Edit tour

Windows Analysis Report
30% Order payment-BLQuote_'PO#385995790.exe

Overview

General Information

Sample name:	30% Order payment-BLQuote_'PO#385995790.exe
Analysis ID:	1586938
MD5:	4fc60bc5d5efe63f44146bf1f1bece0d
SHA1:	b6dfd1478a58caca13ed041995840ea0250cff3e
SHA256:	aab63d73293024e2c135e11929702e1fd5c2497f5885f26e5a6dc6e6409c91d1
Tags:	exeuser-lowmal3
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected AsyncRAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

30% Order payment-BLQuote_'PO#385995790.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe" MD5: 4FC60BC5D5EFE63F44146BF1F1BECE0D)

teepees.exe (PID: 6804 cmdline: "C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe" MD5: 4FC60BC5D5EFE63F44146BF1F1BECE0D)

RegSvcs.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 3656 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

teepees.exe (PID: 1680 cmdline: "C:\Users\user\AppData\Local\exhilaratingly\teepees.exe" MD5: 4FC60BC5D5EFE63F44146BF1F1BECE0D)

RegSvcs.exe (PID: 320 cmdline: "C:\Users\user\AppData\Local\exhilaratingly\teepees.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "69.174.100.131", "Port": "6606", "Version": "0.5.8", "MutexName": "abkZfsCYRZhk", "Autorun": "false", "Group": "null"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9919:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x6711:$a3: get_ActivatePong 0x9b31:$a4: vmware 0x99a9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7460:$a6: get_SslClient
00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x6711:$str01: get_ActivatePong 0x7460:$str02: get_SslClient 0x747c:$str03: get_TcpClient 0x5d1d:$str04: get_SendSync 0x5d6d:$str05: get_IsConnected 0x649c:$str06: set_UseShellExecute 0x9c4f:$str07: Pastebin 0x9cd1:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x9a29:$str10: timeout 3 > NUL 0x9919:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x99a9:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000007.00000002.2377949969.00000000003B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000007.00000002.2377949969.00000000003B2000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x97ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9919:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x6711:$a3: get_ActivatePong 0x9b31:$a4: vmware 0x99a9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7460:$a6: get_SslClient
00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x6711:$str01: get_ActivatePong 0x7460:$str02: get_SslClient 0x747c:$str03: get_TcpClient 0x5d1d:$str04: get_SendSync 0x5d6d:$str05: get_IsConnected 0x649c:$str06: set_UseShellExecute 0x9c4f:$str07: Pastebin 0x9cd1:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x9a29:$str10: timeout 3 > NUL 0x9919:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x99a9:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: teepees.exe PID: 6804	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: teepees.exe PID: 6804	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: teepees.exe PID: 1680	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: teepees.exe PID: 1680	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 320	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 320	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7c11:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.teepees.exe.1b90000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.2.teepees.exe.1b90000.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7b19:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x4911:$a3: get_ActivatePong 0x7d31:$a4: vmware 0x7ba9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5660:$a6: get_SslClient
2.2.teepees.exe.1b90000.1.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x4911:$str01: get_ActivatePong 0x5660:$str02: get_SslClient 0x567c:$str03: get_TcpClient 0x3f1d:$str04: get_SendSync 0x3f6d:$str05: get_IsConnected 0x469c:$str06: set_UseShellExecute 0x7e4f:$str07: Pastebin 0x7ed1:$str08: Select * from AntivirusProduct 0x8e38:$str09: Stub.exe 0x8ec8:$str09: Stub.exe 0x7c29:$str10: timeout 3 > NUL 0x7b19:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x7ba9:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
2.2.teepees.exe.1b90000.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7bab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.RegSvcs.exe.3b0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.RegSvcs.exe.3b0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.RegSvcs.exe.3b0000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9919:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x6711:$a3: get_ActivatePong 0x9b31:$a4: vmware 0x99a9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7460:$a6: get_SslClient
7.2.RegSvcs.exe.3b0000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x6711:$str01: get_ActivatePong 0x7460:$str02: get_SslClient 0x747c:$str03: get_TcpClient 0x5d1d:$str04: get_SendSync 0x5d6d:$str05: get_IsConnected 0x649c:$str06: set_UseShellExecute 0x9c4f:$str07: Pastebin 0x9cd1:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x9a29:$str10: timeout 3 > NUL 0x9919:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x99a9:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
7.2.RegSvcs.exe.3b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
6.2.teepees.exe.3620000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.teepees.exe.3620000.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7b19:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x4911:$a3: get_ActivatePong 0x7d31:$a4: vmware 0x7ba9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5660:$a6: get_SslClient
6.2.teepees.exe.3620000.1.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x4911:$str01: get_ActivatePong 0x5660:$str02: get_SslClient 0x567c:$str03: get_TcpClient 0x3f1d:$str04: get_SendSync 0x3f6d:$str05: get_IsConnected 0x469c:$str06: set_UseShellExecute 0x7e4f:$str07: Pastebin 0x7ed1:$str08: Select * from AntivirusProduct 0x8e38:$str09: Stub.exe 0x8ec8:$str09: Stub.exe 0x7c29:$str10: timeout 3 > NUL 0x7b19:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x7ba9:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
6.2.teepees.exe.3620000.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7bab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
6.2.teepees.exe.3620000.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.teepees.exe.3620000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.teepees.exe.3620000.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9919:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x6711:$a3: get_ActivatePong 0x9b31:$a4: vmware 0x99a9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7460:$a6: get_SslClient
6.2.teepees.exe.3620000.1.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x6711:$str01: get_ActivatePong 0x7460:$str02: get_SslClient 0x747c:$str03: get_TcpClient 0x5d1d:$str04: get_SendSync 0x5d6d:$str05: get_IsConnected 0x649c:$str06: set_UseShellExecute 0x9c4f:$str07: Pastebin 0x9cd1:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x9a29:$str10: timeout 3 > NUL 0x9919:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x99a9:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
6.2.teepees.exe.3620000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
2.2.teepees.exe.1b90000.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.2.teepees.exe.1b90000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.teepees.exe.1b90000.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9919:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x6711:$a3: get_ActivatePong 0x9b31:$a4: vmware 0x99a9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7460:$a6: get_SslClient
2.2.teepees.exe.1b90000.1.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x6711:$str01: get_ActivatePong 0x7460:$str02: get_SslClient 0x747c:$str03: get_TcpClient 0x5d1d:$str04: get_SendSync 0x5d6d:$str05: get_IsConnected 0x649c:$str06: set_UseShellExecute 0x9c4f:$str07: Pastebin 0x9cd1:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x9a29:$str10: timeout 3 > NUL 0x9919:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x99a9:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
2.2.teepees.exe.1b90000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 18 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs" , ProcessId: 3656, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs" , ProcessId: 3656, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe, ProcessId: 6804, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.2378581639.0000000002611000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "69.174.100.131", "Port": "6606", "Version": "0.5.8", "MutexName": "abkZfsCYRZhk", "Autorun": "false", "Group": "null"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: 30% Order payment-BLQuote_'PO#385995790.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 30% Order payment-BLQuote_'PO#385995790.exe

Joe Sandbox ML: detected

Source: 30% Order payment-BLQuote_'PO#385995790.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: teepees.exe, 00000002.00000003.2114125576.0000000003880000.00000004.00001000.00020000.00000000.sdmp, teepees.exe, 00000002.00000003.2114007221.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, teepees.exe, 00000006.00000003.2261765351.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, teepees.exe, 00000006.00000003.2261986687.0000000003C90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: teepees.exe, 00000002.00000003.2114125576.0000000003880000.00000004.00001000.00020000.00000000.sdmp, teepees.exe, 00000002.00000003.2114007221.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, teepees.exe, 00000006.00000003.2261765351.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, teepees.exe, 00000006.00000003.2261986687.0000000003C90000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_0030DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0030DBBE
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002DC2A2 FindFirstFileExW,	0_2_002DC2A2
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_003168EE FindFirstFileW,FindClose,	0_2_003168EE
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_0031698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0031698F
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_0030D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0030D076
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_0030D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0030D3A9
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_00319642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00319642
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_0031979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0031979D
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_00319B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00319B2B
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_00315C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00315C97
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_001EDBBE
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001BC2A2 FindFirstFileExW,	2_2_001BC2A2
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001F68EE FindFirstFileW,FindClose,	2_2_001F68EE
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_001F698F
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_001ED076
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_001ED3A9
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_001F9642
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_001F979D
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_001F9B2B
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001F5C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_001F5C97

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 7.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.teepees.exe.3620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.teepees.exe.1b90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.5:49716 -> 69.174.100.131:6606

Source: global traffic	TCP traffic: 192.168.2.5:49662 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:62250 -> 162.159.36.2:53

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: unknown

DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_0031CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0031CE44

Source: global traffic

DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 2.2.teepees.exe.1b90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.teepees.exe.3620000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.teepees.exe.3620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.teepees.exe.1b90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2377949969.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: teepees.exe PID: 6804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: teepees.exe PID: 1680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 320, type: MEMORYSTR

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_0031EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0031EAFF

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_0031ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_0031ED6A
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_001FED6A

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

0_2_0031EAFF

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_0030AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0030AA57

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_00339576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00339576
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_00219576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_00219576

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.teepees.exe.1b90000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 2.2.teepees.exe.1b90000.1.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 2.2.teepees.exe.1b90000.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 7.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 6.2.teepees.exe.3620000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 6.2.teepees.exe.3620000.1.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 6.2.teepees.exe.3620000.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 6.2.teepees.exe.3620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 6.2.teepees.exe.3620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 6.2.teepees.exe.3620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.teepees.exe.1b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 2.2.teepees.exe.1b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 2.2.teepees.exe.1b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000002.2377949969.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 320, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: 30% Order payment-BLQuote_'PO#385995790.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 30% Order payment-BLQuote_'PO#385995790.exe, 00000000.00000003.2082753134.0000000003E41000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2ffeda0c-a
Source: 30% Order payment-BLQuote_'PO#385995790.exe, 00000000.00000003.2082753134.0000000003E41000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cae3b95d-5
Source: 30% Order payment-BLQuote_'PO#385995790.exe, 00000000.00000000.2046922954.0000000000362000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d6bf2f76-4
Source: 30% Order payment-BLQuote_'PO#385995790.exe, 00000000.00000000.2046922954.0000000000362000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5790bec9-1
Source: teepees.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: teepees.exe, 00000002.00000000.2083231964.0000000000242000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cb81c864-6
Source: teepees.exe, 00000002.00000000.2083231964.0000000000242000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2caf09f6-f
Source: teepees.exe, 00000006.00000000.2234220291.0000000000242000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e5c415bc-4
Source: teepees.exe, 00000006.00000000.2234220291.0000000000242000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_66c0a307-b
Source: 30% Order payment-BLQuote_'PO#385995790.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e18f499c-5
Source: 30% Order payment-BLQuote_'PO#385995790.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4b668627-1
Source: teepees.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e212fa84-6
Source: teepees.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1f5f8d6a-a

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 30% Order payment-BLQuote_'PO#385995790.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_0030D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0030D5EB

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_00301201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00301201

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_0030E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_0030E8F6
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_001EE8F6

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002ABF40	0_2_002ABF40
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002A8060	0_2_002A8060
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_00312046	0_2_00312046
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_00308298	0_2_00308298
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002DE4FF	0_2_002DE4FF
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002D676B	0_2_002D676B
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_00334873	0_2_00334873
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002CCAA0	0_2_002CCAA0
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002ACAF0	0_2_002ACAF0
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002BCC39	0_2_002BCC39
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002D6DD9	0_2_002D6DD9
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002BD064	0_2_002BD064
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002BB119	0_2_002BB119
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002A91C0	0_2_002A91C0
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002C1394	0_2_002C1394
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002C1706	0_2_002C1706
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002C781B	0_2_002C781B
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002A7920	0_2_002A7920
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002B997D	0_2_002B997D
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002C19B0	0_2_002C19B0
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002C7A4A	0_2_002C7A4A
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002C1C77	0_2_002C1C77
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002C7CA7	0_2_002C7CA7
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_0032BE44	0_2_0032BE44
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002D9EEE	0_2_002D9EEE
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002C1F32	0_2_002C1F32
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_016AB030	0_2_016AB030
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_0018BF40	2_2_0018BF40
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001F2046	2_2_001F2046
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_00188060	2_2_00188060
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001E8298	2_2_001E8298
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001BE4FF	2_2_001BE4FF
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001B676B	2_2_001B676B
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_00214873	2_2_00214873
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001ACAA0	2_2_001ACAA0
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_0018CAF0	2_2_0018CAF0
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_0019CC39	2_2_0019CC39
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001B6DD9	2_2_001B6DD9
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_0019B119	2_2_0019B119
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001891C0	2_2_001891C0
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001A1394	2_2_001A1394
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001A1706	2_2_001A1706
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001A781B	2_2_001A781B
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_00187920	2_2_00187920
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_0019997D	2_2_0019997D
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001A19B0	2_2_001A19B0
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001A7A4A	2_2_001A7A4A
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001A1C77	2_2_001A1C77
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001A7CA7	2_2_001A7CA7
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_0020BE44	2_2_0020BE44
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001B9EEE	2_2_001B9EEE
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001A1F32	2_2_001A1F32
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_00F7A160	2_2_00F7A160
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 6_2_012FA620	6_2_012FA620

Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: String function: 0019F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: String function: 001A0A30 appears 46 times
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: String function: 00189CB3 appears 31 times
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: String function: 002BF9F2 appears 40 times
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: String function: 002C0A30 appears 46 times
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: String function: 002A9CB3 appears 31 times

Source: 30% Order payment-BLQuote_'PO#385995790.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.teepees.exe.1b90000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 2.2.teepees.exe.1b90000.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 2.2.teepees.exe.1b90000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 7.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 6.2.teepees.exe.3620000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 6.2.teepees.exe.3620000.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 6.2.teepees.exe.3620000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 6.2.teepees.exe.3620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 6.2.teepees.exe.3620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 6.2.teepees.exe.3620000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.teepees.exe.1b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 2.2.teepees.exe.1b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 2.2.teepees.exe.1b90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000002.2377949969.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: RegSvcs.exe PID: 320, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@10/7@1/1

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_003137B5 GetLastError,FormatMessageW,

0_2_003137B5

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_003010BF AdjustTokenPrivileges,CloseHandle,	0_2_003010BF
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_003016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_003016C3
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001E10BF AdjustTokenPrivileges,CloseHandle,	2_2_001E10BF
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_001E16C3

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_003151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003151CD

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_0032A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0032A67C

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_0031648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0031648E

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_002A42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002A42A2

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

File created: C:\Users\user\AppData\Local\exhilaratingly

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\abkZfsCYRZhk

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

File created: C:\Users\user\AppData\Local\Temp\autE8F7.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs"

Source: 30% Order payment-BLQuote_'PO#385995790.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 30% Order payment-BLQuote_'PO#385995790.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

File read: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe "C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe"
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Process created: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe "C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe"
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe "C:\Users\user\AppData\Local\exhilaratingly\teepees.exe"
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\exhilaratingly\teepees.exe"
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Process created: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe "C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe "C:\Users\user\AppData\Local\exhilaratingly\teepees.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\exhilaratingly\teepees.exe"	Jump to behavior

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: 30% Order payment-BLQuote_'PO#385995790.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 30% Order payment-BLQuote_'PO#385995790.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 30% Order payment-BLQuote_'PO#385995790.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 30% Order payment-BLQuote_'PO#385995790.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 30% Order payment-BLQuote_'PO#385995790.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 30% Order payment-BLQuote_'PO#385995790.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 30% Order payment-BLQuote_'PO#385995790.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: teepees.exe, 00000002.00000003.2114125576.0000000003880000.00000004.00001000.00020000.00000000.sdmp, teepees.exe, 00000002.00000003.2114007221.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, teepees.exe, 00000006.00000003.2261765351.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, teepees.exe, 00000006.00000003.2261986687.0000000003C90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: teepees.exe, 00000002.00000003.2114125576.0000000003880000.00000004.00001000.00020000.00000000.sdmp, teepees.exe, 00000002.00000003.2114007221.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, teepees.exe, 00000006.00000003.2261765351.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, teepees.exe, 00000006.00000003.2261986687.0000000003C90000.00000004.00001000.00020000.00000000.sdmp

Source: 30% Order payment-BLQuote_'PO#385995790.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 30% Order payment-BLQuote_'PO#385995790.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 30% Order payment-BLQuote_'PO#385995790.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 30% Order payment-BLQuote_'PO#385995790.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 30% Order payment-BLQuote_'PO#385995790.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_002A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002A42DE

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002C0A76 push ecx; ret	0_2_002C0A89
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_016ABAB8 push es; ret	0_2_016ABABA
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001A0A76 push ecx; ret	2_2_001A0A89

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

File created: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 2.2.teepees.exe.1b90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.teepees.exe.3620000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.teepees.exe.3620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.teepees.exe.1b90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2377949969.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: teepees.exe PID: 6804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: teepees.exe PID: 1680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 320, type: MEMORYSTR

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs

Jump to behavior

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_002BF98E
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_00331C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00331C41
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_0019F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_0019F98E
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_00211C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00211C41

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: teepees.exe PID: 6804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: teepees.exe PID: 1680, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 2.2.teepees.exe.1b90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.teepees.exe.3620000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.teepees.exe.3620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.teepees.exe.1b90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2377949969.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: teepees.exe PID: 6804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: teepees.exe PID: 1680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 320, type: MEMORYSTR

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-96899

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	API/Special instruction interceptor: Address: F79D84
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	API/Special instruction interceptor: Address: 12FA244

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: teepees.exe, 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, teepees.exe, 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2377949969.00000000003B2000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	API coverage: 3.9 %
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	API coverage: 4.1 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_0030DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0030DBBE
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002DC2A2 FindFirstFileExW,	0_2_002DC2A2
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_003168EE FindFirstFileW,FindClose,	0_2_003168EE
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_0031698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0031698F
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_0030D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0030D076
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_0030D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0030D3A9
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_00319642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00319642
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_0031979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0031979D
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_00319B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00319B2B
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_00315C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00315C97
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_001EDBBE
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001BC2A2 FindFirstFileExW,	2_2_001BC2A2
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001F68EE FindFirstFileW,FindClose,	2_2_001F68EE
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_001F698F
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_001ED076
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_001ED3A9
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_001F9642
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_001F979D
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_001F9B2B
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001F5C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_001F5C97

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_002A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002A42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: wscript.exe, 00000005.00000002.2237292949.000001744D535000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Roami
Source: wscript.exe, 00000005.00000002.2237292949.000001744D535000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RegSvcs.exe, 00000007.00000002.2377949969.00000000003B2000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000003.00000002.3288571423.0000000001618000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_0031EAA2 BlockInput,

0_2_0031EAA2

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_002D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_002D2622

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_002A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002A42DE

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002C4CE8 mov eax, dword ptr fs:[00000030h]	0_2_002C4CE8
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_016AAF20 mov eax, dword ptr fs:[00000030h]	0_2_016AAF20
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_016AAEC0 mov eax, dword ptr fs:[00000030h]	0_2_016AAEC0
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_016A9870 mov eax, dword ptr fs:[00000030h]	0_2_016A9870
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001A4CE8 mov eax, dword ptr fs:[00000030h]	2_2_001A4CE8
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_00F7A050 mov eax, dword ptr fs:[00000030h]	2_2_00F7A050
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_00F789A0 mov eax, dword ptr fs:[00000030h]	2_2_00F789A0
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_00F79FF0 mov eax, dword ptr fs:[00000030h]	2_2_00F79FF0
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 6_2_012FA4B0 mov eax, dword ptr fs:[00000030h]	6_2_012FA4B0
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 6_2_012FA510 mov eax, dword ptr fs:[00000030h]	6_2_012FA510
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 6_2_012F8E60 mov eax, dword ptr fs:[00000030h]	6_2_012F8E60

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_00300B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00300B62

