzy Hash: CF519172B14B42D9FB60CB75E8423BD73B1AB447A8F004635EE1DAB7D5EE3895658300

Function 00007FF663C83F34 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF663C84767), ref: 00007FF663C83F91
WideCharToMultiByte.KERNEL32 ref: 00007FF663C8406D
WriteFile.KERNEL32 ref: 00007FF663C84093
WriteFile.KERNEL32 ref: 00007FF663C840D2
GetLastError.KERNEL32 ref: 00007FF663C8410A

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction ID: 061453bb3ad6a648bf9e12942db6f00e3e0cc822bfa6dafb6545ba7de411f649
Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction Fuzzy Hash: A551E132A14A51D9E710CF25E8463AD3BB5FB44B98F048135EE4EABB98DF38D245C700

Function 00007FF663C71E00 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF663C54DF4), ref: 00007FF663C71E87
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF663C54DF4), ref: 00007FF663C71F09
SysAllocString.OLEAUT32 ref: 00007FF663C71F16

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 8c2dc27bb1e4af113538b7172bb6dd323e96cb8c94470b0dbd49c9d6f404eed7
Instruction ID: f7c0e16bcbc7c31b86c894c4f63b5cfab78d560379d7efb8869c33bb33ae4348
Opcode Fuzzy Hash: 8c2dc27bb1e4af113538b7172bb6dd323e96cb8c94470b0dbd49c9d6f404eed7
Instruction Fuzzy Hash: 8341C221A09746C9EB149F29986227922B4EF44BA4F144634FE6DEBBD6DF3CF1428300

Function 00007FF663C7F414 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF663C7F536

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction ID: 594d7f036e5f8ad002e6f210f4471dab4f8e863f5f89e072153d39dec305b6ba
Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction Fuzzy Hash: 1441E062B09A42DAFA559F22A84267562F5BF14BE0F094535EE1DEFB84EE3CF0008300

Function 00007FF663C856D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF663C856FF
_set_statfp.LIBCMT ref: 00007FF663C8571A
_set_statfp.LIBCMT ref: 00007FF663C85736
_set_statfp.LIBCMT ref: 00007FF663C85772

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction ID: 854ba60887c26e2fbf468c62ffad0f74f4cd0e63afb7e26c93c860e09def0737
Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction Fuzzy Hash: 7811BF36E3CA07E1F6540124E54337A0DB26F453A0E498234FA7FAE7D6CEFCAA404205

Function 00007FF663C7625C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF663C76286
abort.LIBCMT ref: 00007FF663C764EA

Strings

csm, xrefs: 00007FF663C7641A
csm, xrefs: 00007FF663C762AB

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction ID: cfb2422a270f52afd5ee9af6ac0e2eb52c9dd34c7a3eab4e88beb79b96dbfada
Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction Fuzzy Hash: 85716F72608A92C6D7608B25D45177D7BB0EB05B89F148135EE4CABB85CF3CF5A5C740

Function 00007FF663C780F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF663C7811B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF663C782ED

Strings

*, xrefs: 00007FF663C78221
, xrefs: 00007FF663C78276

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction ID: 853e92495b3fe92a070051fa6b8dd65d48300d3893e73a2e0bde0ff43bda1504
Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction Fuzzy Hash: 17512D7290CB42CAE7A49E28C44B7783BB1FB05B1AF151135EF4AA9399CF2DF481D605

Function 00007FF663C81758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF663C817CB
MultiByteToWideChar.KERNEL32 ref: 00007FF663C81894
GetStringTypeW.KERNEL32 ref: 00007FF663C818AE

Strings

$%s, xrefs: 00007FF663C8175A

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ByteCharMultiWide$StringType
String ID: $%s
API String ID: 3586891840-3791308623
Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction ID: ef494004097aa3e70a4f53d5fb563834b6b06f413808c60b50b4f1e73a8b6060
Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction Fuzzy Hash: FE419523B14B81DAEB618F25D8026A927F1FB44BA8F494635EE2D9B7C5DF3CE5418300

Function 00007FF663C766A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C75210: abort.LIBCMT ref: 00007FF663C75223

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF663C7674A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF663C76776

Strings

csm, xrefs: 00007FF663C76876

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction ID: 0b410b2c82ba939f4058c765a3593567e7d645e62d59d1675b262afacb09ae87
Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction Fuzzy Hash: BB511872619B42C7E620AB26A44226E77B4FB89B90F140535EE8D9BB55CF38F461CB00