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002D2622
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002C083F
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002C09D5 SetUnhandledExceptionFilter,	0_2_002C09D5
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_002C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_002C0C21
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_001B2622
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_001A083F
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001A09D5 SetUnhandledExceptionFilter,	2_2_001A09D5
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_001A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_001A0C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11E3008			Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 58A008			Jump to behavior

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

0_2_00301201

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_002E2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_002E2BA5

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_0030B226 SendInput,keybd_event,

0_2_0030B226

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_003222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_003222DA

Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe "C:\Users\user\AppData\Local\exhilaratingly\teepees.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\exhilaratingly\teepees.exe"	Jump to behavior

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

0_2_00300B62

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_00301663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00301663

Source: 30% Order payment-BLQuote_'PO#385995790.exe, teepees.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 30% Order payment-BLQuote_'PO#385995790.exe, teepees.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_002C0698 cpuid

0_2_002C0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_00318195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00318195

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_002FD27A GetUserNameW,

0_2_002FD27A

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_002DB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_002DB952

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Code function: 0_2_002A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002A42DE

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 2.2.teepees.exe.1b90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.teepees.exe.3620000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.teepees.exe.3620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.teepees.exe.1b90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2377949969.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: teepees.exe PID: 6804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: teepees.exe PID: 1680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 320, type: MEMORYSTR

Source: teepees.exe, 00000002.00000003.2084553527.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, teepees.exe, 00000002.00000002.2116563469.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, teepees.exe, 00000002.00000003.2084395440.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, teepees.exe, 00000006.00000002.2266640292.00000000011FE000.00000004.00000020.00020000.00000000.sdmp, teepees.exe, 00000006.00000003.2238442226.0000000001173000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msmpeng.exe
Source: teepees.exe, 00000006.00000002.2266640292.00000000011FE000.00000004.00000020.00020000.00000000.sdmp, teepees.exe, 00000006.00000003.2238442226.0000000001173000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcupdate.exe

Source: teepees.exe	Binary or memory string: WIN_81
Source: teepees.exe	Binary or memory string: WIN_XP
Source: teepees.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: teepees.exe	Binary or memory string: WIN_XPe
Source: teepees.exe	Binary or memory string: WIN_VISTA
Source: teepees.exe	Binary or memory string: WIN_7
Source: teepees.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_00321204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00321204
Source: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe	Code function: 0_2_00321806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00321806
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_00201204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	2_2_00201204
Source: C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	Code function: 2_2_00201806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00201806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	12 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	212 Process Injection	1 Masquerading	LSA Secrets	431 Security Software Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	2 Valid Accounts	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	111 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
30% Order payment-BLQuote_'PO#385995790.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject
30% Order payment-BLQuote_'PO#385995790.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\exhilaratingly\teepees.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject

Name	IP	Active	Malicious	Antivirus Detection	Reputation
206.23.85.13.in-addr.arpa	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
69.174.100.131	unknown	United States		8100	ASN-QUADRANET-GLOBALUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586938
Start date and time:	2025-01-09 19:20:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	30% Order payment-BLQuote_'PO#385995790.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@10/7@1/1
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 99% Number of executed functions: 51 Number of non-executed functions: 295
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212, 13.85.23.206, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 320 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 6300 because it is empty
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 30% Order payment-BLQuote_'PO#385995790.exe

Simulations

Behavior and APIs

Time	Type	Description
19:21:12	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
69.174.100.131	bcUcEm7AqP.exe	Get hash	malicious	AsyncRAT	Browse
	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse
	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse
	Drawing&spec.scr.exe	Get hash	malicious	AsyncRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	66.63.187.173
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, XWorm, Xmrig	Browse	66.63.187.122
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	66.63.187.173
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	66.63.187.173
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	66.63.187.173
	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	104.223.10.34
	1.elf	Get hash	malicious	Unknown	Browse	72.11.146.74
	Aqua.arm7.elf	Get hash	malicious	Mirai	Browse	193.111.248.108
	Aqua.mips.elf	Get hash	malicious	Unknown	Browse	193.111.248.108

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\Graff

Download File

Process:	C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe
File Type:	data
Category:	dropped
Size (bytes):	46080
Entropy (8bit):	6.801238878274126
Encrypted:	false
SSDEEP:	768:SBduR8BmNaoBIj/4eh6HQhJeGXOEuptt9Jx/T3d7pbUKiXEBs7vW8ERSq:Yy8Bm7ij/Nt9RuLlxT35fm7vERv
MD5:	8A4F25859828C5B3FA6C17BBC656F588
SHA1:	869BD416534CA936FB571E0B34BC193BE033BE70
SHA-256:	FE0454AD725A63EA72A36738B4CADADB744DD4783C2227EFD2168866814929A5
SHA-512:	AEF96DCBC861EE48E67D70678F5E59359100CB0C21DF14E9355853FB008CE5D250FED10756C29B47D36638A0597FD3182DC6C71AAB84F14F82BF32A15C81E7E5
Malicious:	false
Reputation:	low
Preview:	.c.95DQ2SOQZ..O5.B2FAMAE.S07TKN9296DQ2WOQZ24O5JB2FAMAEIS07TK.9298[.<W.X...Ny.cf.(>a5;<WE5&nZSWX+%.5q(GZo\$bv..m,-6.:YAj9296DQ2..QZ~5L5...#AMAEIS07.KL898>DQ.WOQP24O5JB<.AMAeIS0.TKN9r96dQ2WMQZ64O5JB2FEMAEIS07TkO92;6DQ2WOSZr.O5ZB2VAMAEYS0'TKN929&DQ2WOQZ24O5..2F.MAEI.07.LN9296DQ2WOQZ24O5JB2F@MMEIS07TKN9296DQ2WOQZ24O5JB2FAMAEIS07TKN9296DQ2WOQZ24O.JB:FAMAEIS07TKF.29~DQ2WOQZ24O5d6W>5MAE].07TkN92.6DQ0WOQZ24O5JB2FAMaEI3.E'9-929.CQ2W.QZ2<O5J.2FAMAEIS07TKN9r96..@2#>924C5JB2F@MAGIS0.TKN9296DQ2WOQZr4OwJB2FAMAEIS07TKN9..6DQ2WO.Z24M5OB..AM.)IS37TKO92?6DQ2WOQZ24O5JB2FAMAEIS07TKN9296DQ2WOQZ24O5JB2FAM..W....p. 0...)qWr...*-.......x.gS.7.KN9,;.\Q2]eK$!4O1`\0.RMAAcIN#TKJ.,;.PQ2SeK$'4O1`\0.TMAAcIN!TKJ.,;.RQ2SeK$%4O1`\0.VMAAcIN/TKJ.,;.\Q2SeK$+4O1`\0.XMAAcIN-TKJ.(G-DQ6}QS.)4O1`XLZAMEoWQ.+TKJ.(G+DQ6}QS./4O1`h0n.MAO_.3.f5E92=5+n2WE{tA,O5@.(FAIk.az07Rqf929.nQ2QuOZ24g.JB4\|UMAEat07RqD929.lQ2QvWZ24[.<B2Lk.i.IS:D.KN3..4DQ].OQP.Z1+JB6.QMAE7M07P$.923".O2WK{$L;O5Nj%FAGxJIS0.dKN?.<6DQ..OQ\.b=yoBB8QMAAa<07^.m92=..".WO

C:\Users\user\AppData\Local\Temp\aut2D14.tmp

Download File

Process:	C:\Users\user\AppData\Local\exhilaratingly\teepees.exe
File Type:	data
Category:	dropped
Size (bytes):	40552
Entropy (8bit):	7.881796776962672
Encrypted:	false
SSDEEP:	768:rQKiQnYCP8+tU6Ln+bowjKlA/Eh36gWcU51e1bskhs3wrva480KfrAYFaJ:UoUcoTT/EhKpcCA1bs+s3wrS48jA8m
MD5:	AAF7471B3683B052335BA50F235D3D13
SHA1:	D74582B1872A357153B6DFBA8CD70AC3B163A0D9
SHA-256:	F98D04D6A09C43AAF96D16FED927367EE500E9E8C652FD3BF45A64A9129C5A07
SHA-512:	1A0234CB679322C745BA972813883FF4669113CFEDDB0A313E1200DACD7766B59CD91BCAF8E46022CA0BBD667E67BD2E359CF6A0A9B8604FD0FABA0DE1DB5F2C
Malicious:	false
Reputation:	low
Preview:	EA06.......S....2...5.o..5.P.Tj.6.E....z...9.Nf...\.x.M).ZP..i ..8.x.V.s....).=....O.3Y..E....^.+.......Z..$.+.&%m.J..h..A..-f.....Zd._........'.....Q..<....O0 ...x.K7)....,Sj5....h.....3)...u...5.P.U`...S.I.4.&.....2.E.....o...x\|..m4.. !......P.@..FfS....l.j..j.<W~......<&.._...I...y..h.....x..<..=.....q...&R9..e4..Zf.G..0.....iO..Z\|\|/...# ..6kO.q...n.SI.......~.....g....y..... .G`..M.r....n3=..ht.....S.......w..TfU.-.I!.S.6...R..h6:M:GT..r....(...p......!...H.{.P...../...p.{........-..e.ym..6..j}.H..X.V.4.-..Q.J...+....y.L-..m.._...i..s2..ev.^.{.Pe.....(.Pi6....0..6`..=n..7Zx.qg.R.SK.T....... ..l....p....P.T.\n....TNM..3.Ff.J.w...F+S.].6..@...6a7.I<s...E......;..i.-..G.R.a....N...0.j/O..#.)...B.N.....y0..v..B9..i......4.MgR.m..K..m.:.c..xWv.j%^5w.<"].d.j..-.....h[.....+.L....B)4...)...?...2:.".K.N.P....<#QJ\|.h.Mq.%.&..hXb...mD..g...jq..MiTH.".M.....L.A.N.R0..5..<+.....P..x.Z-&....it..k..<l.t..z1....C.$..A...0*M..x.U.p....S.uf....52.Q.

C:\Users\user\AppData\Local\Temp\autE8F7.tmp

Download File

Process:	C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe
File Type:	data
Category:	dropped
Size (bytes):	40552
Entropy (8bit):	7.881796776962672
Encrypted:	false
SSDEEP:	768:rQKiQnYCP8+tU6Ln+bowjKlA/Eh36gWcU51e1bskhs3wrva480KfrAYFaJ:UoUcoTT/EhKpcCA1bs+s3wrS48jA8m
MD5:	AAF7471B3683B052335BA50F235D3D13
SHA1:	D74582B1872A357153B6DFBA8CD70AC3B163A0D9
SHA-256:	F98D04D6A09C43AAF96D16FED927367EE500E9E8C652FD3BF45A64A9129C5A07
SHA-512:	1A0234CB679322C745BA972813883FF4669113CFEDDB0A313E1200DACD7766B59CD91BCAF8E46022CA0BBD667E67BD2E359CF6A0A9B8604FD0FABA0DE1DB5F2C
Malicious:	false
Reputation:	low
Preview:	EA06.......S....2...5.o..5.P.Tj.6.E....z...9.Nf...\.x.M).ZP..i ..8.x.V.s....).=....O.3Y..E....^.+.......Z..$.+.&%m.J..h..A..-f.....Zd._........'.....Q..<....O0 ...x.K7)....,Sj5....h.....3)...u...5.P.U`...S.I.4.&.....2.E.....o...x\|..m4.. !......P.@..FfS....l.j..j.<W~......<&.._...I...y..h.....x..<..=.....q...&R9..e4..Zf.G..0.....iO..Z\|\|/...# ..6kO.q...n.SI.......~.....g....y..... .G`..M.r....n3=..ht.....S.......w..TfU.-.I!.S.6...R..h6:M:GT..r....(...p......!...H.{.P...../...p.{........-..e.ym..6..j}.H..X.V.4.-..Q.J...+....y.L-..m.._...i..s2..ev.^.{.Pe.....(.Pi6....0..6`..=n..7Zx.qg.R.SK.T....... ..l....p....P.T.\n....TNM..3.Ff.J.w...F+S.].6..@...6a7.I<s...E......;..i.-..G.R.a....N...0.j/O..#.)...B.N.....y0..v..B9..i......4.MgR.m..K..m.:.c..xWv.j%^5w.<"].d.j..-.....h[.....+.L....B)4...)...?...2:.".K.N.P....<#QJ\|.h.Mq.%.&..hXb...mD..g...jq..MiTH.".M.....L.A.N.R0..5..<+.....P..x.Z-&....it..k..<l.t..z1....C.$..A...0*M..x.U.p....S.uf....52.Q.

C:\Users\user\AppData\Local\Temp\autF51C.tmp

Download File

Process:	C:\Users\user\AppData\Local\exhilaratingly\teepees.exe
File Type:	data
Category:	dropped
Size (bytes):	40552
Entropy (8bit):	7.881796776962672
Encrypted:	false
SSDEEP:	768:rQKiQnYCP8+tU6Ln+bowjKlA/Eh36gWcU51e1bskhs3wrva480KfrAYFaJ:UoUcoTT/EhKpcCA1bs+s3wrS48jA8m
MD5:	AAF7471B3683B052335BA50F235D3D13
SHA1:	D74582B1872A357153B6DFBA8CD70AC3B163A0D9
SHA-256:	F98D04D6A09C43AAF96D16FED927367EE500E9E8C652FD3BF45A64A9129C5A07
SHA-512:	1A0234CB679322C745BA972813883FF4669113CFEDDB0A313E1200DACD7766B59CD91BCAF8E46022CA0BBD667E67BD2E359CF6A0A9B8604FD0FABA0DE1DB5F2C
Malicious:	false
Preview:	EA06.......S....2...5.o..5.P.Tj.6.E....z...9.Nf...\.x.M).ZP..i ..8.x.V.s....).=....O.3Y..E....^.+.......Z..$.+.&%m.J..h..A..-f.....Zd._........'.....Q..<....O0 ...x.K7)....,Sj5....h.....3)...u...5.P.U`...S.I.4.&.....2.E.....o...x\|..m4.. !......P.@..FfS....l.j..j.<W~......<&.._...I...y..h.....x..<..=.....q...&R9..e4..Zf.G..0.....iO..Z\|\|/...# ..6kO.q...n.SI.......~.....g....y..... .G`..M.r....n3=..ht.....S.......w..TfU.-.I!.S.6...R..h6:M:GT..r....(...p......!...H.{.P...../...p.{........-..e.ym..6..j}.H..X.V.4.-..Q.J...+....y.L-..m.._...i..s2..ev.^.{.Pe.....(.Pi6....0..6`..=n..7Zx.qg.R.SK.T....... ..l....p....P.T.\n....TNM..3.Ff.J.w...F+S.].6..@...6a7.I<s...E......;..i.-..G.R.a....N...0.j/O..#.)...B.N.....y0..v..B9..i......4.MgR.m..K..m.:.c..xWv.j%^5w.<"].d.j..-.....h[.....+.L....B)4...)...?...2:.".K.N.P....<#QJ\|.h.Mq.%.&..hXb...mD..g...jq..MiTH.".M.....L.A.N.R0..5..<+.....P..x.Z-&....it..k..<l.t..z1....C.$..A...0*M..x.U.p....S.uf....52.Q.

C:\Users\user\AppData\Local\exhilaratingly\teepees.exe

Download File

Process:	C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1024512
Entropy (8bit):	6.8136536123000635
Encrypted:	false
SSDEEP:	24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8a8hXks:6TvC/MTQYxsWR7a8
MD5:	4FC60BC5D5EFE63F44146BF1F1BECE0D
SHA1:	B6DFD1478A58CACA13ED041995840EA0250CFF3E
SHA-256:	AAB63D73293024E2C135E11929702E1FD5C2497F5885F26E5A6DC6E6409C91D1
SHA-512:	C90A18D004BB03B3D3EFDDFF4C5C60448D4AA9A50F33E8A23E93AC282E927F7F70C788C19982FB5642218BAA1A6B04CB2852D447AEE767F32E7FA7CF6A7DB6EF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....Ucg..........".................w.............@..................................f....@...@.......@.....................d...\|....@...7.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....7...@...8..................@..@.reloc...u.......v...,..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs

Download File

Process:	C:\Users\user\AppData\Local\exhilaratingly\teepees.exe
File Type:	data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	3.380464176388977
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1Al0Tlcsc6nriIM8lfQVn:DsO+vNlzQ1Al0S4mA2n
MD5:	3A501A9BCCC5203EF2B7BB25974EBE3F
SHA1:	F2421D080CAE1B7B3D75C465C5BB4E13DB2CE252
SHA-256:	14E568CCDD70F77B7EB80C3B9721CF9E9D209EEB289CC20A468DE5D21E3A5058
SHA-512:	D4A09B5D8C65223AC6EC3B3F874E281081E41F65E514DB58D582B5508C7AD3CC2F2BD6DEB38AD061252B4A41F53B2FEA76E1C814B0019C7B71031B45296D8990
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.e.x.h.i.l.a.r.a.t.i.n.g.l.y.\.t.e.e.p.e.e.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.8136536123000635
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	30% Order payment-BLQuote_'PO#385995790.exe
File size:	1'024'512 bytes
MD5:	4fc60bc5d5efe63f44146bf1f1bece0d
SHA1:	b6dfd1478a58caca13ed041995840ea0250cff3e
SHA256:	aab63d73293024e2c135e11929702e1fd5c2497f5885f26e5a6dc6e6409c91d1
SHA512:	c90a18d004bb03b3d3efddff4c5c60448d4aa9a50f33e8a23e93ac282e927f7f70c788c19982fb5642218baa1a6b04cb2852d447aee767f32e7fa7cf6a7db6ef
SSDEEP:	24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8a8hXks:6TvC/MTQYxsWR7a8
TLSH:	8B25AE027391C062FF9B92334B5AF6115BBC69260123E61F13A81D7ABE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67635592 [Wed Dec 18 23:06:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F7F14B24CE3h
jmp 00007F7F14B245EFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7F14B247CDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7F14B2479Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F7F14B2738Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F7F14B273D8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F7F14B273C1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x237c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf8000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x237c8	0x23800	aab47a8dce5fae9bc38ea53d023dbecf	False	0.8145906690140845	data	7.579026971101986	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf8000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1aa8f	data			1.0003754613137483
RT_GROUP_ICON	0xf7248	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xf72c0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf72d4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xf72e8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xf72fc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf73d8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 19:21:23.955931902 CET	49716	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:21:23.960752010 CET	6606	49716	69.174.100.131	192.168.2.5
Jan 9, 2025 19:21:23.960824966 CET	49716	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:21:23.976464033 CET	49716	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:21:23.981275082 CET	6606	49716	69.174.100.131	192.168.2.5
Jan 9, 2025 19:21:24.987946033 CET	49662	53	192.168.2.5	1.1.1.1
Jan 9, 2025 19:21:24.993314028 CET	53	49662	1.1.1.1	192.168.2.5
Jan 9, 2025 19:21:24.993717909 CET	49662	53	192.168.2.5	1.1.1.1
Jan 9, 2025 19:21:24.999138117 CET	53	49662	1.1.1.1	192.168.2.5
Jan 9, 2025 19:21:25.460275888 CET	49662	53	192.168.2.5	1.1.1.1
Jan 9, 2025 19:21:25.465554953 CET	53	49662	1.1.1.1	192.168.2.5
Jan 9, 2025 19:21:25.465661049 CET	49662	53	192.168.2.5	1.1.1.1
Jan 9, 2025 19:21:39.567061901 CET	62250	53	192.168.2.5	162.159.36.2
Jan 9, 2025 19:21:39.572041988 CET	53	62250	162.159.36.2	192.168.2.5
Jan 9, 2025 19:21:39.572153091 CET	62250	53	192.168.2.5	162.159.36.2
Jan 9, 2025 19:21:39.577058077 CET	53	62250	162.159.36.2	192.168.2.5
Jan 9, 2025 19:21:40.037277937 CET	62250	53	192.168.2.5	162.159.36.2
Jan 9, 2025 19:21:40.042396069 CET	53	62250	162.159.36.2	192.168.2.5
Jan 9, 2025 19:21:40.042463064 CET	62250	53	192.168.2.5	162.159.36.2
Jan 9, 2025 19:21:45.379271030 CET	6606	49716	69.174.100.131	192.168.2.5
Jan 9, 2025 19:21:45.379342079 CET	49716	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:21:50.405431986 CET	49716	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:21:50.405921936 CET	62318	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:21:50.410275936 CET	6606	49716	69.174.100.131	192.168.2.5
Jan 9, 2025 19:21:50.410754919 CET	6606	62318	69.174.100.131	192.168.2.5
Jan 9, 2025 19:21:50.410834074 CET	62318	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:21:50.411297083 CET	62318	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:21:50.416065931 CET	6606	62318	69.174.100.131	192.168.2.5
Jan 9, 2025 19:22:11.797513962 CET	6606	62318	69.174.100.131	192.168.2.5
Jan 9, 2025 19:22:11.797626019 CET	62318	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:22:16.809498072 CET	62318	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:22:16.809906006 CET	62423	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:22:16.814419985 CET	6606	62318	69.174.100.131	192.168.2.5
Jan 9, 2025 19:22:16.814702034 CET	6606	62423	69.174.100.131	192.168.2.5
Jan 9, 2025 19:22:16.814774990 CET	62423	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:22:16.815155029 CET	62423	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:22:16.819933891 CET	6606	62423	69.174.100.131	192.168.2.5
Jan 9, 2025 19:22:38.172919989 CET	6606	62423	69.174.100.131	192.168.2.5
Jan 9, 2025 19:22:38.173002958 CET	62423	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:22:43.184437037 CET	62423	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:22:43.184870005 CET	62425	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:22:43.189228058 CET	6606	62423	69.174.100.131	192.168.2.5
Jan 9, 2025 19:22:43.189815998 CET	6606	62425	69.174.100.131	192.168.2.5
Jan 9, 2025 19:22:43.189914942 CET	62425	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:22:43.190287113 CET	62425	6606	192.168.2.5	69.174.100.131
Jan 9, 2025 19:22:43.195156097 CET	6606	62425	69.174.100.131	192.168.2.5
Jan 9, 2025 19:23:04.569822073 CET	6606	62425	69.174.100.131	192.168.2.5
Jan 9, 2025 19:23:04.570046902 CET	62425	6606	192.168.2.5	69.174.100.131

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 19:21:24.973412991 CET	53	64205	1.1.1.1	192.168.2.5
Jan 9, 2025 19:21:39.566318035 CET	53	56784	162.159.36.2	192.168.2.5
Jan 9, 2025 19:21:40.094227076 CET	54456	53	192.168.2.5	1.1.1.1
Jan 9, 2025 19:21:40.101844072 CET	53	54456	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 19:21:40.094227076 CET	192.168.2.5	1.1.1.1	0xfd35	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 19:21:40.101844072 CET	1.1.1.1	192.168.2.5	0xfd35	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	13:21:03
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe"
Imagebase:	0x2a0000
File size:	1'024'512 bytes
MD5 hash:	4FC60BC5D5EFE63F44146BF1F1BECE0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:21:06
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\exhilaratingly\teepees.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe"
Imagebase:	0x180000
File size:	1'024'512 bytes
MD5 hash:	4FC60BC5D5EFE63F44146BF1F1BECE0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000002.00000002.2116828702.0000000001B90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:21:09
Start date:	09/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe"
Imagebase:	0xeb0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:21:20
Start date:	09/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs"
Imagebase:	0x7ff720b50000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:21:21
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\exhilaratingly\teepees.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\exhilaratingly\teepees.exe"
Imagebase:	0x180000
File size:	1'024'512 bytes
MD5 hash:	4FC60BC5D5EFE63F44146BF1F1BECE0D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000002.2267129675.0000000003620000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:21:24
Start date:	09/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\exhilaratingly\teepees.exe"
Imagebase:	0x2e0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.2377949969.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.2377949969.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	65

Executed Functions

Function 002A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 002A430D

Part of subcall function 002A6B57: _wcslen.LIBCMT ref: 002A6B6A

GetCurrentProcess.KERNEL32(?,0033CB64,00000000,?,?), ref: 002A4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 002A4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 002A4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002A4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 002A4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 002A447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002A44A0

Strings

|O, xrefs: 002E36F8
kernel32.dll, xrefs: 002A444F
GetNativeSystemInfo, xrefs: 002A4460

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 70060f9dc822be8af71d37fab86c707814f13862ae0f7d0561f3d33d01ed9b0e
Instruction ID: e5c03ccce893a77c11e02c4e96a7a6598426b047ba65b8b17c5758267f9777f8
Opcode Fuzzy Hash: 70060f9dc822be8af71d37fab86c707814f13862ae0f7d0561f3d33d01ed9b0e
Instruction Fuzzy Hash: 81A1D46BA3A2C0CFE733DF7D7C841957FEC6B66301F045899E08DA3A61D6608598CB21

Function 002A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002A50AA,?,?,00000000,00000000), ref: 002A42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002A50AA,?,?,00000000,00000000), ref: 002A42C9
LoadResource.KERNEL32(?,00000000,?,?,002A50AA,?,?,00000000,00000000,?,?,?,?,?,?,002A4F20), ref: 002E35BE
SizeofResource.KERNEL32(?,00000000,?,?,002A50AA,?,?,00000000,00000000,?,?,?,?,?,?,002A4F20), ref: 002E35D3
LockResource.KERNEL32(002A50AA,?,?,002A50AA,?,?,00000000,00000000,?,?,?,?,?,?,002A4F20,?), ref: 002E35E6

Strings

SCRIPT, xrefs: 002A42BF

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 24392d485e4097029b72fddc94620bbe3000f956b74c3557b1caf05d449dccdd
Instruction ID: 9b1bc5cc9ecec2fdb443fe3b877e719b21a882564a68e0a2be738f09a5583231
Opcode Fuzzy Hash: 24392d485e4097029b72fddc94620bbe3000f956b74c3557b1caf05d449dccdd
Instruction Fuzzy Hash: 66115A71250701AFEB229B65DC88F677BBDEBC6B51F10456AB802E6250DBB1D8108620

Function 002E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 002A2B6B

Part of subcall function 002A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00371418,?,002A2E7F,?,?,?,00000000), ref: 002A3A78

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00362224), ref: 002E2C10
ShellExecuteW.SHELL32(00000000,?,?,00362224), ref: 002E2C17

Strings

runas, xrefs: 002E2C0B

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 02d6c9d67364e0f74c70680506cb9b1d11d84da05ff384ab854bef24a947b007
Instruction ID: 045f37eb6f027264af68bb229137217ea9530932b1a2595ceecfef6568a1b442
Opcode Fuzzy Hash: 02d6c9d67364e0f74c70680506cb9b1d11d84da05ff384ab854bef24a947b007
Instruction Fuzzy Hash: A21129321283459FC716FF29DC51ABEB7A89F97354F44582DF086520A3CF2485ADCB52

Function 0030DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,002E5222), ref: 0030DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0030DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0030DBEE
FindClose.KERNEL32(00000000), ref: 0030DBFA

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: feb3a41a8aa88e7923e743aaca3ded0d1bf012b596ed399f86265eacedffa497
Instruction ID: ee283c9476a93006b2e0b5bbb2f8844144f4aa5299bfa69e6e3be118f64df5a2
Opcode Fuzzy Hash: feb3a41a8aa88e7923e743aaca3ded0d1bf012b596ed399f86265eacedffa497
Instruction Fuzzy Hash: 2FF0E53182192057D222ABBCBC4D8AB3BAC9E01334F104B02F836D20F0EBB45D54CBD5

Function 002ABF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#7, xrefs: 002F07CE

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#7
API String ID: 3964851224-2913231660
Opcode ID: 23cafa774d88933d7a479494920ae1fc3f24e5529689bd494903fb9274220ea8
Instruction ID: 35505d3143805c02f53e1266ff0ea7a3c6a15a3e5bf7bcc2fa4b55dfbe73d1b5
Opcode Fuzzy Hash: 23cafa774d88933d7a479494920ae1fc3f24e5529689bd494903fb9274220ea8
Instruction Fuzzy Hash: CBA26A706283018FD714DF18C480B2AB7E1BF8A344F24896DE99A8B352DB71EC55CF92

Function 002AD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002AD807
timeGetTime.WINMM ref: 002ADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002ADB28
TranslateMessage.USER32(?), ref: 002ADB7B
DispatchMessageW.USER32(?), ref: 002ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002ADB9F
Sleep.KERNEL32(0000000A), ref: 002ADBB1

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: c863beccd0006565cb1eb824a83f7bfb2801100cb5a6c9b7860d7a833365a0fe
Instruction ID: 3248374d68540b6f0f3fa94923cb196be1bed6fa839f9d2d84034bd8529b929f
Opcode Fuzzy Hash: c863beccd0006565cb1eb824a83f7bfb2801100cb5a6c9b7860d7a833365a0fe
Instruction Fuzzy Hash: DB42E230624246DFD729CF24C884BBAF7E4BF47314F144929E59687691DB70E8A8CF92

Function 002A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002A2D07
RegisterClassExW.USER32(00000030), ref: 002A2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002A2D42
InitCommonControlsEx.COMCTL32(?), ref: 002A2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002A2D6F
LoadIconW.USER32(000000A9), ref: 002A2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002A2D94

Strings

0, xrefs: 002A2CE9
TaskbarCreated, xrefs: 002A2D37
AutoIt v3 GUI, xrefs: 002A2D23
+, xrefs: 002A2CF0

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 84027167c0018e6051a18377c8d538848221519569b322295355f2c7279c5728
Instruction ID: 5a872b857f8f40fc63c009671298493a3f7235068e4506dab27436f4843f7955
Opcode Fuzzy Hash: 84027167c0018e6051a18377c8d538848221519569b322295355f2c7279c5728
Instruction Fuzzy Hash: 5621F9B5921308AFDB12DFA8EC89BDDBBB8FB08700F00511AFA15B6290D7B14584CF90

Function 002D8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.,, xrefs: 002D903A, 002D8FD0, 002D8FF2

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID: .,
API String ID: 0-2608738861
Opcode ID: a4916c686811f2c958b0bffffbecca99ee62d57aa18e4e1be6c1d33ccd2373b3
Instruction ID: d971ee089b6fff90cf7a39cc0dbd2a4e67a3a86ffc4f1755708c842f13938f80
Opcode Fuzzy Hash: a4916c686811f2c958b0bffffbecca99ee62d57aa18e4e1be6c1d33ccd2373b3
Instruction Fuzzy Hash: 89C10474A2434AEFDB21DFA8D841BADBBB5AF09310F14415AF818A7392C7709D91CF61

Function 002E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002E039A: CreateFileW.KERNELBASE(00000000,00000000,?,002E0704,?,?,00000000,?,002E0704,00000000,0000000C), ref: 002E03B7

GetLastError.KERNEL32 ref: 002E076F
__dosmaperr.LIBCMT ref: 002E0776
GetFileType.KERNELBASE(00000000), ref: 002E0782
GetLastError.KERNEL32 ref: 002E078C
__dosmaperr.LIBCMT ref: 002E0795
CloseHandle.KERNEL32(00000000), ref: 002E07B5
CloseHandle.KERNEL32(?), ref: 002E08FF
GetLastError.KERNEL32 ref: 002E0931
__dosmaperr.LIBCMT ref: 002E0938

Strings

H, xrefs: 002E08BD

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: f8d5bf4b49bb2219355f1575e9b6bac2fe6dcee33783bf44c93460c572eb2a87
Instruction ID: a8486f42bd16e4ec448a606fdaba7e0fa52212736c665b6f1658260995baab4d
Opcode Fuzzy Hash: f8d5bf4b49bb2219355f1575e9b6bac2fe6dcee33783bf44c93460c572eb2a87
Instruction Fuzzy Hash: 7DA13732A241858FDF19EF68DC91BAD7BA5AB06320F14015DF815AF391C7719CA3CB91

Function 002A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00371418,?,002A2E7F,?,?,?,00000000), ref: 002A3A78

Part of subcall function 002A3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002A3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002A356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002E318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002E31CE
RegCloseKey.ADVAPI32(?), ref: 002E3210
_wcslen.LIBCMT ref: 002E3277
_wcslen.LIBCMT ref: 002E3286

Strings

Include, xrefs: 002E3184, 002E31C5
\, xrefs: 002E328C
Software\AutoIt v3\AutoIt, xrefs: 002A3560
\Include\, xrefs: 002A3527

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 7eae084afccec2b72a40e09f9b906f9fde769168a5ad4d878a499604f785a58e
Instruction ID: e9c93f043fd6398bd928f6b45b5ac37b7fdca8aca7a66ba7b679456a5822d3e1
Opcode Fuzzy Hash: 7eae084afccec2b72a40e09f9b906f9fde769168a5ad4d878a499604f785a58e
Instruction Fuzzy Hash: D2719F755243019FD326EF26DC859ABBBE8FF85340F80082EF589971A0DB749A98CF51

Function 002A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002A2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 002A2B9D
LoadIconW.USER32(00000063), ref: 002A2BB3
LoadIconW.USER32(000000A4), ref: 002A2BC5
LoadIconW.USER32(000000A2), ref: 002A2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002A2BEF
RegisterClassExW.USER32(?), ref: 002A2C40

Part of subcall function 002A2CD4: GetSysColorBrush.USER32(0000000F), ref: 002A2D07
Part of subcall function 002A2CD4: RegisterClassExW.USER32(00000030), ref: 002A2D31
Part of subcall function 002A2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002A2D42
Part of subcall function 002A2CD4: InitCommonControlsEx.COMCTL32(?), ref: 002A2D5F
Part of subcall function 002A2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002A2D6F
Part of subcall function 002A2CD4: LoadIconW.USER32(000000A9), ref: 002A2D85
Part of subcall function 002A2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002A2D94

Strings

0, xrefs: 002A2C0F
#, xrefs: 002A2C16
AutoIt v3, xrefs: 002A2C2F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 9c48f4a4788910a9ea4a10015f3befabdcdcc11ba10c0b02f82ba97295f93872
Instruction ID: 97950c3e864b25611709a9675fe27b3ff3db5aa97ee3f22d55e28ad8100260e0
Opcode Fuzzy Hash: 9c48f4a4788910a9ea4a10015f3befabdcdcc11ba10c0b02f82ba97295f93872
Instruction Fuzzy Hash: 7F21337AE10314AFEB229FA9EC95B9D7FB8FB48B50F00401AF508B6660D7B14584CF90

Function 002A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,002A316A,?,?), ref: 002A31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,002A316A,?,?), ref: 002A3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002A3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,002A316A,?,?), ref: 002A3232
CreatePopupMenu.USER32 ref: 002A3246
PostQuitMessage.USER32(00000000), ref: 002A3267

Strings

TaskbarCreated, xrefs: 002A322D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: aff05faa7ae3cfaf6334ddd32ab76fb50e6012da8b3b929394443f50220ba402
Instruction ID: d5d1a21360134478ab411ac2616e9bd2b86f8d910d5aed19499f02229166e2a2
Opcode Fuzzy Hash: aff05faa7ae3cfaf6334ddd32ab76fb50e6012da8b3b929394443f50220ba402
Instruction Fuzzy Hash: A7417C362B0201ABEB269F3C9C5EB79365DE747340F040115FE0AD61A1CFB4DE649BA1

Function 002ADFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%7, xrefs: 002AE4B1
D%7, xrefs: 002F302D
D%7, xrefs: 002AE1E0
D%7, xrefs: 002F2FDA
Variable must be of type 'Object'., xrefs: 002F32B7
D%7D%7, xrefs: 002AE27E

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID: D%7$D%7$D%7$D%7$D%7D%7$Variable must be of type 'Object'.
API String ID: 0-4019137033
Opcode ID: e58aed6649467e483f5865add0128be9c97ac0404af2fb3384efd66c2eae86cc
Instruction ID: 97b163b987ac74d463cde3547e666d256149f37cd62100973e3e2113086f9913
Opcode Fuzzy Hash: e58aed6649467e483f5865add0128be9c97ac0404af2fb3384efd66c2eae86cc
Instruction Fuzzy Hash: 58C29D71A20216CFCF24CF58C880AADB7B1FF4A310F258569E905AB351DB75EDA2CB51

Function 016A82E0 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 016A8325

Memory Dump Source

Source File: 00000000.00000002.2085188390.00000000016A7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016A7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a7000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 0f4e8c662603bb771f008cb8c56d50d3fce7cc4ebdc3ee5817b4a6e47ddb63f9
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 0851E875A50208FBEF60DFA4CC49FEE7778BF48701F508558F61AEB280DA749A458B60

Function 002A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002A2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002A2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,002A1CAD,?), ref: 002A2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,002A1CAD,?), ref: 002A2CCF

Strings

edit, xrefs: 002A2CAC
AutoIt v3, xrefs: 002A2C89, 002A2C8E, 002A2C8F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 76d0a332957bddd2938135f95a93453a3f909dad0b8304b7f1e4a4a88f7a47b6
Instruction ID: c524922a1180a20bc6adfeb8cbaf53961a26d054f4eadfff3b89acc51552171a
Opcode Fuzzy Hash: 76d0a332957bddd2938135f95a93453a3f909dad0b8304b7f1e4a4a88f7a47b6
Instruction Fuzzy Hash: 0BF0DA7A5503907AFB33172BAC49E773EBDD7C6F50F01505AF908A25A0C6A11890EAB0

Function 00312947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00312C05
DeleteFileW.KERNEL32(?), ref: 00312C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00312C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00312CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00312CC0

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: ecf0e91fa4b6673a2cfdccc062b407454af25faabc5459d956fb4f5f72e683ac
Instruction ID: 032c7d9da5cb2c29aae933ea924f7c594ba68dd81acd182427b6122bd5e04d44
Opcode Fuzzy Hash: ecf0e91fa4b6673a2cfdccc062b407454af25faabc5459d956fb4f5f72e683ac
Instruction Fuzzy Hash: C0B15F71D10129ABDF16DFA4CC85EDFB7BDEF49350F1040AAF609E6141EA309A948FA1

Function 002D5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JO*, xrefs: 002D5BA8, 002D5C6C

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID: JO*
API String ID: 0-773212952
Opcode ID: 7be4152f696530669a47e85cf445ec929ba37143dc671c1ea782f097d5df132e
Instruction ID: b570b325369d4a9fda865e6fbea2fb4aa84ece1914567daebb6dc785bb06daab
Opcode Fuzzy Hash: 7be4152f696530669a47e85cf445ec929ba37143dc671c1ea782f097d5df132e
Instruction Fuzzy Hash: 6B51D071D30A2AAFDB219FA4C945FAEBBB8AF05314F14011BF804A7391D7B18D21DB61

Function 016A9DB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 016A9CA0: Sleep.KERNELBASE(000001F4), ref: 016A9CB1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016A9EE5

Strings

N9296DQ2WOQZ24O5JB2FAMAEIS07TK, xrefs: 016A9F65, 016A9F68

Memory Dump Source

Source File: 00000000.00000002.2085188390.00000000016A7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016A7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a7000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CreateFileSleep
String ID: N9296DQ2WOQZ24O5JB2FAMAEIS07TK
API String ID: 2694422964-3935212621
Opcode ID: 44e5b87248f09a1938b1b6a010507a5ba0a92823ab499966dc4a4c8c1a0697ae
Instruction ID: 021f38699e116d2624fbf2b33e2b2d1072546154ec3c2db27de463f16acda8fe
Opcode Fuzzy Hash: 44e5b87248f09a1938b1b6a010507a5ba0a92823ab499966dc4a4c8c1a0697ae
Instruction Fuzzy Hash: 6761B530D04288DAEF12D7B8CC58BDEBBB9AF15304F144199E6487B2C1C7B91B49CB65

Function 002A3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,002A3B0F,SwapMouseButtons,00000004,?), ref: 002A3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,002A3B0F,SwapMouseButtons,00000004,?), ref: 002A3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,002A3B0F,SwapMouseButtons,00000004,?), ref: 002A3B83