Function 00007FF663C84360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF663C84446
WriteFile.KERNEL32 ref: 00007FF663C84479
GetLastError.KERNEL32 ref: 00007FF663C8449B

Strings

U, xrefs: 00007FF663C84424

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction ID: edbe6250c8b774a3a2fde5b0fe9a8797deb3d6ef1ad94eeab39e56b3ac42add2
Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction Fuzzy Hash: 1641C222618A81D2D7208F25E8457AA6BB4FB98794F804031FE4DDB794DF3CD545C700

Function 00007FF663C690B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF663C690D9
GetObjectW.GDI32 ref: 00007FF663C69107
ReleaseDC.USER32 ref: 00007FF663C691BB

Strings

, xrefs: 00007FF663C69153

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction ID: f5790c525d8ed1c39a7aec97136c22debe0fb5c188f485892584658badb2ffee
Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction Fuzzy Hash: 8F314A3660874287EB049F22B81962AB7B0FB89FD1F405435EE4A97B54CE3CE449DB80

Function 00007FF663C5E870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,00007FF663C6317F,?,?,00001000,00007FF663C4E51D), ref: 00007FF663C5E8BB
CreateSemaphoreW.KERNEL32(?,?,?,00007FF663C6317F,?,?,00001000,00007FF663C4E51D), ref: 00007FF663C5E8CB
CreateEventW.KERNEL32(?,?,?,00007FF663C6317F,?,?,00001000,00007FF663C4E51D), ref: 00007FF663C5E8E4

Strings

Thread pool initialization failed., xrefs: 00007FF663C5E900

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction ID: 3cb917d19ada58ad417cbe200afdd67c2f50de1d6f5e05c7d8997e09162b3763
Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction Fuzzy Hash: 8121C072A19602C6F7108F38E4467FD36B2EB88B18F188034DA4D8E395CF7E94558784

Function 00007FF663C685E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF663C685EC
GetDeviceCaps.GDI32 ref: 00007FF663C685FD
ReleaseDC.USER32 ref: 00007FF663C6860A

Strings

, xrefs: 00007FF663C68610

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction ID: 2a73987a500b5bd009d8e8f57680b024ae40b724d92f67f17641c82aa513f5b8
Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction Fuzzy Hash: 5EE0C220B08641C3FB0857B6B58A03A2271AB4CBD0F15A135EA1F8BB94CE3CD8C44300

Function 00007FF663C4D1A8 Relevance: 6.2, APIs: 4, Instructions: 238timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32 ref: 00007FF663C4D46C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4D554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4D55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4D560

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileTime
String ID:
API String ID: 1137671866-0
Opcode ID: 6a66750d7d38e285348c6a4672a5517d432b12a502a6a2b91e6f62eece89d76d
Instruction ID: 450b10290a5249f24bc8439da5629c520af385554997b9fbf6d9c4bd135d2372
Opcode Fuzzy Hash: 6a66750d7d38e285348c6a4672a5517d432b12a502a6a2b91e6f62eece89d76d
Instruction Fuzzy Hash: 75A19F62A18B82C1EB10EB65E8461AD6371FF85794F405131FA9DABBABDF3CE544C700

Function 00007FF663C60548 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF663C605FC
SetLastError.KERNEL32 ref: 00007FF663C60697

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 1845b41a9133370ecc17a109e2984b8a28ed2f66ab94446e4893adb0daee51a6
Instruction ID: 65c3eb1d0692d2f272415c45e4948a06581b347e3882220dbfb8e592020fedca
Opcode Fuzzy Hash: 1845b41a9133370ecc17a109e2984b8a28ed2f66ab94446e4893adb0daee51a6
Instruction Fuzzy Hash: 90517E72B18B46D5FB009B69D4562FC2371EB85B98F404131EE5CABBDAEE28E245C340

Function 00007FF663C69D90 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF663C69DBC
GetLastError.KERNEL32 ref: 00007FF663C69E08
CreateDirectoryW.KERNEL32 ref: 00007FF663C69F10
LocalFree.KERNEL32 ref: 00007FF663C69F20

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-0
Opcode ID: 5a43cb7f5a8bc2b697eb0b834037522765625dc86c8d5e2913923eaf6a834e49
Instruction ID: d56821ade7097bb0d57207f0259a2cd6130378dbceb3db66141af96bb1ad240d
Opcode Fuzzy Hash: 5a43cb7f5a8bc2b697eb0b834037522765625dc86c8d5e2913923eaf6a834e49
Instruction Fuzzy Hash: 97514932A18B42C6E7508F62E8457AA77B4FB85B84F501035FA4EABB54DF3CE505CB40

Function 00007FF663C7DB5C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF663C7DBAF
WideCharToMultiByte.KERNEL32 ref: 00007FF663C7DC81
GetLastError.KERNEL32 ref: 00007FF663C7DCA4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF663C7DCD6

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction ID: 8dc9fa5c5b312b62f3d24f0b8601037af6d68eb7a7fabeb3244eb71c801e9e96
Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction Fuzzy Hash: A8419132A08782C6FB619A14954A37977B0EF80B90F188131FE4DAEB99DF7CF8418600

Function 00007FF663C53980 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 00007FF663C539BD
MoveFileW.KERNEL32 ref: 00007FF663C53A34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C53AEB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C53AF1

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: FileMove_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3823481717-0
Opcode ID: 47dbf0decc8272d9a7ae459b130201949f9107b8ec80fb87a20ec63cf3da1f82
Instruction ID: 7d6fe332d1e242d1158e8e1017691ce60316b44a3b8546e501942fac478f0123
Opcode Fuzzy Hash: 47dbf0decc8272d9a7ae459b130201949f9107b8ec80fb87a20ec63cf3da1f82
Instruction Fuzzy Hash: 3B418F62F14B52C4FB00CBB5D8862AC2372BB84BA8B105235EE5DAAB99DF78D455C300

Function 00007FF663C80B78 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF663C7C45B), ref: 00007FF663C80B91
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF663C7C45B), ref: 00007FF663C80BF3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF663C7C45B), ref: 00007FF663C80C2D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF663C7C45B), ref: 00007FF663C80C57

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction ID: 08392d5d4851009e456b06cbd89baa8566a75c94b6ebf066178ac6421fcd6831
Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction Fuzzy Hash: 9F216431B19B61D1E6349F11A44102A7AB4FB54BD0F484134EE9EBBB94DF3CE5528304

Function 00007FF663C7D440 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF663C77F28,?,?,?,00007FF663C79D35), ref: 00007FF663C7D44A
SetLastError.KERNEL32(?,?,?,00007FF663C77F28,?,?,?,00007FF663C79D35), ref: 00007FF663C7D4B2
SetLastError.KERNEL32(?,?,?,00007FF663C77F28,?,?,?,00007FF663C79D35), ref: 00007FF663C7D4C8
abort.LIBCMT ref: 00007FF663C7D4CE

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction ID: 5183456647c5a1de9716166697dce380aa36144fada9156be63913f50f4f745b
Opcode Fuzzy Hash: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction Fuzzy Hash: 3D015A21B0D703C6FA68A721E65B53C62B1AF44790F144438FD1EEEBD6EE2CB8408200

Function 00007FF663C68590 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF663C68598
GetDeviceCaps.GDI32 ref: 00007FF663C685AE
GetDeviceCaps.GDI32 ref: 00007FF663C685C2
ReleaseDC.USER32 ref: 00007FF663C685D3

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction ID: 95a3062b28ec528043e14ae675b3f50a5618a239422584af6bb43849e6d39665
Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction Fuzzy Hash: EAE01260F09702C3FF085BB1686A13621B0AF49741F085439E81FEE354DE3CA585D710

Function 00007FF663C4E34C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C4E549

Strings

DXGIDebug.dll, xrefs: 00007FF663C4E35A

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: DXGIDebug.dll
API String ID: 3668304517-540382549
Opcode ID: ccd1447265edc33aa01f142b30f3ce6f8137da9441e4f52810f95d7140ffd7c2
Instruction ID: b9e0d058978aa422ec907d4fc363bc3a0ae61065fa494c022d7d16ca4408a836
Opcode Fuzzy Hash: ccd1447265edc33aa01f142b30f3ce6f8137da9441e4f52810f95d7140ffd7c2
Instruction Fuzzy Hash: A3719972A14B81C6EB14CB65E8453ADB3B8FB54794F044225EFAD5BB96DF78E061C300

Function 00007FF663C7E1F4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF663C7E237