Strings

Control Panel\Mouse, xrefs: 002A3B3E

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 432713b36e8064335ee105ea100fd4bc23b6385f810c199677cfa7e8f20a81d1
Instruction ID: 495c5d0379b45320a11f7473952b7b5716034cf7ad8a3b866c9a439cc19ca387
Opcode Fuzzy Hash: 432713b36e8064335ee105ea100fd4bc23b6385f810c199677cfa7e8f20a81d1
Instruction Fuzzy Hash: 17115AB5520208FFDB21CFA4DC84AAEB7BDEF01748F104859B801E7110D731DE509760

Function 002A3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002E33A2

Part of subcall function 002A6B57: _wcslen.LIBCMT ref: 002A6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 002A3A04

Strings

Line: , xrefs: 002E33EB

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: d77559ffd6c637934cfb84fb11a61d8a009b24c02f0974a451632b52acb2b427
Instruction ID: 4b07264028d935d9fdcfab9fd7d8517a0daa450ba4d600221eb2d95346206b06
Opcode Fuzzy Hash: d77559ffd6c637934cfb84fb11a61d8a009b24c02f0974a451632b52acb2b427
Instruction Fuzzy Hash: 3A31C471428301AFD722EB24DC46FDBB7DCAB42710F04455AF59993091DF7496A8CBD2

Function 002A2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 002E2C8C

Part of subcall function 002A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002A3A97,?,?,002A2E7F,?,?,?,00000000), ref: 002A3AC2

Part of subcall function 002A2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002A2DC4

Strings

X, xrefs: 002E2C5A
`e6, xrefs: 002E2C85

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e6
API String ID: 779396738-2130086437
Opcode ID: 881b47932de1bdb15cf4dca32dac636986b5d2cc6c163728df0c1bf8fbc90624
Instruction ID: ea0ab801ed33d1e9001954da983e00e16eeda01577665c453fb6f8e99aca31e2
Opcode Fuzzy Hash: 881b47932de1bdb15cf4dca32dac636986b5d2cc6c163728df0c1bf8fbc90624
Instruction Fuzzy Hash: 59219671A202989BDB02DF99C845BDE7BFC9F49304F00805AE505B7241DFB4999D8FA1

Function 002BFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 002C0668

Part of subcall function 002C32A4: RaiseException.KERNEL32(?,?,?,002C068A,?,00371444,?,?,?,?,?,?,002C068A,002A1129,00368738,002A1129), ref: 002C3304

__CxxThrowException@8.LIBVCRUNTIME ref: 002C0685

Strings

Unknown exception, xrefs: 002C0692

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 7d8b1be489c9794966e29a37a286d7b64cb4efb5e27c30a9b721bcf939857a52
Instruction ID: 7b9125befadc22bc52fa07874df3d8060193529468881d631c48e959eab9a8c2
Opcode Fuzzy Hash: 7d8b1be489c9794966e29a37a286d7b64cb4efb5e27c30a9b721bcf939857a52
Instruction Fuzzy Hash: 4CF0C83492020EB7CF00BE64DC86E9E776C5E00350BA08779F914D5595EF71DA35CAC1

Function 016A89C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016A8A05
ExitProcess.KERNEL32(00000000), ref: 016A8A24

Strings

D, xrefs: 016A89D1

Memory Dump Source

Source File: 00000000.00000002.2085188390.00000000016A7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016A7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a7000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
Instruction ID: cb1f063e21ad52cb4ae6fa0deb1fd7de235f9873066c4eb3f42650f3a7d028a9
Opcode Fuzzy Hash: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
Instruction Fuzzy Hash: 99F0ECB154024CABDB60EFE4CC49FEE777CBF04705F548508BB0A9A184DA789A088B61

Function 00313017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0031302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00313044

Strings

aut, xrefs: 00313038

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 92672c3bf9c5143117423664c3c51e8e773921316bb442c617520d1b29df1ed1
Instruction ID: f761318fd937135846eae262baeb9d1a16963927ef665280f5a0da1c26a947cb
Opcode Fuzzy Hash: 92672c3bf9c5143117423664c3c51e8e773921316bb442c617520d1b29df1ed1
Instruction Fuzzy Hash: 3CD05EB250032867DE20A7A4AC4EFCB3A6CDB04750F0006A1BA55E2091DBB09984CBD0

Function 00327F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 003282F5
TerminateProcess.KERNEL32(00000000), ref: 003282FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 003284DD

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 1ae41fdd308f2690fa38e9c88ad7709aaf83b0ab26cd53c30c34f54863de028f
Instruction ID: 3ee94ce6e21894116b35949eb82818c08a588aaf22af04345064ec1bda5450fa
Opcode Fuzzy Hash: 1ae41fdd308f2690fa38e9c88ad7709aaf83b0ab26cd53c30c34f54863de028f
Instruction Fuzzy Hash: 53128A71A083119FC715DF28D480B6ABBE5BF89318F15895DE8898B252CB31ED45CF92

Function 002A10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 002A1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002A1BF4
Part of subcall function 002A1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 002A1BFC
Part of subcall function 002A1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002A1C07
Part of subcall function 002A1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002A1C12
Part of subcall function 002A1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 002A1C1A
Part of subcall function 002A1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 002A1C22

Part of subcall function 002A1B4A: RegisterWindowMessageW.USER32(00000004,?,002A12C4), ref: 002A1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002A136A
OleInitialize.OLE32 ref: 002A1388
CloseHandle.KERNEL32(00000000,00000000), ref: 002E24AB

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 7c0d057d2fac4721b72c42fd94e310c7187d7f2c2b6c3a8eaa245318dee6e7b8
Instruction ID: c6c477e845621cf33d531586b30cfe5c23a2467b3e25572083485f9cb8719833
Opcode Fuzzy Hash: 7c0d057d2fac4721b72c42fd94e310c7187d7f2c2b6c3a8eaa245318dee6e7b8
Instruction Fuzzy Hash: 4471C2BB9212458FC3BADF7DAC866553AE8FB8A364F54812ED40ED7261EB304494CF41

Function 0030C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002A3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 002A3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0030C259
KillTimer.USER32(?,00000001,?,?), ref: 0030C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0030C270

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 10a02bffe5788c5c8caaa740f6fb25ea2db8a8558158f540411515b0033132d5
Instruction ID: a46de4f232206be7565eec983891eaaefd51b9c8cb6c3c7d86a61dcd4706ccb2
Opcode Fuzzy Hash: 10a02bffe5788c5c8caaa740f6fb25ea2db8a8558158f540411515b0033132d5
Instruction Fuzzy Hash: 44319571915344AFEF339F6488A5BEBBBEC9F06304F00149DE5DAA7282C7745A84CB51

Function 002D86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,002D85CC,?,00368CC8,0000000C), ref: 002D8704
GetLastError.KERNEL32(?,002D85CC,?,00368CC8,0000000C), ref: 002D870E
__dosmaperr.LIBCMT ref: 002D8739

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: bf1a45d0c5ace141ce3d700aa38c1939e381b8f9acb4ca83170b6a90e6e96b18
Instruction ID: bfe6db402941aa8977a9b576c594d15fab5a64c43132bd3c6404ee87bd01e5a6
Opcode Fuzzy Hash: bf1a45d0c5ace141ce3d700aa38c1939e381b8f9acb4ca83170b6a90e6e96b18
Instruction Fuzzy Hash: 10018E33A3427026D2B56B346845B7E6B4D8B81774F39015BF9089B3D2DEE0CCE186D0

Function 002ADB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 002ADB7B
DispatchMessageW.USER32(?), ref: 002ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002ADB9F
Sleep.KERNEL32(0000000A), ref: 002ADBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 002F1CC9

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: cc6fc35effe819647285d7f933152668cb83ee023242d2605b45feba72d8a7f6
Instruction ID: c95e319aa836bdd4a0aeedee821def733f640fb658903a6c0463155cbfc2a90f
Opcode Fuzzy Hash: cc6fc35effe819647285d7f933152668cb83ee023242d2605b45feba72d8a7f6
Instruction Fuzzy Hash: 16F05E316643459BEB30CB608C89FEA73ACEB45350F504929E65A930C0DB74A4988B26

Function 00312FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00312CD4,?,?,?,00000004,00000001), ref: 00312FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00312CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00313006
CloseHandle.KERNEL32(00000000,?,00312CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0031300D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 522c5550e460e92136c2958379cf65190e57ce9c1188008580fb53bff47f668c
Instruction ID: 989611d5c4082297f0a26f56d7b6fb43ab027a3769a328760408881f796fa38c
Opcode Fuzzy Hash: 522c5550e460e92136c2958379cf65190e57ce9c1188008580fb53bff47f668c
Instruction Fuzzy Hash: 22E0CD3669031077D2321755BC4DFCB3E5CD7CAF71F114310F719750D146A0550153A8

Function 002B1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002B17F6

Strings

CALL, xrefs: 002B17C6

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 73d56b500c9ea673f74d46466ff1a8f4ccde92cb452458be9e09134b1d4a8343
Instruction ID: fa384a90ecfa0058c926c1dad728455af8e2342c4e398e85b381c6456820fe72
Opcode Fuzzy Hash: 73d56b500c9ea673f74d46466ff1a8f4ccde92cb452458be9e09134b1d4a8343
Instruction Fuzzy Hash: 2B22AC706282029FD724CF14C494AAABBF1FF85394F64896DF5868B361D771E861CF82

Function 00316EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00316F6B

Part of subcall function 002A4ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00371418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002A4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00316F5A, 00316F63

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 64212cdd020a91b46b77f963ba3cd1f5971affde43d4ff05c62147cc87972ed6
Instruction ID: f024d75946fbdbf1d9987cce9e2710367b027fa603b355b15ce86b7dc59b5479
Opcode Fuzzy Hash: 64212cdd020a91b46b77f963ba3cd1f5971affde43d4ff05c62147cc87972ed6
Instruction Fuzzy Hash: 60B1A2315182018FCB19EF24C8919AEB7F5AF99300F05885DF496972A2DF30ED99CF92

Function 00312557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00312587

Strings

EA06, xrefs: 003125B9

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 53daefaed934981f97629b4f5e4dc278e1e6db7eb94bbc0c7fe79ecd0e1dcec2
Instruction ID: 05d43da1153fee81526f84f41ed5818db6852a7489774a4185fcf1c1787f2ccb
Opcode Fuzzy Hash: 53daefaed934981f97629b4f5e4dc278e1e6db7eb94bbc0c7fe79ecd0e1dcec2
Instruction Fuzzy Hash: 4701B5729442587EDF29C7A8C856FEEBBF89B05301F00465EE552D2181E5B4E6188B60

Function 002DC9BB Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 002D2D74: GetLastError.KERNEL32(?,?,002D5686,002E3CD6,?,00000000,?,002D5B6A,?,?,?,?,?,002CE6D1,?,00368A48), ref: 002D2D78
Part of subcall function 002D2D74: _free.LIBCMT ref: 002D2DAB
Part of subcall function 002D2D74: SetLastError.KERNEL32(00000000,?,?,?,?,002CE6D1,?,00368A48,00000010,002A4F4A,?,?,00000000,002E3CD6), ref: 002D2DEC
Part of subcall function 002D2D74: _abort.LIBCMT ref: 002D2DF2

Part of subcall function 002DCADA: _abort.LIBCMT ref: 002DCB0C
Part of subcall function 002DCADA: _free.LIBCMT ref: 002DCB40

Part of subcall function 002DC74F: GetOEMCP.KERNEL32(00000000), ref: 002DC77A

_free.LIBCMT ref: 002DCA33
_free.LIBCMT ref: 002DCA69

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 3faecf7117a2d52ec9dd58414903e92ad2914a407faed68f1b19c5b0812ce1b2
Instruction ID: f38895284ce85b3b5eae896f93a9be47d4d724135383cfa5db29afa4f4f7d9a8
Opcode Fuzzy Hash: 3faecf7117a2d52ec9dd58414903e92ad2914a407faed68f1b19c5b0812ce1b2
Instruction Fuzzy Hash: 4731E23192424AAFDB11EFA8D441BA9B7F5EF40320F31419BE8049B3A2EB719D50DF50

Function 002A3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 002A3908

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: a1d87ba1de0ca96ca07d2bca7069470779668a9ee5ff679c343cfa3c4d47049a
Instruction ID: abfda21e52bb6349d0bb165e81ceaa7ebe2fdd58706aa31c9823eb2c35c3d5d3
Opcode Fuzzy Hash: a1d87ba1de0ca96ca07d2bca7069470779668a9ee5ff679c343cfa3c4d47049a
Instruction Fuzzy Hash: EE31A271514301DFE721DF28D885B97BBE8FB4A708F00092EF59997240EBB5AA58CB52

Function 016A8A30 Relevance: 1.7, APIs: 1, Instructions: 173COMMON

Download Yara Rule

APIs

Part of subcall function 016A82A0: GetFileAttributesW.KERNELBASE(?), ref: 016A82AB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 016A8BA7

Memory Dump Source

Source File: 00000000.00000002.2085188390.00000000016A7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016A7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a7000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 964537527d3a031fe91694378d905544a7ad57eb4da7d0c8b9d73401e783ea20
Instruction ID: 06b809ef23ce59bfe8db59306a0d1a9218798170ef28ac9242a3a53230a107e3
Opcode Fuzzy Hash: 964537527d3a031fe91694378d905544a7ad57eb4da7d0c8b9d73401e783ea20
Instruction Fuzzy Hash: ED617331A1020996EF14EFB0DD44BEF737AEF58700F404569A60DEB290EB759E44CB69

Function 002BFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 002BFD1F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 5d0576998cf867ed8e68166349af567b8ebc3160acb26cc6d6076848f6b754d9
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: A6310C75A1010ADBC758CF59D980AA9FBA1FF49340B2486A6E805CF656D731EDD1CBC0

Function 002A4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002A4EDD,?,00371418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002A4E9C
Part of subcall function 002A4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002A4EAE
Part of subcall function 002A4E90: FreeLibrary.KERNEL32(00000000,?,?,002A4EDD,?,00371418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002A4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00371418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002A4EFD

Part of subcall function 002A4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002E3CDE,?,00371418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002A4E62
Part of subcall function 002A4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002A4E74
Part of subcall function 002A4E59: FreeLibrary.KERNEL32(00000000,?,?,002E3CDE,?,00371418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002A4E87

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 8bb9150c6d5e1455e726475f150e85571d96ca0c8c1bba2a6608906d5c8ef628
Instruction ID: 22957edfa30e473dfa3040523e329130c9b114d68606e1f85eb70aa55abd654b
Opcode Fuzzy Hash: 8bb9150c6d5e1455e726475f150e85571d96ca0c8c1bba2a6608906d5c8ef628
Instruction Fuzzy Hash: 15110432630205ABCF14FF60D902FAE77A49F85710F20442EF452E61C1DEB4EA249B50

Function 002D8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 002D8440

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 918c06c4eff1b174140208843d32c4fa15e7fcdbddbda108a54931218ec9d8e9
Instruction ID: 0d27739fcf1bbc47904dc92e7f9cb5c67ffc85676c8de180d42605dd82af65fd
Opcode Fuzzy Hash: 918c06c4eff1b174140208843d32c4fa15e7fcdbddbda108a54931218ec9d8e9
Instruction Fuzzy Hash: F711187590410AAFCB15DF58E941A9A7BF9EF48314F10405AF808AB312DB71EE21CBA5

Function 002CE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: d20db84afd9a81295b00d194be1f6bcb9c7efc6285946fcebf272fc200191ed7
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C8F0F432531A10D7DA313E798C05F5A339C9F62331F21072EF921922D2DB74E8258EA6

Function 002D3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00371444,?,002BFDF5,?,?,002AA976,00000010,00371440,002A13FC,?,002A13C6,?,002A1129), ref: 002D3852

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 65e40f8667eddf314c3014dccd6ba2e5a99c501ce2bc3c2df69f5eb3f38238d6
Instruction ID: 17986b393d9e3f28a700b058e27a1788a127ae2691e6e1af69a74a97e004d719
Opcode Fuzzy Hash: 65e40f8667eddf314c3014dccd6ba2e5a99c501ce2bc3c2df69f5eb3f38238d6
Instruction Fuzzy Hash: ACE0E53213022656E631AE66DC00F9B364AAB427B0F090127BC44D6690CB50DD21A6E3

Function 002A4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00371418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002A4F6D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8ebe38a10df33006b3bda8b8ddbbcba517d2001ca327a658138d9f99b7707380
Instruction ID: 0a49372dddbc30d0781a8090baf469ec6d771a965991e4bb3d5b29fa31c112e6
Opcode Fuzzy Hash: 8ebe38a10df33006b3bda8b8ddbbcba517d2001ca327a658138d9f99b7707380
Instruction Fuzzy Hash: C4F0A071025342CFCB34AF20D490812B7E4BF41319320997EE1DAC2A10CBB1D854DF00

Function 002A2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002A2DC4

Part of subcall function 002A6B57: _wcslen.LIBCMT ref: 002A6B6A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5064d16087923c648fbe1767292c7cb7b9c709fba531819addd900b76086dc08
Instruction ID: 003ccb559218bfb0d946227942a085ff7c33da76aad718c71f21ed9b90d95ffe
Opcode Fuzzy Hash: 5064d16087923c648fbe1767292c7cb7b9c709fba531819addd900b76086dc08
Instruction Fuzzy Hash: 72E0CD726002245BCB2192589C05FDA77DDDFC8790F040071FD09E7248DA74AD908A90

Function 00312693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 003126B5

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: c0358a616478cb69d03bb8f42ed1bb546fe0f75abb4954beaf8e9a96ec19808b
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: A0E04FB0609B005FDF3D5A28A851BF777E89F49300F01096EF69B82252E5B268958A4D

Function 002A2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002A3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002A3908

Part of subcall function 002AD730: GetInputState.USER32 ref: 002AD807

SetCurrentDirectoryW.KERNEL32(?), ref: 002A2B6B

Part of subcall function 002A30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 002A314E

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 861307b6ab4e48807d20e9dd54c54b0e392313acc816cd3388dae20c8d2f7b13
Instruction ID: eab626c9ea88b8aa9c1d1eb220c48a22de0361e20e20e8bdd2a18c40c02ede67
Opcode Fuzzy Hash: 861307b6ab4e48807d20e9dd54c54b0e392313acc816cd3388dae20c8d2f7b13
Instruction Fuzzy Hash: 2CE026223202040BC608FB39A85257DA35D8BD7351F40153EF04783162CE2845A94B11

Function 016A82A0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 016A82AB

Memory Dump Source

Source File: 00000000.00000002.2085188390.00000000016A7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016A7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a7000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 3ab215f41042bf3a26c335087584e1f01211cb46df3a895eee7280835be083bc
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 1DE08670505608DBDB14CAE88C046B973ACD704311F408A54E506C3281D630ED419A94

Function 002E039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,002E0704,?,?,00000000,?,002E0704,00000000,0000000C), ref: 002E03B7

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8fa8705b958cc55e5efcc4e03a18fa7f0fb86456b902838d3bc142294efc4ef4
Instruction ID: f84ccaf8948da8d82f2e731bbbc1eaf5f7799b3a427cd904429738367882781f
Opcode Fuzzy Hash: 8fa8705b958cc55e5efcc4e03a18fa7f0fb86456b902838d3bc142294efc4ef4
Instruction Fuzzy Hash: BBD06C3205010DBBDF028F84DD46EDA3BAAFB48714F014000BE1866020C732E821AB90

Function 016A8270 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 016A827B

Memory Dump Source

Source File: 00000000.00000002.2085188390.00000000016A7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016A7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a7000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: e14f119391e4762bf05dd319b871ad1e536dbd26e881df1a2fab5c72c9f0a539
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 54D0A73090520CEBCB10CFF89C049EA73ACE704321F008758FD15C3280D6319D409B90

Function 002A1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 002A1CBC

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b69f447ce5f5bbb2819158d5a5336ae7b84e6362c7c41a1f3f504949d00b0241
Instruction ID: ce4be620bca9bf99adf91fc7df387d62bb9c094ad7f38693ac3afbd807dc1ecf
Opcode Fuzzy Hash: b69f447ce5f5bbb2819158d5a5336ae7b84e6362c7c41a1f3f504949d00b0241
Instruction Fuzzy Hash: E7C09B37290304DFF2274795BC4AF11775CA349B10F044001F64D655E3C3A11450D750