Strings

gfff, xrefs: 00007FF663C7E362
e+000, xrefs: 00007FF663C7E2DF

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction ID: 240056b1bc46c8fb2e75a0402046557c6cb45443bd87317ab5cab2341acf9a0a
Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction Fuzzy Hash: B251E863B187C186E7658B3599423A96BB1EB41B90F08A231EE9CDBBD5CF2CF444C700

Function 00007FF663C59408 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF663C595A8: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF663C595E6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C5959C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF663C595A2

Strings

SIZE, xrefs: 00007FF663C59443

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$swprintf
String ID: SIZE
API String ID: 449872665-3243624926
Opcode ID: 1ee6a6b9fbbd6c3126f8bc5ffec1b6aa008f2877db1f13591811bbd6ed408201
Instruction ID: 667c817388698562abb9e04e8775133d36c5352a0c0a35cc93b4806ff3a741a0
Opcode Fuzzy Hash: 1ee6a6b9fbbd6c3126f8bc5ffec1b6aa008f2877db1f13591811bbd6ed408201
Instruction Fuzzy Hash: 7041A5B2A18646C5EA10DF18E4463BD6370EF957A4F904331FA9D9A7D6EE3CE550C700

Function 00007FF663C7C2C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF663C7C2EA
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF663C72CD5), ref: 00007FF663C7C30B

Strings

C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe, xrefs: 00007FF663C7C2F9

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\Request for Quotations and specifications.pdf.exe
API String ID: 3307058713-2416208979
Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction ID: 78d73fc4bbc8649ccd18298929f168b5106e4d675335ecb39f794cccb32b347f
Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction Fuzzy Hash: 70416A32E08A56CAEB549F25A4820BC77B4EF84B94B448036FE4EABB55DE3DF4418740

Function 00007FF663C59638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF663C596EA

Part of subcall function 00007FF663C60F68: WideCharToMultiByte.KERNEL32 ref: 00007FF663C60F99

Strings

$%s, xrefs: 00007FF663C596D7
@%s, xrefs: 00007FF663C596CE

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction ID: b896b4687be70f92b17dae9b484516d5a939e7f88ce4b9ad4e7c90cf082fb713
Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction Fuzzy Hash: 6F31E1B2B19A46D6EA508F26E4426E923B0FB44BD4F400032FE0DAB795EE3DE515C740

Function 00007FF663C70204 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00007FF663C7026F
DialogBoxParamW.USER32 ref: 00007FF663C702A4

Strings

GETPASSWORD1, xrefs: 00007FF663C7029D

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: DialogParamVisibleWindow
String ID: GETPASSWORD1
API String ID: 3157717868-3292211884
Opcode ID: 3689008c5ae976a1f3a242e5b1eb30ef9737a63c20829ff4d7ba5964f065d3d0
Instruction ID: 20dc51f89aa2d84e6beb6a629d8582ac5c5b8e3ee94f6945678d06bf5f59edfb
Opcode Fuzzy Hash: 3689008c5ae976a1f3a242e5b1eb30ef9737a63c20829ff4d7ba5964f065d3d0
Instruction Fuzzy Hash: F1314126E0D7D2C6EA008B62A8521B92B70BF45B84F485075FD8DBF76ACE2CF444D750

Function 00007FF663C7EB04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF663C7EB76
GetFileType.KERNEL32 ref: 00007FF663C7EB8C

Strings

@, xrefs: 00007FF663C7EBB7

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction ID: 0e7313351eddc10cc40f82485f9478c6daf083bea10eafc58bf297348905774b
Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction Fuzzy Hash: 78219523A09782C1EB608B3594961792E71EB45774F282335EA6FAB7D4CE3DF881C345

Function 00007FF663C74078 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF663C71D3E), ref: 00007FF663C740BC
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF663C71D3E), ref: 00007FF663C74102

Strings

csm, xrefs: 00007FF663C740EF

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction ID: 22953e5542aab47869f3065e87e22b5ed0720e4a4d65652ec43025cac7d759aa
Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction Fuzzy Hash: 0E113A32608B8182EB208B15E44126ABBF1FB88B94F184231EF8D5BB68DF3CD555CB00

Function 00007FF663C5EA5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF663C5E95F,?,?,?,00007FF663C5463A,?,?,?), ref: 00007FF663C5EA63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF663C5E95F,?,?,?,00007FF663C5463A,?,?,?), ref: 00007FF663C5EA6E

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF663C5EA78

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1211598281-2248577382
Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction ID: 64bbe3ed2f011db4a49e9275c5034477473962a8e066aece6ab6cdb731c8735b
Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction Fuzzy Hash: C5E01A21E19A12D2F610A7349C834B82630BF607B0F900330F03EE97E19F2CAA458300

Function 00007FF663C5A43C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF663C5A447
FindResourceW.KERNEL32 ref: 00007FF663C5A45D

Strings

RTL, xrefs: 00007FF663C5A453

Memory Dump Source

Source File: 00000000.00000002.2694586939.00007FF663C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663C40000, based on PE: true

Associated: 00000000.00000002.2694554690.00007FF663C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694655575.00007FF663C88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694696133.00007FF663CA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2694764032.00007FF663CAE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff663c40000_Request for Quotations and specifications.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction ID: 027b12d358cc577e2049cd9863447382dd6896fa545bfc4e8b284d54fd56197e
Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction Fuzzy Hash: 46D017A5F09702D2FF298BA2A44A7341A705B18B42F485038D80A9A390EF3D9298C750

Analysis Process: holy.exePID: 3032, Parent PID: 6764COMMON

Execution Graph

Execution Coverage:	36.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	40
Total number of Limit Nodes:	2

Executed Functions

Function 02B50B98 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1448803054.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_holy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3619a850fea918183041f934f0a1761247d8622a29f82733de83d3d3a54c264
Instruction ID: c3b17ca23b3a2344c0176eaa03ae5e711bfc30ab3cc487d49f1a607fb9f1e2a8
Opcode Fuzzy Hash: e3619a850fea918183041f934f0a1761247d8622a29f82733de83d3d3a54c264
Instruction Fuzzy Hash: A1510474E01218CFDB18DFAAD494AADFBF2BF89300F14946AD815AB354DB35A942CF14

Function 02B52D96 Relevance: 1.8, APIs: 1, Instructions: 322
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02B53067

Memory Dump Source

Source File: 00000002.00000002.1448803054.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_holy.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1a0a37c6b97886efbc57f785da64b14554a39177fb2b662e7f9714ba96befb24
Instruction ID: a8c2febaadb3bcc055c7ca651fd6c4b54daabb68f8cecc3c61f9316579c5ce7f
Opcode Fuzzy Hash: 1a0a37c6b97886efbc57f785da64b14554a39177fb2b662e7f9714ba96befb24
Instruction Fuzzy Hash: EFC12571D00229CFDB24DFA8C841BEEBBB1BF49304F0095A9D859BB250DB749A85CF95

Function 02B52DA0 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02B53067

Memory Dump Source

Source File: 00000002.00000002.1448803054.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_holy.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4f4a5209d1b7284bb66e36e08f5683b73c86514041df29decc4af3d33592349a
Instruction ID: 01a49f96051e9d934b5ad796689826886e363549c2c020045a8fc0e6bd097e79
Opcode Fuzzy Hash: 4f4a5209d1b7284bb66e36e08f5683b73c86514041df29decc4af3d33592349a
Instruction Fuzzy Hash: 0AC12671D002298FDB24DFA8C841BEEBBB1FF49304F0095A9D849BB240DB749A85CF95

Function 02B52A10 Relevance: 1.6, APIs: 1, Instructions: 120
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02B52AEB

Memory Dump Source

Source File: 00000002.00000002.1448803054.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_holy.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9dbcd818ad7450732883286329848b8856a5e11844fc176bc300e0cb974f8fbb
Instruction ID: 9fdff9908fc357a205bd651e5b94645ecfd379bb6b1a0dabb4773343ea9615c7
Opcode Fuzzy Hash: 9dbcd818ad7450732883286329848b8856a5e11844fc176bc300e0cb974f8fbb
Instruction Fuzzy Hash: AE41ABB5D012589FDF00CFA9D984ADEFBF1BB49310F14942AE818B7210C339A941CF64

Function 02B52A18 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02B52AEB

Memory Dump Source

Source File: 00000002.00000002.1448803054.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_holy.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0e85b0d68020cf254f1293997630e6557d2ec8badec1046f394d1b2735129050
Instruction ID: 544bdc7b99935a3d1b6503b3a94374d614add3cb63b0bdff69124fdfc5a16f0b
Opcode Fuzzy Hash: 0e85b0d68020cf254f1293997630e6557d2ec8badec1046f394d1b2735129050
Instruction Fuzzy Hash: EA419AB5D012589FDF10CFA9D984ADEFBF1BB49310F14942AE818BB210D735AA45CF54