Function 016A9C9C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016A9CB1

Memory Dump Source

Source File: 00000000.00000002.2085188390.00000000016A7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016A7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a7000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: fb74ed697040196426eaa5650df69d2c39d336b15fb2142b94b9ee689af190a5
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 35E0BF7498010EEFDB00EFA4DA496DE7FB4EF04301F1005A1FD05D7681DB309E548A62

Function 016A9CA0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016A9CB1

Memory Dump Source

Source File: 00000000.00000002.2085188390.00000000016A7000.00000040.00000020.00020000.00000000.sdmp, Offset: 016A7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a7000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: f54d3bb31af33e73e4a82fcc039ce54ab38d87b5c21bb76283fd7d81cd4120b7
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: D0E0E67498010EDFDB00EFB4DA4969E7FF4EF04301F100561FD01D2281D6309D508A62

Non-executed Functions

Function 00339576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 002B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002B9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0033961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0033965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0033969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003396C9
SendMessageW.USER32 ref: 003396F2
GetKeyState.USER32(00000011), ref: 0033978B
GetKeyState.USER32(00000009), ref: 00339798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003397AE
GetKeyState.USER32(00000010), ref: 003397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003397E9
SendMessageW.USER32 ref: 00339810
SendMessageW.USER32(?,00001030,?,00337E95), ref: 00339918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0033992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00339941
SetCapture.USER32(?), ref: 0033994A
ClientToScreen.USER32(?,?), ref: 003399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003399D6
ReleaseCapture.USER32 ref: 003399E1
GetCursorPos.USER32(?), ref: 00339A19
ScreenToClient.USER32(?,?), ref: 00339A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00339A80
SendMessageW.USER32 ref: 00339AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00339AEB
SendMessageW.USER32 ref: 00339B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00339B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00339B4A
GetCursorPos.USER32(?), ref: 00339B68
ScreenToClient.USER32(?,?), ref: 00339B75
GetParent.USER32(?), ref: 00339B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00339BFA
SendMessageW.USER32 ref: 00339C2B
ClientToScreen.USER32(?,?), ref: 00339C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00339CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00339CDE
SendMessageW.USER32 ref: 00339D01
ClientToScreen.USER32(?,?), ref: 00339D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00339D82

Part of subcall function 002B9944: GetWindowLongW.USER32(?,000000EB), ref: 002B9952

GetWindowLongW.USER32(?,000000F0), ref: 00339E05

Strings

F, xrefs: 00339D07
p#7, xrefs: 00339990
@GUI_DRAGID, xrefs: 0033997D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#7
API String ID: 3429851547-1404313730
Opcode ID: 0592632d9f7951cc4cec8a744cc0a3791145382ce3da1b1fdf0262f6174289ac
Instruction ID: dd04cbaba25f53b6bf48f3eb4f218a5fa7b1203898c543c22619dd0d129f8326
Opcode Fuzzy Hash: 0592632d9f7951cc4cec8a744cc0a3791145382ce3da1b1fdf0262f6174289ac
Instruction Fuzzy Hash: 6E429D35205201EFD726CF28CC85BAABBE9FF49320F15061AF699972A1D7B1D860CF51

Function 00334873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00334908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00334927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0033494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0033495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0033497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00334A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00334A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00334A7E
IsMenu.USER32(?), ref: 00334A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00334AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00334B20
GetWindowLongW.USER32(?,000000F0), ref: 00334B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00334BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00334C82
wsprintfW.USER32 ref: 00334CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00334CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00334CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00334D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00334D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00334D5A

Strings

%d/%02d/%02d, xrefs: 00334CA8

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 6bf94d29635f972b55615789f34e4fa122ddb75dd8789d4b568883a8eefc9e26
Instruction ID: c1edc58ec633de067930337126399a6050e293aba9e6e091fa286e2d82494b6c
Opcode Fuzzy Hash: 6bf94d29635f972b55615789f34e4fa122ddb75dd8789d4b568883a8eefc9e26
Instruction Fuzzy Hash: 5912F271610214ABEB268F28CD89FAEBBF8EF45350F144129F915EB2E1DB74A941CF50

Function 002BF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 002BF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002FF474
IsIconic.USER32(00000000), ref: 002FF47D
ShowWindow.USER32(00000000,00000009), ref: 002FF48A
SetForegroundWindow.USER32(00000000), ref: 002FF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002FF4AA
GetCurrentThreadId.KERNEL32 ref: 002FF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002FF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 002FF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 002FF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 002FF4DE
SetForegroundWindow.USER32(00000000), ref: 002FF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 002FF4F6
keybd_event.USER32(00000012,00000000), ref: 002FF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 002FF50B
keybd_event.USER32(00000012,00000000), ref: 002FF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 002FF519
keybd_event.USER32(00000012,00000000), ref: 002FF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 002FF528
keybd_event.USER32(00000012,00000000), ref: 002FF52D
SetForegroundWindow.USER32(00000000), ref: 002FF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 002FF557

Strings

Shell_TrayWnd, xrefs: 002FF46F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a112db316f8a8e51f96d6cc5dfbbb29f5c25bbf159e1f386c4146a17c769788f
Instruction ID: fda71a88b81c46660ea89f9421ee8d40fd2833def262f97c7c9e1ffb8fc3698d
Opcode Fuzzy Hash: a112db316f8a8e51f96d6cc5dfbbb29f5c25bbf159e1f386c4146a17c769788f
Instruction Fuzzy Hash: B2315071A6021CBAEB216BB55D8AFBF7E6CEB44B50F101025FB00F61D1C6B19910AB60

Function 00301201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 003016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030170D
Part of subcall function 003016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0030173A
Part of subcall function 003016C3: GetLastError.KERNEL32 ref: 0030174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00301286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003012A8
CloseHandle.KERNEL32(?), ref: 003012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003012D1
GetProcessWindowStation.USER32 ref: 003012EA
SetProcessWindowStation.USER32(00000000), ref: 003012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00301310

Part of subcall function 003010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003011FC), ref: 003010D4
Part of subcall function 003010BF: CloseHandle.KERNEL32(?,?,003011FC), ref: 003010E9

Strings

default, xrefs: 0030130B
Z6, xrefs: 00301392
winsta0, xrefs: 003012CC
, xrefs: 0030125A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z6
API String ID: 22674027-1014006277
Opcode ID: 5865e190b0e4efeae3a25e4c1fe8a738badd2d4b796edfc9174cd84d1c2ea8ee
Instruction ID: 00d005005e75dd2d1f3fcf45990b68fb439710e6665e6587de8648290178797a
Opcode Fuzzy Hash: 5865e190b0e4efeae3a25e4c1fe8a738badd2d4b796edfc9174cd84d1c2ea8ee
Instruction Fuzzy Hash: 4F81AA71911209AFDF229FA5DC99FEE7BBDEF04704F184129F910B62A0C7758A54DB20

Function 00300B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00301114
Part of subcall function 003010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00300B9B,?,?,?), ref: 00301120
Part of subcall function 003010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00300B9B,?,?,?), ref: 0030112F
Part of subcall function 003010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00300B9B,?,?,?), ref: 00301136
Part of subcall function 003010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0030114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00300BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00300C00
GetLengthSid.ADVAPI32(?), ref: 00300C17
GetAce.ADVAPI32(?,00000000,?), ref: 00300C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00300C6D
GetLengthSid.ADVAPI32(?), ref: 00300C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00300C8C
HeapAlloc.KERNEL32(00000000), ref: 00300C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00300CB4
CopySid.ADVAPI32(00000000), ref: 00300CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00300CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00300D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00300D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00300D45
HeapFree.KERNEL32(00000000), ref: 00300D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00300D55
HeapFree.KERNEL32(00000000), ref: 00300D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00300D65
HeapFree.KERNEL32(00000000), ref: 00300D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00300D78
HeapFree.KERNEL32(00000000), ref: 00300D7F

Part of subcall function 00301193: GetProcessHeap.KERNEL32(00000008,00300BB1,?,00000000,?,00300BB1,?), ref: 003011A1
Part of subcall function 00301193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00300BB1,?), ref: 003011A8
Part of subcall function 00301193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00300BB1,?), ref: 003011B7

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2b1a1963cb072f309f95bacb777c1cf35c3c96b4323c6bf024934260dda391ae
Instruction ID: b0dd5599357128a6143f62c44bf466dbfaa811553f1224755238a5c99adaf7ca
Opcode Fuzzy Hash: 2b1a1963cb072f309f95bacb777c1cf35c3c96b4323c6bf024934260dda391ae
Instruction Fuzzy Hash: 7C71577290120AABDF16DFA4DC88BAEBBBCBF04300F054615F915B6291D771AA05CBB0

Function 0031EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0033CC08), ref: 0031EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0031EB37
GetClipboardData.USER32(0000000D), ref: 0031EB43
CloseClipboard.USER32 ref: 0031EB4F
GlobalLock.KERNEL32(00000000), ref: 0031EB87
CloseClipboard.USER32 ref: 0031EB91
GlobalUnlock.KERNEL32(00000000), ref: 0031EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0031EBC9
GetClipboardData.USER32(00000001), ref: 0031EBD1
GlobalLock.KERNEL32(00000000), ref: 0031EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0031EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0031EC38
GetClipboardData.USER32(0000000F), ref: 0031EC44
GlobalLock.KERNEL32(00000000), ref: 0031EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0031EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0031EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0031ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0031ECF3
CountClipboardFormats.USER32 ref: 0031ED14
CloseClipboard.USER32 ref: 0031ED59

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 634845794a6a347a1807d782f45aa23eb2302762669d56037a3013677f0d8c24
Instruction ID: 6cb100d8af2e8c2f240ae01a6d18172bdac58d1ecc261e80d781e8e698a4e4b2
Opcode Fuzzy Hash: 634845794a6a347a1807d782f45aa23eb2302762669d56037a3013677f0d8c24
Instruction Fuzzy Hash: 386105352083019FD306EF24D899F6A77A8AF89704F08541DF856E72A1CF32DD85CB62

Function 0031698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003169BE
FindClose.KERNEL32(00000000), ref: 00316A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00316A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00316A75

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00316AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00316ADF

Strings

%4d, xrefs: 00316BB1
%02d, xrefs: 00316C00, 00316C0A, 00316C5A, 00316CAA, 00316CFA, 00316D4A
%03d, xrefs: 00316DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00316B32
%4d%02d%02d%02d%02d%02d, xrefs: 00316B6A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 16d2733938ac0b415adca2a810d60eb1858213d3089ed4870812142269cccd50
Instruction ID: dc8a3dc818ec88f08ede2eff64d10c9202d8574bf22f3591e425e67e3613f4e8
Opcode Fuzzy Hash: 16d2733938ac0b415adca2a810d60eb1858213d3089ed4870812142269cccd50
Instruction Fuzzy Hash: C8D17EB2518300AFC714EBA4CD86EABB7ECAF89704F04491EF585D7191EB34DA54CB62

Function 00319642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00319663
GetFileAttributesW.KERNEL32(?), ref: 003196A1
SetFileAttributesW.KERNEL32(?,?), ref: 003196BB
FindNextFileW.KERNEL32(00000000,?), ref: 003196D3
FindClose.KERNEL32(00000000), ref: 003196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 003196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0031974A
SetCurrentDirectoryW.KERNEL32(00366B7C), ref: 00319768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00319772
FindClose.KERNEL32(00000000), ref: 0031977F
FindClose.KERNEL32(00000000), ref: 0031978F

Strings

*.*, xrefs: 003196F5

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: ad9b4e27c7215a76638d5bdbcd7d72bb6ae9b6a85f6567a1e0d9051813c41f2f
Instruction ID: 1c7ae7516a3ce7cca8526f0fb681b2fd7057fcbadfde654ed2038a68f76b9788
Opcode Fuzzy Hash: ad9b4e27c7215a76638d5bdbcd7d72bb6ae9b6a85f6567a1e0d9051813c41f2f
Instruction Fuzzy Hash: AB31C032510219AADF1AAFB5DC59BDE77ACAF09320F104556F805E31E0DB34DE808B20

Function 0031979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 003197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00319819
FindClose.KERNEL32(00000000), ref: 00319824
FindFirstFileW.KERNEL32(*.*,?), ref: 00319840
SetCurrentDirectoryW.KERNEL32(?), ref: 00319890
SetCurrentDirectoryW.KERNEL32(00366B7C), ref: 003198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 003198B8
FindClose.KERNEL32(00000000), ref: 003198C5
FindClose.KERNEL32(00000000), ref: 003198D5

Part of subcall function 0030DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0030DB00

Strings

*.*, xrefs: 0031983B

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 9ee1ade586e82015eed8d53a2ee271c01b97e3328db0a189cf47ec963ce12dfa
Instruction ID: a327e5773c86a0e959a65de816e0f110cbc9ca62b37f5caced4e7171b9655bea
Opcode Fuzzy Hash: 9ee1ade586e82015eed8d53a2ee271c01b97e3328db0a189cf47ec963ce12dfa
Instruction Fuzzy Hash: 4331A3325006196EDF16AFB4DC59BDE77ACAF0A320F154166E814E3190DB34D9C5CB60

Function 00318195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00318257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00318267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00318273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00318310
SetCurrentDirectoryW.KERNEL32(?), ref: 00318324
SetCurrentDirectoryW.KERNEL32(?), ref: 00318356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0031838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00318395

Strings

*.*, xrefs: 0031839B

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: a73dc44aef5c2dde0ab54da251e0398f101c28b0342ba5b808147775fcc945e9
Instruction ID: dbcd3e633adaacb8b4ff8544415759d2e351a85ebe4cc6a0046103272eecba90
Opcode Fuzzy Hash: a73dc44aef5c2dde0ab54da251e0398f101c28b0342ba5b808147775fcc945e9
Instruction Fuzzy Hash: 6D6176765182059FCB15EF60C8809AEB3E8FF89310F048D2EF99997251DB31E985CF92

Function 0030D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002A3A97,?,?,002A2E7F,?,?,?,00000000), ref: 002A3AC2

Part of subcall function 0030E199: GetFileAttributesW.KERNEL32(?,0030CF95), ref: 0030E19A

FindFirstFileW.KERNEL32(?,?), ref: 0030D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0030D1DD
MoveFileW.KERNEL32(?,?), ref: 0030D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0030D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0030D237

Part of subcall function 0030D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0030D21C,?,?), ref: 0030D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0030D253
FindClose.KERNEL32(00000000), ref: 0030D264

Strings

\*.*, xrefs: 0030D0CD, 0030D0D6, 0030D0EB

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: c688a217df169367ea52b3b249bfae40a59ee83da05dbca62f37d80bbe0d4639
Instruction ID: 02e060a7db6d636925ad0a83297b1e14ba3bdc5a3bedeb3c0f111ad0b716f12d
Opcode Fuzzy Hash: c688a217df169367ea52b3b249bfae40a59ee83da05dbca62f37d80bbe0d4639
Instruction Fuzzy Hash: 02614B318021199FCF06EBE0D9A29EEB7B9AF15300F204565E40277191EF349F49CB60

Function 0031ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0031ED91
EmptyClipboard.USER32 ref: 0031ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0031EDAC
CloseClipboard.USER32 ref: 0031EEA3

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 777240e92a2d7c9281bc8d74bbc2222d9cce62c98b0446d2702f7903d67817ac
Instruction ID: 5262a9418718d269bcbae3f3595bb8fe19552f652476bcb1cb17430814876206
Opcode Fuzzy Hash: 777240e92a2d7c9281bc8d74bbc2222d9cce62c98b0446d2702f7903d67817ac
Instruction Fuzzy Hash: 9841F2352146119FE726CF15E888F5ABBE8FF48318F15C099E8199B672C732EC81CB90

Function 0030E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030170D
Part of subcall function 003016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0030173A
Part of subcall function 003016C3: GetLastError.KERNEL32 ref: 0030174A

ExitWindowsEx.USER32(?,00000000), ref: 0030E932

Strings

, xrefs: 0030E95C
SeShutdownPrivilege, xrefs: 0030E902
, xrefs: 0030E920
@, xrefs: 0030E925

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: c12f179a14500ae2e5d14319a263114bd49e047b8a32ad2178671ffc9e156103
Instruction ID: 72e277653a80f6f0e3ee1562bf0cefdc352f4ed244817c1dd7fc7007e2034d65
Opcode Fuzzy Hash: c12f179a14500ae2e5d14319a263114bd49e047b8a32ad2178671ffc9e156103
Instruction Fuzzy Hash: 5A014933722311ABEB5622B49CE6FBF725CA704741F154D21FC13F21D1D7A95C408290

Function 00321204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00321276
WSAGetLastError.WSOCK32 ref: 00321283
bind.WSOCK32(00000000,?,00000010), ref: 003212BA
WSAGetLastError.WSOCK32 ref: 003212C5
closesocket.WSOCK32(00000000), ref: 003212F4
listen.WSOCK32(00000000,00000005), ref: 00321303
WSAGetLastError.WSOCK32 ref: 0032130D
closesocket.WSOCK32(00000000), ref: 0032133C

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: bc2fc90538ae1ee9f82f12682facc41a2fdfdfcd7a1244972a52542324221a8d
Instruction ID: 2aeeff74fcfc3cf612c563faa679228c34afc6f209d9046ef055442ece46e9c5
Opcode Fuzzy Hash: bc2fc90538ae1ee9f82f12682facc41a2fdfdfcd7a1244972a52542324221a8d
Instruction Fuzzy Hash: 8D41B131A00210DFD711DF24D5C8B2ABBE6AF56318F198488E8569F2A6C771ED81CBE0

Function 002DB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002DB9D4
_free.LIBCMT ref: 002DB9F8
_free.LIBCMT ref: 002DBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00343700), ref: 002DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0037121C,000000FF,00000000,0000003F,00000000,?,?), ref: 002DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00371270,000000FF,?,0000003F,00000000,?), ref: 002DBC36
_free.LIBCMT ref: 002DBD4B

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 74e414e357bf86a2c1d3b33ab403330b1061cfe55d8492d9ae8fccce09a08d1f
Instruction ID: 871a96d7fd69868339b44b36ebdb0c40cf83f203e93ebca3eb7240a46e26f5b6
Opcode Fuzzy Hash: 74e414e357bf86a2c1d3b33ab403330b1061cfe55d8492d9ae8fccce09a08d1f
Instruction Fuzzy Hash: 89C13772924246EFCB229F78CC61BAA7BB8EF41310F15419BE494D7352EB309E619B50

Function 0030D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002A3A97,?,?,002A2E7F,?,?,?,00000000), ref: 002A3AC2

Part of subcall function 0030E199: GetFileAttributesW.KERNEL32(?,0030CF95), ref: 0030E19A

FindFirstFileW.KERNEL32(?,?), ref: 0030D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0030D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0030D481
FindClose.KERNEL32(00000000), ref: 0030D498
FindClose.KERNEL32(00000000), ref: 0030D4A1

Strings

\*.*, xrefs: 0030D3F2

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: a4d7eba38819176303a26fbb78b40d4dd2e6e0ce0cf00bd56002498899ee646b
Instruction ID: 873e84adb1bdadffd09881e2e95987591ae1983fcccf12ae79fc4ef61f403f09
Opcode Fuzzy Hash: a4d7eba38819176303a26fbb78b40d4dd2e6e0ce0cf00bd56002498899ee646b
Instruction Fuzzy Hash: C63180310293519FC706EF65D8A28AFB7E8AE92310F444E1DF4D193191EF34AA19CB63

Function 002DE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002DE645

Strings

1#QNAN, xrefs: 002DF84B
1#INF, xrefs: 002DF852
1#SNAN, xrefs: 002DF844
1#IND, xrefs: 002DF83D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 86165e19cb44b7d131f884edc3d7faec301e1282dc2b07566b122cac45b317e3
Instruction ID: 8e3987ed0b7a65d84fd86a52ecfebcb32d5328f2c97cbd29c378f85fae35d916
Opcode Fuzzy Hash: 86165e19cb44b7d131f884edc3d7faec301e1282dc2b07566b122cac45b317e3
Instruction Fuzzy Hash: A0C25971E286298FDF65DE289D407EAB7B9EB44304F1541EBD80EE7240E774AE918F40

Function 0031648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003164DC
CoInitialize.OLE32(00000000), ref: 00316639
CoCreateInstance.OLE32(0033FCF8,00000000,00000001,0033FB68,?), ref: 00316650
CoUninitialize.OLE32 ref: 003168D4

Strings

.lnk, xrefs: 003164BA, 00316524, 003165E0

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 640cee05681ac6f11c04c9124ee6885954bb0e87bc1899be161afca6a114d832
Instruction ID: 54484af9a0eabb956fe11329b8d28ca188fcaae787e6be3cbb15fcaf4693411f
Opcode Fuzzy Hash: 640cee05681ac6f11c04c9124ee6885954bb0e87bc1899be161afca6a114d832
Instruction Fuzzy Hash: 08D15971518201AFC305EF64C881EABB7E9FF99704F10896DF5958B2A1EB30ED45CB92

Function 003222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 003222E8

Part of subcall function 0031E4EC: GetWindowRect.USER32(?,?), ref: 0031E504

GetDesktopWindow.USER32 ref: 00322312
GetWindowRect.USER32(00000000), ref: 00322319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00322355
GetCursorPos.USER32(?), ref: 00322381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003223DF

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 0e6377804099eea6e6bf9544da6fbb8d399ac73256c18a6430f42ebffb65afec
Instruction ID: 62e3ae3def1faa91f53ae32e26c026ace5c58453d08e0e6afd944bc9d0576a63
Opcode Fuzzy Hash: 0e6377804099eea6e6bf9544da6fbb8d399ac73256c18a6430f42ebffb65afec
Instruction Fuzzy Hash: EA31E276505315AFD722DF15DC45B9BB7ADFF88310F000A19F985A7191DB34E908CB92

Function 00319B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00319B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00319C8B

Part of subcall function 00313874: GetInputState.USER32 ref: 003138CB
Part of subcall function 00313874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00313966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00319BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00319C75

Strings

*.*, xrefs: 00319B5D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 2c09fc3f52e5b691d104ce0d664d606c28ae4cc02c2a36df05d4a59d074a19b2
Instruction ID: 7b2660047b61e2e1a1ed04a26e1b71537f8a4ca0396a4e8be3296bd0a29373ac
Opcode Fuzzy Hash: 2c09fc3f52e5b691d104ce0d664d606c28ae4cc02c2a36df05d4a59d074a19b2
Instruction Fuzzy Hash: 284151719042199FCF1ADF64C895BEE7BB8EF09310F144156E845A3291DB309E94CFA1

Function 002B997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 002B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002B9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 002B9A4E
GetSysColor.USER32(0000000F), ref: 002B9B23
SetBkColor.GDI32(?,00000000), ref: 002B9B36

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 689dcf84557b1be83d1822430288eab38a2d18def190a0affe8dc107fa5dbfd2
Instruction ID: 60048b626aa9f42dc3d85ebba9d761ebfa6f6af5e0499625cb105765dc945b5d
Opcode Fuzzy Hash: 689dcf84557b1be83d1822430288eab38a2d18def190a0affe8dc107fa5dbfd2
Instruction Fuzzy Hash: 19A12871138409BEE739AE3C8C89EFB765DDB423C0F140129F712CA692CA659DB1D272

Function 00321806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0032304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0032307A
Part of subcall function 0032304E: _wcslen.LIBCMT ref: 0032309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0032185D
WSAGetLastError.WSOCK32 ref: 00321884
bind.WSOCK32(00000000,?,00000010), ref: 003218DB
WSAGetLastError.WSOCK32 ref: 003218E6
closesocket.WSOCK32(00000000), ref: 00321915

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: e8d96749cb788c11469caebd77e8e10091ba29dd945dedbd08d00083e1dd408c
Instruction ID: 2a332e97f99bea91226bb6d282981179e3c9951337f71c481a03926aae3bd078
Opcode Fuzzy Hash: e8d96749cb788c11469caebd77e8e10091ba29dd945dedbd08d00083e1dd408c
Instruction Fuzzy Hash: A551C571A10210AFDB11AF24D8C6F6A77E5AB45718F588058F905AF3D3CB71ED41CBA1

Function 00331C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00331CC0
IsWindowEnabled.USER32 ref: 00331CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00331CDB
IsIconic.USER32 ref: 00331CE9
IsZoomed.USER32 ref: 00331CF7

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d7d45343de21c0cb4c90cfda76e470560cd054546769f4b22fc632b4f36f2f90
Instruction ID: 8608971c693e2d09faa95b9f12c9c7711122c67c018aabb6575228a7a136272c
Opcode Fuzzy Hash: d7d45343de21c0cb4c90cfda76e470560cd054546769f4b22fc632b4f36f2f90
Instruction Fuzzy Hash: 6E21B5317402105FD7228F2AC8D4B6A7BE9EF85315F19A068E846DB351CB71DC42CB90

Function 002A8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 002E5DF0
VUUU, xrefs: 002A83E8
VUUU, xrefs: 002A843C
ERCP, xrefs: 002A813C
VUUU, xrefs: 002A83FA

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 26c595a20dccf585b6c502054eaaa9e7975ef6d294a50145d78f3573685bd1af
Instruction ID: d7432ee0cf7bae7fc02906e392540ed1e9b6464aba01b926b755793e8ecc0437
Opcode Fuzzy Hash: 26c595a20dccf585b6c502054eaaa9e7975ef6d294a50145d78f3573685bd1af
Instruction Fuzzy Hash: 34A2F370E2026ACBDF24CF59C8447AEB7B1FF55314F6481AAE815A7280EB709DA1CF50

Function 00308298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003082AA

Strings

|, xrefs: 003082DA
(, xrefs: 003082F0
tb6, xrefs: 003084F4

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: lstrlen
String ID: ($tb6$|
API String ID: 1659193697-3905147825
Opcode ID: 06c8c27a68f999bc96bcc2339fee57f3720a99dab84c029e21eeeb91679a71d4
Instruction ID: efd75a8bed0dee9512229bdfc6a82e675f23afbc562bb08569edd35921c83639
Opcode Fuzzy Hash: 06c8c27a68f999bc96bcc2339fee57f3720a99dab84c029e21eeeb91679a71d4
Instruction Fuzzy Hash: 4E325578A017059FCB29CF19C491A6AB7F0FF48710B15C4AEE49ADB7A1EB70E941CB40

Function 0032A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0032A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0032A6BA

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0032A79C
CloseHandle.KERNEL32(00000000), ref: 0032A7AB

Part of subcall function 002BCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,002E3303,?), ref: 002BCE8A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: cc31130008f34a05ec1ce9cc8040f1006cf1b5c2eb776ceed2bc290bf98a5e34
Instruction ID: 259fe5ef684556e0b9e55b05982630ee91ab1eb1080bb1f35ff624d798d65c6b
Opcode Fuzzy Hash: cc31130008f34a05ec1ce9cc8040f1006cf1b5c2eb776ceed2bc290bf98a5e34
Instruction Fuzzy Hash: 65516C71518310AFD711EF24D886A6BBBE8FF89754F00892DF58997252EB30E914CF92

Function 0030AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0030AAAC
SetKeyboardState.USER32(00000080), ref: 0030AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0030AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0030AB88

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: df5e5724f6cb9bf1e46cc5751221f71e52b8b838e5b3c0c2ff26c0791fddb098
Instruction ID: f3e7e2821c677bbea43fdf459e88e03c62aee77626b5781fe281a1925707ef55
Opcode Fuzzy Hash: df5e5724f6cb9bf1e46cc5751221f71e52b8b838e5b3c0c2ff26c0791fddb098
Instruction Fuzzy Hash: D5313D31A42B08AFFF37CB68EC25BFA77AAAB44310F04421AF081561D1D374C981C756

Function 0031CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0031CE89
GetLastError.KERNEL32(?,00000000), ref: 0031CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0031CEFE

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 146b0ef1cedb4c1c0ededeb3174155feac73433148593c710c462ef23eabb042
Instruction ID: 5a7ba573a141536c537be626a57acdbe8ac89de186a0cf355eac9aec922ef576
Opcode Fuzzy Hash: 146b0ef1cedb4c1c0ededeb3174155feac73433148593c710c462ef23eabb042
Instruction Fuzzy Hash: AE21EDB1560305ABDB22CFA5C989BA7B7FCEB04355F10541EE542E2151E734EE858BA0

Function 00315C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00315CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00315D17
FindClose.KERNEL32(?), ref: 00315D5F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 80a31addac13c7cff5936f82f185f75e0dda0f0444d59b7f8059b6da69f006e3
Instruction ID: 35085ffa56925e38be2b33c7def2d6d281e548bfd0b746bcf5701ed7f9bc69c5
Opcode Fuzzy Hash: 80a31addac13c7cff5936f82f185f75e0dda0f0444d59b7f8059b6da69f006e3
Instruction Fuzzy Hash: 3F519934604601DFC719DF28D494A96B7E4FF4A314F14855EE95A8B3A1CB30E994CF91

Function 002D2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 002D271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002D2724
UnhandledExceptionFilter.KERNEL32(?), ref: 002D2731

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 35c7619ca0858d2de698d58491d91d3395fd5b0f2f8afa74439de6d84694beca
Instruction ID: c96fd36f62486bfc0397b75708d0ad3cb4f5cd936def6fcec19233f562738f9c
Opcode Fuzzy Hash: 35c7619ca0858d2de698d58491d91d3395fd5b0f2f8afa74439de6d84694beca
Instruction Fuzzy Hash: 8B31D77591121CEBCB21DF64DC88B9DBBB8AF18310F5042DAE41CA7261EB349F958F44

Function 003151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00315238
SetErrorMode.KERNEL32(00000000), ref: 003152A1

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9a4748f0bd9f9592f91b9e0537cf74033f71a1a8e96f3054f70ed6bfae56b338
Instruction ID: 754a3931152e8c9ccc6d00cc33a8d6cd907c7a86d94dfbf3cbffebd4e708fe8c
Opcode Fuzzy Hash: 9a4748f0bd9f9592f91b9e0537cf74033f71a1a8e96f3054f70ed6bfae56b338
Instruction Fuzzy Hash: DB317A35A10518DFDB01DF94D884EADBBB8FF49314F088499E805AB3A2CB31E856CB90

Function 003016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 002BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 002C0668
Part of subcall function 002BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 002C0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0030173A
GetLastError.KERNEL32 ref: 0030174A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 08a1d6673ac37b79102f3be2fc3c8cc385adc95a0b9a6e8e8209332c7faef4e0
Instruction ID: f20149dfc868c111ac5d918be79285a640cb25e50e19ac02e8211292a8aa3e3a
Opcode Fuzzy Hash: 08a1d6673ac37b79102f3be2fc3c8cc385adc95a0b9a6e8e8209332c7faef4e0
Instruction Fuzzy Hash: A811BCB2420209AFD718AF54DCC6DAAB7BDEB04B54B20852EE05652281EB70FC418B20

Function 0030D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0030D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0030D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0030D650

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 58bce154b6490f521e116c0d69fbf0bdbf8efbd65b2134690c2e9a37413fc9c1
Instruction ID: 9ab543e42d5a963170c90b36049ae1aba538fc046fd6f252b95902492dc2957c
Opcode Fuzzy Hash: 58bce154b6490f521e116c0d69fbf0bdbf8efbd65b2134690c2e9a37413fc9c1
Instruction Fuzzy Hash: 52115E75E05228BFDB118F95DC85FAFBBBCEB45B60F108115F904F7290D6704A058BA1

Function 00301663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0030168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003016A1
FreeSid.ADVAPI32(?), ref: 003016B1

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 9bf47147d91a8164b20fed856e010e47cc67c497ce7c051dd343b4cbc73fd4d6
Instruction ID: 04e023518ced7c40bb4c17c33d5faf048c97fa4873f50f24cd6ae09e932f7899
Opcode Fuzzy Hash: 9bf47147d91a8164b20fed856e010e47cc67c497ce7c051dd343b4cbc73fd4d6
Instruction Fuzzy Hash: 8CF0F47195030DFBDB01DFE49D89AAEBBBCEB08704F504565E901E2181E774EA448B50

Function 002C4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(002D28E9,?,002C4CBE,002D28E9,003688B8,0000000C,002C4E15,002D28E9,00000002,00000000,?,002D28E9), ref: 002C4D09
TerminateProcess.KERNEL32(00000000,?,002C4CBE,002D28E9,003688B8,0000000C,002C4E15,002D28E9,00000002,00000000,?,002D28E9), ref: 002C4D10
ExitProcess.KERNEL32 ref: 002C4D22

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 69e3bb74eb3063d3b572284413aedb986a283ed82619e9d4d9add42611eb70da
Instruction ID: 404153c09f4963fae473e030813f183e6744a29b3c4db1f6cf210ea589141f6b
Opcode Fuzzy Hash: 69e3bb74eb3063d3b572284413aedb986a283ed82619e9d4d9add42611eb70da
Instruction Fuzzy Hash: 38E0B631420148ABCF12BF64DD5AF993B6DEB457A1F104518FC069A232CB39DD62DB80

Function 002DC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 002DC36C

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 5148e036de1cbf4635f55ee4b387e104af8049665146eb4dd2b6a596a0bc3ca9
Instruction ID: f9e68d82117c66f24a04cccbbc2c1c579b623aed02bbfe388bae3ea6377f6588
Opcode Fuzzy Hash: 5148e036de1cbf4635f55ee4b387e104af8049665146eb4dd2b6a596a0bc3ca9
Instruction Fuzzy Hash: 09413B7691021AAFCB24DFB9CC4DEBB7778EB84314F2042AAF905D7280E6709D51CB50

Function 002FD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 002FD28C

Strings

X64, xrefs: 002FD2A8

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 70304b79c85936a4677e0b09f7b6c204c9bf6f878c35d4cb82d5a8208d4bc1c5
Instruction ID: c681cf2f86bc7ede12d943f08eccc8c63bbcda5cf1a2c2a322cc53ea52837369
Opcode Fuzzy Hash: 70304b79c85936a4677e0b09f7b6c204c9bf6f878c35d4cb82d5a8208d4bc1c5
Instruction Fuzzy Hash: 28D0C9B482511DEBCB94DB90DCC8DD9B37CBB04345F104551F506A2000D77095488F10

Function 002CCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: f2e75584364e035940988987f1c7dd446e7548d9906605e1194af912e0f373b5
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: D3021D71E102199BDF14CFA9C880BADBBF5EF48314F25426ED819E7384D731AE518B94

Function 002ACAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#7, xrefs: 002ACF7F
Variable is not of type 'Object'., xrefs: 002F0C40

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#7
API String ID: 0-3916304930
Opcode ID: 2735ecd08926aec3f391f0ed3c6c35285ee8fb931c0e06ee2602fbfceaac61bf
Instruction ID: a2e2af1ee0215edfddfb269a1e2cf0036386460ff8ac5121234e3b53ffbe1066
Opcode Fuzzy Hash: 2735ecd08926aec3f391f0ed3c6c35285ee8fb931c0e06ee2602fbfceaac61bf
Instruction Fuzzy Hash: B6328C70920219DFDF14DF90C980AFDB7B5BF06344F24406AE906AB292DB75AE65CF60

Function 003168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00316918
FindClose.KERNEL32(00000000), ref: 00316961

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ae9283d301e8d58d945736d40edff7740b6dac3e42eed49474b2858948d65084
Instruction ID: f03bbd350404daebde747466d744ab670c293d2aa7581dd3f640f36ebd192c28
Opcode Fuzzy Hash: ae9283d301e8d58d945736d40edff7740b6dac3e42eed49474b2858948d65084
Instruction Fuzzy Hash: F111D0316142109FC714DF69C885A16BBE4FF89328F15C699E8698F6A2CB34EC45CB90

Function 003137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00324891,?,?,00000035,?), ref: 003137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00324891,?,?,00000035,?), ref: 003137F4

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e3da3218880b871244ad82eab1ea40bb3f7ff5cf0559293677e550889761df4d
Instruction ID: 425fc9d21362438555799ccaa00fc1d373adb802dd0b3b78ff536a2fbaa37929
Opcode Fuzzy Hash: e3da3218880b871244ad82eab1ea40bb3f7ff5cf0559293677e550889761df4d
Instruction Fuzzy Hash: 63F0E5B16153282AEB2117668C8DFEB3AAEEFC9771F000175F509E22C1D9609D44CBB0

Function 0030B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0030B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0030B270

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: c89cf89b6baf61eeab3cc35297c03ab32e42eb7d0249fdf278f99b6f26755115
Instruction ID: 1f64c9c5a747a38e2516f38d5243a34a857535ea6c54e8c82c2fbef29930c597
Opcode Fuzzy Hash: c89cf89b6baf61eeab3cc35297c03ab32e42eb7d0249fdf278f99b6f26755115
Instruction Fuzzy Hash: 3BF01D7181424DABDB069FA1C805BAEBBB8FF04305F009409F955A5192C37986119F94

Function 003010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003011FC), ref: 003010D4
CloseHandle.KERNEL32(?,?,003011FC), ref: 003010E9

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2a97b463817c591d16a8796dce7d55cd22b4385986b87b257e78662ef9f70187
Instruction ID: 4f2f11a0da5daf7682d01ea10f51413ac261ed488a29787eb3f7533dd1cf8851
Opcode Fuzzy Hash: 2a97b463817c591d16a8796dce7d55cd22b4385986b87b257e78662ef9f70187
Instruction Fuzzy Hash: 58E04F32024600AEE7662B11FD05EB377EDEB04320F10882DF4A5804B1DB62ACA0DB10

Function 002D676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002D6766,?,?,00000008,?,?,002DFEFE,00000000), ref: 002D6998

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: e1bc2a409fa7f04e3248af602e2930af99dc2e438461c0d8de5e50dc8b81a8ce
Instruction ID: 2834696a4b39045ed673beeefbbf22cb7b1fa893ba254ce80702c24d528e5e6f
Opcode Fuzzy Hash: e1bc2a409fa7f04e3248af602e2930af99dc2e438461c0d8de5e50dc8b81a8ce
Instruction Fuzzy Hash: 90B13A3162060A9FD715CF28C48ABA57BA0FF45364F258659E8D9CF3A2C335EDA5CB40

Function 002BB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 002F851F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fdb7d2cc0229f3fccbe9293c017a7745e697ba3f69ed203894e5dc770ec35197
Instruction ID: 4cb9d0d48b80511e7962f8e344fda5be8d1ae3859065ff25a98f4eb3286a5cb3
Opcode Fuzzy Hash: fdb7d2cc0229f3fccbe9293c017a7745e697ba3f69ed203894e5dc770ec35197
Instruction Fuzzy Hash: F91270759202299FCB25CF58C8806FEB7F5FF48350F1081AAE949EB251DB709A91CF90

Function 0031EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0031EABD

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ebea065a66f5928c147777c9de881832208f91c8eb91ccd0fab0100ccfbf831c
Instruction ID: 4f1e7541d79248124cf18d2542868b3e724c4fcbe22d508afc5e88cc60bf8588
Opcode Fuzzy Hash: ebea065a66f5928c147777c9de881832208f91c8eb91ccd0fab0100ccfbf831c
Instruction Fuzzy Hash: 76E04F322202049FC711EF69D845E9AF7EDAF99760F048416FC4AD7361DB71E8808B91

Function 002C09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002C03EE), ref: 002C09DA

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b3ab01d44c7e6a3330e8bbc09246d7688e2f958694736a8454f859ba273242db
Instruction ID: 6614aed50da014b6e68d6921d55430499575d71518c6b6f872e84049ecae224f
Opcode Fuzzy Hash: b3ab01d44c7e6a3330e8bbc09246d7688e2f958694736a8454f859ba273242db
Instruction Fuzzy Hash:

Function 002C781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 002C798B

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 4bfe8eeba09fa08e8a204fca246d1eebbd98b8a3ad982b2a12141b613d0e3acf
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2751676163C6475BDB388D68885EFBE23999F12340F18071DEA82D7282C661DE35EF52

Function 00312046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&7, xrefs: 00312053

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID: 0&7
API String ID: 0-2689145513
Opcode ID: 21678339d668f53f4142c2785d6cdbd0e55044561430a0013b481696d944ca0b
Instruction ID: ebb0f4a3e190da626bb0ae37fd6035ef6140ad9609b4c8193bb0342ef4ff9ab4
Opcode Fuzzy Hash: 21678339d668f53f4142c2785d6cdbd0e55044561430a0013b481696d944ca0b
Instruction Fuzzy Hash: 0821A8326205118BD72CCF79C8226BB73E9E758310F15862EE4A7C77D1DE79A944CB40

Function 002D6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece5c39b187898f1f9d4895ebffd0ad5d4896ee80b2c6dad35eaaa17d5ab4a9f
Instruction ID: ad75c83a062867a87bd3c5a1ec94219cafde7738b725ec0355f4f41b7b3051ff
Opcode Fuzzy Hash: ece5c39b187898f1f9d4895ebffd0ad5d4896ee80b2c6dad35eaaa17d5ab4a9f
Instruction Fuzzy Hash: FE321126D39F014DD7239A34D822336A24DAFB73C5F55D727F81AB9AA5EF28D8934100

Function 002BCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f16f0e33d608967f1f903c2a4676a91b4bebb4d6b6e2b2b857371aebe98c79c
Instruction ID: 2b300155b0c356c673b6405a3be064b4cd59c7d58b3b00d1ac38a3587edf4f5f
Opcode Fuzzy Hash: 7f16f0e33d608967f1f903c2a4676a91b4bebb4d6b6e2b2b857371aebe98c79c
Instruction Fuzzy Hash: 4D32F531A3410E8BDF28CE28C6946BDFBA1EB45394F38857BD649CB295D2309DA1DB40

Function 002A7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc007c86b9076fd58bba38985e45d2dc69ae43d2023e4bf4dbc3a54423bef95
Instruction ID: 7cea6261e939577728cd8c14dbc91f805798761aca154e75680ef877c9cb17a7
Opcode Fuzzy Hash: cbc007c86b9076fd58bba38985e45d2dc69ae43d2023e4bf4dbc3a54423bef95
Instruction Fuzzy Hash: 3B22E2B0A2061ADFDF14CF65C981AAEB3F5FF45304F604629E812A7291EB75DD20CB64

Function 002A91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e22c59936a1391c72bc93b0f3919c87378c61163ca01cf6c75fbc0a108813d1
Instruction ID: f39cf81c97b93f93a9438007e87d441d4ffacf7ebb6d22fce2271bfef7c698df
Opcode Fuzzy Hash: 4e22c59936a1391c72bc93b0f3919c87378c61163ca01cf6c75fbc0a108813d1
Instruction Fuzzy Hash: B602C6B0A20106EBDF04DF55D981AADB7B5FF44300F618169E8169B391EB71EA70CF91

Function 002C1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 293de7fa31a890b92e40d470ae57812a79537f0005c5dc0d7a5208c41112b41c
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6C9189721280A349DB2D4A3D8576A3DFFE15A533A131A079EE4F3CA1C6FE24C974D620

Function 002C19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 8f85e0c93a8d118e07885074bf5e2043141fc5ee7debd38510d1501e4a6a4759
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0C91A9722290E34DDB2D467A857693DFFE15A933A1319079ED4F2CA1C2FD24C974DA20

Function 002C7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a466d7640acc2b1b1422296244110c81819bd93e40f92f4389dada36e8241e
Instruction ID: a9fde0a72ffbbf268ccf1d9a9f11926b2f138822999030a0c652f5ad5411fdde
Opcode Fuzzy Hash: 09a466d7640acc2b1b1422296244110c81819bd93e40f92f4389dada36e8241e
Instruction Fuzzy Hash: 4861797127870B66DB349E288D95FBE2398EF41718F104B1EE842CB281DA519E72CF55

Function 002C7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f551d7d97a790159602d72240b895ea6ac48ed4becc26c162b5e6c52d000569d
Instruction ID: 20c3ba0e3cb5a738f39e74f23fded70574b9896891ae11f85c04f2d2b0d11974
Opcode Fuzzy Hash: f551d7d97a790159602d72240b895ea6ac48ed4becc26c162b5e6c52d000569d
Instruction Fuzzy Hash: F1617B7223870B67DA384E284856FBF23989F42744F104B5EF943CB281D7629D72CE55

Function 002C1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 689a83bb31ddc7927f6f69156564f2a1ded1d89ff5ed2f7e1f7ef7c5d653b7f9
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 0B81777252D0A349EB2D4A39853693EFFE15E933A131A079DD4F2CA1C3EE24C578D620

Function 002BD064 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95f9aad7d6e68cc9e9f47c7df32c032a0825f42c0359088fcd7eda4933b115e
Instruction ID: 6d6d809809694cd44c6e64dd24bc048de9bf66ad366eb60608ca162572b1a64c
Opcode Fuzzy Hash: c95f9aad7d6e68cc9e9f47c7df32c032a0825f42c0359088fcd7eda4933b115e
Instruction Fuzzy Hash: 3D51FF7184EBE79FC3179B3488BA084FFB0AD5B61132889DFC1804A5CBD395406ACB5A

Function 00322ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00322B30
DeleteObject.GDI32(00000000), ref: 00322B43
DestroyWindow.USER32 ref: 00322B52
GetDesktopWindow.USER32 ref: 00322B6D
GetWindowRect.USER32(00000000), ref: 00322B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00322CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00322CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00322CF8
GetClientRect.USER32(00000000,?), ref: 00322D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00322D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00322D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00322D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00322D80
GlobalLock.KERNEL32(00000000), ref: 00322D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00322D98
GlobalUnlock.KERNEL32(00000000), ref: 00322DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00322DA8
GlobalFree.KERNEL32(00000000), ref: 00322DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00322DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0033FC38,00000000), ref: 00322DDB
GlobalFree.KERNEL32(00000000), ref: 00322DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00322E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00322E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00322E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0032303F

Strings

, xrefs: 00322FC5
DISPLAY, xrefs: 00322EA2
static, xrefs: 00322D3A, 00322E91
AutoIt v3, xrefs: 00322CF2

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: c004b6dc1741e736dd82ae04c889094e6c08cdfb2ba8e770cbe55399d8f33dc2
Instruction ID: 5369fff382b8867eee533ec98d4351bf32a60e3640b83c910b34cb4ac69c6f79
Opcode Fuzzy Hash: c004b6dc1741e736dd82ae04c889094e6c08cdfb2ba8e770cbe55399d8f33dc2
Instruction Fuzzy Hash: 9D027A76910214AFDB16DFA4DC89EAE7BB9EF49310F048118F915AB2A1CB74ED41CF60

Function 003370D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0033712F
GetSysColorBrush.USER32(0000000F), ref: 00337160
GetSysColor.USER32(0000000F), ref: 0033716C
SetBkColor.GDI32(?,000000FF), ref: 00337186
SelectObject.GDI32(?,?), ref: 00337195
InflateRect.USER32(?,000000FF,000000FF), ref: 003371C0
GetSysColor.USER32(00000010), ref: 003371C8
CreateSolidBrush.GDI32(00000000), ref: 003371CF
FrameRect.USER32(?,?,00000000), ref: 003371DE
DeleteObject.GDI32(00000000), ref: 003371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00337230
FillRect.USER32(?,?,?), ref: 00337262
GetWindowLongW.USER32(?,000000F0), ref: 00337284

Part of subcall function 003373E8: GetSysColor.USER32(00000012), ref: 00337421
Part of subcall function 003373E8: SetTextColor.GDI32(?,?), ref: 00337425
Part of subcall function 003373E8: GetSysColorBrush.USER32(0000000F), ref: 0033743B
Part of subcall function 003373E8: GetSysColor.USER32(0000000F), ref: 00337446
Part of subcall function 003373E8: GetSysColor.USER32(00000011), ref: 00337463
Part of subcall function 003373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00337471
Part of subcall function 003373E8: SelectObject.GDI32(?,00000000), ref: 00337482
Part of subcall function 003373E8: SetBkColor.GDI32(?,00000000), ref: 0033748B
Part of subcall function 003373E8: SelectObject.GDI32(?,?), ref: 00337498
Part of subcall function 003373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003374B7
Part of subcall function 003373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003374CE
Part of subcall function 003373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003374DB

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 2a7f8e24e56b4447f794e4183bd61aeb34559feea00f46e92f57e12808251ff5
Instruction ID: a1f3e261846bfc1cfcd97fdd2bf3d744bbd26a7c933f665ea98f3b4c3d1dee87
Opcode Fuzzy Hash: 2a7f8e24e56b4447f794e4183bd61aeb34559feea00f46e92f57e12808251ff5
Instruction Fuzzy Hash: 4CA1B172418301BFDB129F60DC88E6BBBADFF49320F101A19F962A61E1D771E944DB91

Function 002B8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 002B8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 002F6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 002F6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 002F6F43

Part of subcall function 002B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002B8BE8,?,00000000,?,?,?,?,002B8BBA,00000000,?), ref: 002B8FC5

SendMessageW.USER32(?,00001053), ref: 002F6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 002F6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 002F6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 002F6FB7

Strings

0, xrefs: 002F6DCF

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 598b9bf4e32ba93918d3902a2f85780a6313edda6a89bb198dfad975dcc344e7
Instruction ID: 4585bf55808965bb0ca152ba6feb5fd590722f50b1337bc88b90465128faef09
Opcode Fuzzy Hash: 598b9bf4e32ba93918d3902a2f85780a6313edda6a89bb198dfad975dcc344e7
Instruction Fuzzy Hash: C912A031220206DFD726DF18C888BB5B7E9FB49340F144569F6899B661CB31ECA2DF91

Function 00322711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0032273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0032286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00322900
GetClientRect.USER32(00000000,?), ref: 0032290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00322955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00322964
GetStockObject.GDI32(00000011), ref: 00322974
SelectObject.GDI32(00000000,00000000), ref: 00322978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00322988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00322991
DeleteDC.GDI32(00000000), ref: 0032299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 003229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00322A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00322A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00322A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00322A77
GetStockObject.GDI32(00000011), ref: 00322A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00322A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00322A97

Strings

DISPLAY, xrefs: 0032295A
static, xrefs: 0032294F, 00322A71
msctls_progress32, xrefs: 00322A13
AutoIt v3, xrefs: 003228F8

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 52fdf9988dd830ef19c85aba8c794ae729361499f81fa41e27717c279bcde7ee
Instruction ID: 32923e8928ade6ad02675fd8696b771014b38f156a13cf82be0819f3b2fc01ac
Opcode Fuzzy Hash: 52fdf9988dd830ef19c85aba8c794ae729361499f81fa41e27717c279bcde7ee
Instruction Fuzzy Hash: 6BB14B76A10215AFEB15DF68DC8AEAA7BA9EB09710F008114F915E7291DB74ED40CF90

Function 00314ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00314AED
GetDriveTypeW.KERNEL32(?,0033CB68,?,\\.\,0033CC08), ref: 00314BCA
SetErrorMode.KERNEL32(00000000,0033CB68,?,\\.\,0033CC08), ref: 00314D36

Strings

ATAPI, xrefs: 00314C91
MMC, xrefs: 00314CDE
SAS, xrefs: 00314CC9
SATA, xrefs: 00314CD0
USB, xrefs: 00314CB4
ATA, xrefs: 00314C98
SCSI, xrefs: 00314C8A
FileBackedVirtual, xrefs: 00314CEC
Fixed, xrefs: 00314C09
SSD, xrefs: 00314C4A
iSCSI, xrefs: 00314CC2
Unknown, xrefs: 00314BED, 00314C83
Fibre, xrefs: 00314CAD
Removable, xrefs: 00314C10, 00314C15
1394, xrefs: 00314C9F
Virtual, xrefs: 00314CE5
RAMDisk, xrefs: 00314BF4
CDROM, xrefs: 00314BFB
\\.\, xrefs: 00314B3F
RAID, xrefs: 00314CBB
SSA, xrefs: 00314CA6
Network, xrefs: 00314C02
PhysicalDrive, xrefs: 00314B76

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: cccd006132246130679ed5cd83bc4e80463303fca80793be9f7ca73f3c60b915
Instruction ID: f666bd319a22f91f9382c64e4ab8d843f7a17f37aeb554485622986f8eaa028c
Opcode Fuzzy Hash: cccd006132246130679ed5cd83bc4e80463303fca80793be9f7ca73f3c60b915
Instruction Fuzzy Hash: B2619430605205EBCB0BDF24CA82DE9B7A5AB4D780B24C415F806AB69ADF35DDC1DB81

Function 003373E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00337421
SetTextColor.GDI32(?,?), ref: 00337425
GetSysColorBrush.USER32(0000000F), ref: 0033743B
GetSysColor.USER32(0000000F), ref: 00337446
CreateSolidBrush.GDI32(?), ref: 0033744B
GetSysColor.USER32(00000011), ref: 00337463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00337471
SelectObject.GDI32(?,00000000), ref: 00337482
SetBkColor.GDI32(?,00000000), ref: 0033748B
SelectObject.GDI32(?,?), ref: 00337498
InflateRect.USER32(?,000000FF,000000FF), ref: 003374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 003374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0033752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00337554
InflateRect.USER32(?,000000FD,000000FD), ref: 00337572
DrawFocusRect.USER32(?,?), ref: 0033757D
GetSysColor.USER32(00000011), ref: 0033758E
SetTextColor.GDI32(?,00000000), ref: 00337596
DrawTextW.USER32(?,003370F5,000000FF,?,00000000), ref: 003375A8
SelectObject.GDI32(?,?), ref: 003375BF
DeleteObject.GDI32(?), ref: 003375CA
SelectObject.GDI32(?,?), ref: 003375D0
DeleteObject.GDI32(?), ref: 003375D5
SetTextColor.GDI32(?,?), ref: 003375DB
SetBkColor.GDI32(?,?), ref: 003375E5

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 10b30b3fa5737f5c445c9c4fd67b24fcc9d2f8df70c8243e9bda9b08189828ff
Instruction ID: 4e6b05607a28d107a4262f4c0a50a6fae2b72bc097409d2a8753e72372919556
Opcode Fuzzy Hash: 10b30b3fa5737f5c445c9c4fd67b24fcc9d2f8df70c8243e9bda9b08189828ff
Instruction Fuzzy Hash: 28616F72D00218AFEF129FA4DC89AEE7FB9EB09320F115115F911BB2A1D775A940DF90

Function 00330FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00331128
GetDesktopWindow.USER32 ref: 0033113D
GetWindowRect.USER32(00000000), ref: 00331144
GetWindowLongW.USER32(?,000000F0), ref: 00331199
DestroyWindow.USER32(?), ref: 003311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0033120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0033121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00331232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00331245
IsWindowVisible.USER32(00000000), ref: 003312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003312D0
GetWindowRect.USER32(00000000,?), ref: 003312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0033130E
GetMonitorInfoW.USER32(00000000,?), ref: 00331328
CopyRect.USER32(?,?), ref: 0033133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 003313AA

Strings

(, xrefs: 0033131B
0, xrefs: 003310D3
tooltips_class32, xrefs: 003311E6

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0f5cc8c254a37fcab523c871b108e33e5b52c6c334d18707fac2cdc8690af3e6
Instruction ID: d8d5a238900a2e5c1a5164bb56e9f868d9befb555441c3881445f476d6d75239
Opcode Fuzzy Hash: 0f5cc8c254a37fcab523c871b108e33e5b52c6c334d18707fac2cdc8690af3e6
Instruction Fuzzy Hash: B5B19C71618341AFD705DF65C885B6BBBE8FF85350F008918F999AB2A1CB71E844CF91

Function 00330241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003302E5
_wcslen.LIBCMT ref: 0033031F
_wcslen.LIBCMT ref: 00330389
_wcslen.LIBCMT ref: 003303F1
_wcslen.LIBCMT ref: 00330475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003304C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00330504

Part of subcall function 002BF9F2: _wcslen.LIBCMT ref: 002BF9FD

Part of subcall function 0030223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00302258
Part of subcall function 0030223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0030228A

Strings

GETITEMCOUNT, xrefs: 00330316, 00330337
SELECTALL, xrefs: 00330515
SELECTCLEAR, xrefs: 0033052D
ISSELECTED, xrefs: 003304DD
SELECTINVERT, xrefs: 0033057E
VIEWCHANGE, xrefs: 00330675
GETSELECTED, xrefs: 003305E1
GETSUBITEMCOUNT, xrefs: 00330384, 0033039F
FINDITEM, xrefs: 00330627
SELECT, xrefs: 00330548
GETSELECTEDCOUNT, xrefs: 00330470, 0033048B
DESELECT, xrefs: 0033059C
GETTEXT, xrefs: 003303EC, 00330407

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 7075907b06b1d46077e97bacfb1052fed3db0ce7759e68a355c26d83406835ce
Instruction ID: 520d97040ad542a164e787a35970dc755aef0f9440b3b1c2e7d9cc65945bcf4b
Opcode Fuzzy Hash: 7075907b06b1d46077e97bacfb1052fed3db0ce7759e68a355c26d83406835ce
Instruction Fuzzy Hash: 2EE1E1312182018FC71ADF24C9A192EB3E6FF89314F55895CF896AB7A6DB30ED45CB41

Function 002B8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002B8968
GetSystemMetrics.USER32(00000007), ref: 002B8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002B899B
GetSystemMetrics.USER32(00000008), ref: 002B89A3
GetSystemMetrics.USER32(00000004), ref: 002B89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002B89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002B89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002B8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002B8A3C
GetClientRect.USER32(00000000,000000FF), ref: 002B8A5A
GetStockObject.GDI32(00000011), ref: 002B8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 002B8A81

Part of subcall function 002B912D: GetCursorPos.USER32(?), ref: 002B9141
Part of subcall function 002B912D: ScreenToClient.USER32(00000000,?), ref: 002B915E
Part of subcall function 002B912D: GetAsyncKeyState.USER32(00000001), ref: 002B9183
Part of subcall function 002B912D: GetAsyncKeyState.USER32(00000002), ref: 002B919D

SetTimer.USER32(00000000,00000000,00000028,002B90FC), ref: 002B8AA8

Strings

AutoIt v3 GUI, xrefs: 002B8A20

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 6cd82a2e5ce66ad423e927e02b45deeabb431dc8d22c872cb6662adddf9532cb
Instruction ID: 8ae74550eac1631f1a7e12d6c118add420ddd061d1104c9671406d5452998295
Opcode Fuzzy Hash: 6cd82a2e5ce66ad423e927e02b45deeabb431dc8d22c872cb6662adddf9532cb
Instruction Fuzzy Hash: 2AB18035A1020AAFDF15DF68CC89BEE7BB8FB48354F104129FA19A7290DB74A851CF51

Function 00300D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00301114
Part of subcall function 003010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00300B9B,?,?,?), ref: 00301120
Part of subcall function 003010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00300B9B,?,?,?), ref: 0030112F
Part of subcall function 003010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00300B9B,?,?,?), ref: 00301136
Part of subcall function 003010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0030114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00300DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00300E29
GetLengthSid.ADVAPI32(?), ref: 00300E40
GetAce.ADVAPI32(?,00000000,?), ref: 00300E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00300E96
GetLengthSid.ADVAPI32(?), ref: 00300EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00300EB5
HeapAlloc.KERNEL32(00000000), ref: 00300EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00300EDD
CopySid.ADVAPI32(00000000), ref: 00300EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00300F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00300F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00300F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00300F6E
HeapFree.KERNEL32(00000000), ref: 00300F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00300F7E
HeapFree.KERNEL32(00000000), ref: 00300F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00300F8E
HeapFree.KERNEL32(00000000), ref: 00300F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00300FA1
HeapFree.KERNEL32(00000000), ref: 00300FA8

Part of subcall function 00301193: GetProcessHeap.KERNEL32(00000008,00300BB1,?,00000000,?,00300BB1,?), ref: 003011A1
Part of subcall function 00301193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00300BB1,?), ref: 003011A8
Part of subcall function 00301193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00300BB1,?), ref: 003011B7

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4ff1bad1440235d1a6d763462b530d7aa4d30fd5b9df64dc5239858794d37a7b
Instruction ID: 4867d204dee79c7603e36cebafe57653d25e7cf0c453496d09c380e1ec6abea5
Opcode Fuzzy Hash: 4ff1bad1440235d1a6d763462b530d7aa4d30fd5b9df64dc5239858794d37a7b
Instruction Fuzzy Hash: F371697290120AEBDF269FA4DC88FAEBBBCBF05301F054215FA59B6191D7319A05DB60

Function 0032C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0032C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0033CC08,00000000,?,00000000,?,?), ref: 0032C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0032C5A4
_wcslen.LIBCMT ref: 0032C5F4
_wcslen.LIBCMT ref: 0032C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0032C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0032C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0032C84D
RegCloseKey.ADVAPI32(?), ref: 0032C881
RegCloseKey.ADVAPI32(00000000), ref: 0032C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0032C960

Strings

REG_DWORD, xrefs: 0032C804
REG_EXPAND_SZ, xrefs: 0032C5CD
REG_QWORD, xrefs: 0032C8C3
REG_SZ, xrefs: 0032C644
REG_MULTI_SZ, xrefs: 0032C6F5
REG_BINARY, xrefs: 0032C913

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 875d07c029ad37fbc3151cb25543f02ea1624e8b2e25454633a47ae52eb49287
Instruction ID: 1c6d735776914adff2b539d785917b7b096b48624ec1830b782585b3b810c1a1
Opcode Fuzzy Hash: 875d07c029ad37fbc3151cb25543f02ea1624e8b2e25454633a47ae52eb49287
Instruction Fuzzy Hash: 341288356242109FCB15EF14D891A2AB7E5FF89714F15889CF88A9B3A2DB31EC45CF81

Function 0033091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003309C6
_wcslen.LIBCMT ref: 00330A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00330A54
_wcslen.LIBCMT ref: 00330A8A
_wcslen.LIBCMT ref: 00330B06
_wcslen.LIBCMT ref: 00330B81

Part of subcall function 002BF9F2: _wcslen.LIBCMT ref: 002BF9FD

Part of subcall function 00302BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00302BFA

Strings

GETITEMCOUNT, xrefs: 00330C1E
EXPAND, xrefs: 00330BF8
COLLAPSE, xrefs: 00330B01, 00330B1C
EXISTS, xrefs: 00330B7C, 00330B97
ISCHECKED, xrefs: 00330CE1
GETTOTALCOUNT, xrefs: 003309F2, 00330A17
CHECK, xrefs: 00330A85, 00330AA0
GETSELECTED, xrefs: 00330C4E
UNCHECK, xrefs: 00330D3E
GETTEXT, xrefs: 00330C97
SELECT, xrefs: 00330D11

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 7cb13c868c31af705f4cec497b2107108d56ca27300ba9957ae06b254ab44bd6
Instruction ID: b95abed31f5e531be3d485073db85719b1d88a7636622220c1ed8d2dad273de9
Opcode Fuzzy Hash: 7cb13c868c31af705f4cec497b2107108d56ca27300ba9957ae06b254ab44bd6
Instruction Fuzzy Hash: 4EE1D0352183018FC719EF24C4A096AB7E1FF98354F55895CF8969B7A2DB30ED45CB81

Function 0032C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0032B6AE,?,?), ref: 0032C9B5
_wcslen.LIBCMT ref: 0032C9F1
_wcslen.LIBCMT ref: 0032CA68
_wcslen.LIBCMT ref: 0032CA9E
_wcslen.LIBCMT ref: 0032CAF9
_wcslen.LIBCMT ref: 0032CB2F
_wcslen.LIBCMT ref: 0032CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0032CA62, 0032CA67
HKCC, xrefs: 0032CBAC
HKEY_CURRENT_USER, xrefs: 0032CBBD
HKU, xrefs: 0032CBF0
HKLM, xrefs: 0032CA98, 0032CA9D
HKEY_CLASSES_ROOT, xrefs: 0032CAF3, 0032CAF8
HKEY_USERS, xrefs: 0032CBDF
HKEY_CURRENT_CONFIG, xrefs: 0032CB79, 0032CB7E
HKCR, xrefs: 0032CB29, 0032CB2E
HKCU, xrefs: 0032CBCE

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 0ccb486cb73db07f8e1a2a1fec69e48bb7e0fb3a9a32ff4f12eb3ee31efaa72c
Instruction ID: 9f3ac1567b2b48c017cf026a306e9b55fd0b993359eb595bfc8a39ec38458bf6
Opcode Fuzzy Hash: 0ccb486cb73db07f8e1a2a1fec69e48bb7e0fb3a9a32ff4f12eb3ee31efaa72c
Instruction Fuzzy Hash: 7F71363263053A8BCB22DE3CED515FF3395AF61794F225128F856A7284EA31CD55C7A0

Function 0033833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0033835A
_wcslen.LIBCMT ref: 0033836E
_wcslen.LIBCMT ref: 00338391
_wcslen.LIBCMT ref: 003383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00335BF2), ref: 0033844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00338487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00338501
FreeLibrary.KERNEL32(?), ref: 0033850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0033851D
DestroyIcon.USER32(?,?,?,?,?,00335BF2), ref: 0033852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00338549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00338555

Strings

.exe, xrefs: 00338388
.icl, xrefs: 00338368
.dll, xrefs: 003383AB

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b8abd80aeee572be129103238df3aecc0e64f0321cbd3f7ef266fcdafcc34511
Instruction ID: 598ca8b136e95d3f494b94f01eee1a7669add24ec842c2490e1780463341e075
Opcode Fuzzy Hash: b8abd80aeee572be129103238df3aecc0e64f0321cbd3f7ef266fcdafcc34511
Instruction Fuzzy Hash: B161CD72910315BAEB16DF65CC81BFF77ACBB09B21F104609F815E61D1DB74AA90CBA0

Function 002A7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 002A7817
#include, xrefs: 002A7847
#notrayicon, xrefs: 002A77E7
#comments-start, xrefs: 002A785F, 002A78B1
#cs, xrefs: 002A7873, 002A78C5
Unterminated group of comments, xrefs: 002E528C
#include-once, xrefs: 002A782F
Bad directive syntax error, xrefs: 002E519A
#comments-end, xrefs: 002A78D9
#pragma compile, xrefs: 002A77D3
', xrefs: 002E5169
", xrefs: 002E5153
#ce, xrefs: 002A78ED
#requireadmin, xrefs: 002A77FF
Cannot parse #include, xrefs: 002E5279

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 553c113a41c819dc46776e8c8c64685d415381808a989aa9ec4414badbd586db
Instruction ID: 0017e0e1d9321534a35a2c3976e639eb00cd0d71a55087571ced33dbb53c3f22
Opcode Fuzzy Hash: 553c113a41c819dc46776e8c8c64685d415381808a989aa9ec4414badbd586db
Instruction Fuzzy Hash: 81810671A74216BBDB21AF61CC42FEE77A8AF16340F044025FD04AA192EF70D971DBA5

Function 00305A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00305A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00305A40
SetWindowTextW.USER32(?,?), ref: 00305A57
GetDlgItem.USER32(?,000003EA), ref: 00305A6C
SetWindowTextW.USER32(00000000,?), ref: 00305A72
GetDlgItem.USER32(?,000003E9), ref: 00305A82
SetWindowTextW.USER32(00000000,?), ref: 00305A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00305AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00305AC3
GetWindowRect.USER32(?,?), ref: 00305ACC
_wcslen.LIBCMT ref: 00305B33
SetWindowTextW.USER32(?,?), ref: 00305B6F
GetDesktopWindow.USER32 ref: 00305B75
GetWindowRect.USER32(00000000), ref: 00305B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00305BD3
GetClientRect.USER32(?,?), ref: 00305BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00305C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00305C2F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 0b715505081bc3109d46478220e6af5f717c32fe3581fa66fd88ae13db37a30b
Instruction ID: d3164247a20fc00651b2c1540eb08f0326f2a45d807850c8da94f81edee97e9a
Opcode Fuzzy Hash: 0b715505081bc3109d46478220e6af5f717c32fe3581fa66fd88ae13db37a30b
Instruction Fuzzy Hash: 3B715C31A01B09AFDB22DFA8CE95AAFBBF9FF48704F104518E542A25A0D775E944CF50

Function 003030F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0030318D
_wcslen.LIBCMT ref: 003031F8

Strings

INSTANCE, xrefs: 00303453
[6, xrefs: 0030339A
CLASS, xrefs: 00303188, 003031A5
REGEXPCLASS, xrefs: 00303255, 00303266
CLASSNN, xrefs: 003031F3, 00303204
NAME, xrefs: 00303335, 00303346
TEXT, xrefs: 0030347C

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[6
API String ID: 176396367-797229799
Opcode ID: ad90e8a65f11e1f1e9f7188b736f04af1fb76e98801162abb9ba4bbabfffb590
Instruction ID: ab3fffef3cb8f83033004830e86f967c41bcac59a72138c9a93e5e0267598eaa
Opcode Fuzzy Hash: ad90e8a65f11e1f1e9f7188b736f04af1fb76e98801162abb9ba4bbabfffb590
Instruction Fuzzy Hash: 0DE1F731A015169FCB1ADF64C8A1BFEBBB8BF45710F558129E456B7280DF30AE45CB90

Function 002C00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002C00C6

Part of subcall function 002C00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0037070C,00000FA0,1201F22A,?,?,?,?,002E23B3,000000FF), ref: 002C011C
Part of subcall function 002C00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002E23B3,000000FF), ref: 002C0127
Part of subcall function 002C00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002E23B3,000000FF), ref: 002C0138
Part of subcall function 002C00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 002C014E
Part of subcall function 002C00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002C015C
Part of subcall function 002C00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002C016A
Part of subcall function 002C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002C0195
Part of subcall function 002C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002C01A0

___scrt_fastfail.LIBCMT ref: 002C00E7

Part of subcall function 002C00A3: __onexit.LIBCMT ref: 002C00A9

Strings

SleepConditionVariableCS, xrefs: 002C0154
InitializeConditionVariable, xrefs: 002C0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 002C0122
kernel32.dll, xrefs: 002C0133
WakeAllConditionVariable, xrefs: 002C0162

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: f194602db0fe9324c1361b7bf8719c386b333ad01ff056149eaab2ed91e77a62
Instruction ID: 01509846d477ec560747a6f4dc81274b8fba8e450608554162abb863b9268968
Opcode Fuzzy Hash: f194602db0fe9324c1361b7bf8719c386b333ad01ff056149eaab2ed91e77a62
Instruction Fuzzy Hash: EB21FC32A64751EFD7275F65ACC9F697398DB05B51F04022DF805E2291DBB49C108A50

Function 003144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0033CC08), ref: 00314527
_wcslen.LIBCMT ref: 0031453B
_wcslen.LIBCMT ref: 00314599
_wcslen.LIBCMT ref: 003145F4
_wcslen.LIBCMT ref: 0031463F
_wcslen.LIBCMT ref: 003146A7

Part of subcall function 002BF9F2: _wcslen.LIBCMT ref: 002BF9FD

GetDriveTypeW.KERNEL32(?,00366BF0,00000061), ref: 00314743

Strings

all, xrefs: 00314531, 00314536
removable, xrefs: 003145EA, 003145EF
fixed, xrefs: 00314635, 0031463A
unknown, xrefs: 00314708
network, xrefs: 0031469D, 003146A2
ramdisk, xrefs: 003146F1
cdrom, xrefs: 0031458F, 00314594

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 9c72a16943367df26349a2e0c45bc3efacefaab0315385759efd3f9f908024a0
Instruction ID: f85ed9fef6a0b67d8dc9bd49a8d81c9e5a84ef18ada9f82b0bad68d105c20ec0
Opcode Fuzzy Hash: 9c72a16943367df26349a2e0c45bc3efacefaab0315385759efd3f9f908024a0
Instruction Fuzzy Hash: 88B106316083029FC719DF28C891AAEB7E5BFAA764F51491DF496C7291DB30DC84CB92

Function 0033911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 002B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002B9BB2

DragQueryPoint.SHELL32(?,?), ref: 00339147

Part of subcall function 00337674: ClientToScreen.USER32(?,?), ref: 0033769A
Part of subcall function 00337674: GetWindowRect.USER32(?,?), ref: 00337710
Part of subcall function 00337674: PtInRect.USER32(?,?,00338B89), ref: 00337720

SendMessageW.USER32(?,000000B0,?,?), ref: 003391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00339225
SendMessageW.USER32(?,000000B0,?,?), ref: 0033923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00339255
SendMessageW.USER32(?,000000B1,?,?), ref: 00339277
DragFinish.SHELL32(?), ref: 0033927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00339371

Strings

p#7, xrefs: 003392BB
@GUI_DROPID, xrefs: 0033929E
@GUI_DRAGFILE, xrefs: 00339320
@GUI_DRAGID, xrefs: 003392E9

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#7
API String ID: 221274066-3371469138
Opcode ID: 68c242ddd5954e6cad0e4611cc1d2fb5e873810304ec0696ec50ba6560ae42a1
Instruction ID: 035ab45032c5cb0b95bad10f1073c5f3a9485135b4502ae00f88ddd04c1f2bb6
Opcode Fuzzy Hash: 68c242ddd5954e6cad0e4611cc1d2fb5e873810304ec0696ec50ba6560ae42a1
Instruction Fuzzy Hash: E4618B72108301AFC702EF65DC85EAFBBE8EF89750F00091EF595962A0DB709A59CB52

Function 0032AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0032B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0032B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0032B1D4
_wcslen.LIBCMT ref: 0032B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0032B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0032B236
_wcslen.LIBCMT ref: 0032B332

Part of subcall function 003105A7: GetStdHandle.KERNEL32(000000F6), ref: 003105C6

_wcslen.LIBCMT ref: 0032B34B
_wcslen.LIBCMT ref: 0032B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0032B3B6
GetLastError.KERNEL32(00000000), ref: 0032B407
CloseHandle.KERNEL32(?), ref: 0032B439
CloseHandle.KERNEL32(00000000), ref: 0032B44A
CloseHandle.KERNEL32(00000000), ref: 0032B45C
CloseHandle.KERNEL32(00000000), ref: 0032B46E
CloseHandle.KERNEL32(?), ref: 0032B4E3

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 5110cc3ec311c7a5cf020f850f55ad2e09b5e0b55d8b74ce9e276734b61e11ec
Instruction ID: 82bbf3bf57629686bcbf4c46b2718586b5f048b4cbb819c74e128f8c2f21f98d
Opcode Fuzzy Hash: 5110cc3ec311c7a5cf020f850f55ad2e09b5e0b55d8b74ce9e276734b61e11ec
Instruction Fuzzy Hash: 87F1AB316183109FC716EF24D891B6EBBE5AF85310F19895DF8959B2A2CB30EC44CF92

Function 002A326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00371990), ref: 002E2F8D
GetMenuItemCount.USER32(00371990), ref: 002E303D
GetCursorPos.USER32(?), ref: 002E3081
SetForegroundWindow.USER32(00000000), ref: 002E308A
TrackPopupMenuEx.USER32(00371990,00000000,?,00000000,00000000,00000000), ref: 002E309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002E30A9

Strings

0, xrefs: 002A327D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: f52c1a2384f702efbecfd1e06d418654984589763e2177a63a7ec4350254a7cb
Instruction ID: fede9e16b6ae380bb44e029725475ad94e886c79f53ca2507d08b225b66f3ca3
Opcode Fuzzy Hash: f52c1a2384f702efbecfd1e06d418654984589763e2177a63a7ec4350254a7cb
Instruction Fuzzy Hash: 5F71F8316A0256BBFB21CF25CC89F9ABF68FF05324F244216F9156A1E0C7B1AD64CB50

Function 00336CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00336DEB

Part of subcall function 002A6B57: _wcslen.LIBCMT ref: 002A6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00336E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00336E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00336E94
DestroyWindow.USER32(?), ref: 00336EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002A0000,00000000), ref: 00336EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00336EFD
GetDesktopWindow.USER32 ref: 00336F16
GetWindowRect.USER32(00000000), ref: 00336F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00336F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00336F4D

Part of subcall function 002B9944: GetWindowLongW.USER32(?,000000EB), ref: 002B9952

Strings

0, xrefs: 00336D98
tooltips_class32, xrefs: 00336E58, 00336EDD

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 2e3da5d137b88dec078d150a701892ff73df1c602b505dfed90c62baf87fe273
Instruction ID: 62e822ce58c4fc91fc4e56b0b7eb7904a8c631d9bb6c6afdb503f03e92a83a3a
Opcode Fuzzy Hash: 2e3da5d137b88dec078d150a701892ff73df1c602b505dfed90c62baf87fe273
Instruction Fuzzy Hash: 41716B75104244AFDB22CF18DC95FAABBF9FB89304F04481DFA9997261C770E946CB21

Function 0031C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0031C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0031C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0031C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0031C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0031C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0031C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0031C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0031C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0031C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0031C5F0
InternetCloseHandle.WININET(00000000), ref: 0031C5FB

Strings

, xrefs: 0031C575

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 61c1d8e5817c6c5e3768559ed5fda0a42849c76c36501b8c5c272045f0b8211a
Instruction ID: 290c79c3ca7a0f37c7227bcdab17c8fd16dcb3162ad734ffcc46e48893242f4e
Opcode Fuzzy Hash: 61c1d8e5817c6c5e3768559ed5fda0a42849c76c36501b8c5c272045f0b8211a
Instruction Fuzzy Hash: D05169B1550208BFDB268F61C988ABB7BBDFB09754F006419F945E6210DB34E984DB60

Function 0033856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00338592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003385A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003385AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003385BA
GlobalLock.KERNEL32(00000000), ref: 003385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003385D7
GlobalUnlock.KERNEL32(00000000), ref: 003385E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003385F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0033FC38,?), ref: 00338611
GlobalFree.KERNEL32(00000000), ref: 00338621
GetObjectW.GDI32(?,00000018,?), ref: 00338641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00338671
DeleteObject.GDI32(?), ref: 00338699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003386AF

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 2b2f5dcc6a900935320272bc84caa8e8bd8b2989e22f78cfdfa6a39818900cdd
Instruction ID: 8f5257474a94569c2638d76c41826548d00fa53e546481cbf2e6c3fe2fc78132
Opcode Fuzzy Hash: 2b2f5dcc6a900935320272bc84caa8e8bd8b2989e22f78cfdfa6a39818900cdd
Instruction Fuzzy Hash: DD411975610208AFDB129FA5CC89EAB7BBCFF89711F158458F905E7260DB349D01DB60

Function 003114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00311502
VariantCopy.OLEAUT32(?,?), ref: 0031150B
VariantClear.OLEAUT32(?), ref: 00311517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00311657
VariantInit.OLEAUT32(?), ref: 00311708
SysFreeString.OLEAUT32(?), ref: 0031178C
VariantClear.OLEAUT32(?), ref: 003117D8
VariantClear.OLEAUT32(?), ref: 003117E7
VariantInit.OLEAUT32(00000000), ref: 00311823

Strings

Default, xrefs: 003116AF
%4d%02d%02d%02d%02d%02d, xrefs: 00311625

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 22e56a6bebffc05ef6538fa9025510a463a353c20319d0e7178f60d07b4548e7
Instruction ID: fef8ca2ea7df42d1089952771e567fb518deefeeee2e753ab8e1608622dc1771
Opcode Fuzzy Hash: 22e56a6bebffc05ef6538fa9025510a463a353c20319d0e7178f60d07b4548e7
Instruction