Function 02B52B68 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02B52C22

Memory Dump Source

Source File: 00000002.00000002.1448803054.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_holy.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 31652348f276747cbc10dbb90dd3f227f36c8f26aa1d1e8a970feebddb6d6fff
Instruction ID: c466f35ce5e3fa8b7556ab4d2a8d3d8fa37dbeb6323cad6b20c5ed7250af3795
Opcode Fuzzy Hash: 31652348f276747cbc10dbb90dd3f227f36c8f26aa1d1e8a970feebddb6d6fff
Instruction Fuzzy Hash: 4441A9B9D00258DFCF10CFAAD981AEEFBB5BB49310F14942AE815B7210D739A945CF64

Function 02B52B70 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02B52C22

Memory Dump Source

Source File: 00000002.00000002.1448803054.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_holy.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 98ba517b389a8069e6b67c2c9025cc73b6b7428db6335d5634d6c9b108cacec7
Instruction ID: e7073ff457e73cbcbb928d2f3e238de1799931277e69acd243f69d558a9948f8
Opcode Fuzzy Hash: 98ba517b389a8069e6b67c2c9025cc73b6b7428db6335d5634d6c9b108cacec7
Instruction Fuzzy Hash: BD41BAB9D00258DFCF10CFAAD980AEEFBB1BB49310F14942AE815B7210C735A945CF64

Function 02B528F0 Relevance: 1.6, APIs: 1, Instructions: 104
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02B529A2

Memory Dump Source

Source File: 00000002.00000002.1448803054.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_holy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c55fcc5d4deaf095c6d753033697c8cd59ffd9e7fc98cccd5ede58ce2064338b
Instruction ID: 439bd9251a0df6938db2a17da6b28d02c4a57acac1c8e5ca1599b8a94dd7a6a4
Opcode Fuzzy Hash: c55fcc5d4deaf095c6d753033697c8cd59ffd9e7fc98cccd5ede58ce2064338b
Instruction Fuzzy Hash: 1A3196B9D00258DBCF10CFA9D980ADEFBB5BB49310F14A42AE815BB310D735A906CF65

Function 02B528F8 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02B529A2

Memory Dump Source

Source File: 00000002.00000002.1448803054.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_holy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ec35b1b82e31f2205a87b1ebb78f077899e8fbcb767bfb6ea687fd0b7aa30197
Instruction ID: 29e5f8dcdbd7fddd567abffcf53189b7c59f8f860f1ae3afa577b73f4cb18731
Opcode Fuzzy Hash: ec35b1b82e31f2205a87b1ebb78f077899e8fbcb767bfb6ea687fd0b7aa30197
Instruction Fuzzy Hash: 483197B9D00258DFCF10CFA9D980A9EFBB1BB49310F10A42AE815BB310D735A901CF55

Function 02B527C8 Relevance: 1.6, APIs: 1, Instructions: 97
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02B5287F

Memory Dump Source

Source File: 00000002.00000002.1448803054.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_holy.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 84c55340f5a728593e7c41a331337fb825c1c0ffd91eb6d603db60ddfb6f2ba0
Instruction ID: ba33c6325242172e9fe2c9645df36b47502870d304fa4d093968b7caedab79ea
Opcode Fuzzy Hash: 84c55340f5a728593e7c41a331337fb825c1c0ffd91eb6d603db60ddfb6f2ba0
Instruction Fuzzy Hash: D741CCB5D012589FDB14CFAAD985ADEBBF0BF49310F14802AE814B7200C739A945CF94

Function 02B527D0 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02B5287F

Memory Dump Source

Source File: 00000002.00000002.1448803054.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_holy.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 565a629aaa358c6486dc5b3fa95061aca38a5c0db14798209872c8e4650dd45c
Instruction ID: 0ed7a62c6f10c552b8c29dd6357a88199dbe6a6ed35073637dbaecb4294fdb83
Opcode Fuzzy Hash: 565a629aaa358c6486dc5b3fa95061aca38a5c0db14798209872c8e4650dd45c
Instruction Fuzzy Hash: 2231BBB5D012589FDB14CFAAD984AEEBBF0BF49314F14802AE818B7240C779A945CF94

Function 02B526D8 Relevance: 1.6, APIs: 1, Instructions: 76
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 02B5275E

Memory Dump Source

Source File: 00000002.00000002.1448803054.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_holy.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 522b8fbfc69b4f11bc4ac1cc5c192cd29af9b920217740a3ccfcee423d6ca9e7
Instruction ID: bad40877b100d289b931307dce3a73f757b5aaaeca6d9c11221dfec823dac816
Opcode Fuzzy Hash: 522b8fbfc69b4f11bc4ac1cc5c192cd29af9b920217740a3ccfcee423d6ca9e7
Instruction Fuzzy Hash: 7231CBB4D012189FDB14CFAAD981ADEFBB4FB49310F14946AE815B7300C739A902CFA4

Function 02B526E0 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 02B5275E

Memory Dump Source

Source File: 00000002.00000002.1448803054.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_holy.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 90ed2ad86f851d317cba3e23d4f9dae36316053c8852b73a62a6a85a462481e3
Instruction ID: d468fa7557bbb3ab27520209f6aa7bea41c57e970b5e6993b6946230e050b9c9
Opcode Fuzzy Hash: 90ed2ad86f851d317cba3e23d4f9dae36316053c8852b73a62a6a85a462481e3
Instruction Fuzzy Hash: 5431AAB8D012189FDB14CFAAD981A9EFBF5FB49310F14946AE815B7300C775A901CF94

Analysis Process: RegAsm.exePID: 2156, Parent PID: 3032COMMON

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	14.3%
Total number of Nodes:	28
Total number of Limit Nodes:	3

Executed Functions

Function 0173C168 Relevance: 2.0, APIs: 1, Instructions: 533
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2694255931.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1730000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b8a2432cc716718f7a89d43db25f9c4c9aef5b5f365565849abfdee4d20e89
Instruction ID: 44561553d1656485fe8f18ba6abf1f4f9cfacc9a6f56839d52693f3687492294
Opcode Fuzzy Hash: 62b8a2432cc716718f7a89d43db25f9c4c9aef5b5f365565849abfdee4d20e89
Instruction Fuzzy Hash: EC222974E002198FDB15DFA8C884B9DFBB2BF88310F1481AAD409AB356DB319D85CF91

Function 0173C76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 0173C8AE

Memory Dump Source

Source File: 00000003.00000002.2694255931.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1730000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31ef37e7c66c0e5cb7a0c0cd42a7738e79856acda59fc0626796636c989669c6
Instruction ID: 9f93e7ba916179c5014b7a15420c3ddd6e383537b2098b3426ac5b591265f29e
Opcode Fuzzy Hash: 31ef37e7c66c0e5cb7a0c0cd42a7738e79856acda59fc0626796636c989669c6
Instruction Fuzzy Hash: 27116A74E402098FDB19DBA8D484AEDFBB5FBC8315F14816AE944B7246D770EE41CB60

Function 0155D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2693352982.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_155d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6279fc8fb07f27c96a4746abb1786d9bbe8deef3c4124de97a2f725f1123d4b4
Instruction ID: c03019185415dd1c893bb3f166139a94d3157d33d5153911379f75423154cf02
Opcode Fuzzy Hash: 6279fc8fb07f27c96a4746abb1786d9bbe8deef3c4124de97a2f725f1123d4b4
Instruction Fuzzy Hash: C2212572504244DFDB51DF94D990B2ABBB1FB84314F24C96EDC094F262D336D447CA62

Function 0155D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2693352982.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_155d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15854bb05083a34f833f8da36963f6296be99c0ba0ee5350f372e4fbbd1750de
Instruction ID: a4eda91b66148dd783d7fb16ae40ced5f1f04a7c552854337b0b45aa559c0a12
Opcode Fuzzy Hash: 15854bb05083a34f833f8da36963f6296be99c0ba0ee5350f372e4fbbd1750de
Instruction Fuzzy Hash: 6311A976504280DFCB12CF54D990B19FBB1FB84218F28C6AADC494F666C33AD44ACB62

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Request for Quotations and specifications.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\6f92ea5c-18dd-4cc0-ab65-a44ed8a54101.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF51281f.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\d20d1d51-da8e-4dd3-9417-ec0e167c0487.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Windows Analysis Report
Request for Quotations and specifications.pdf.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre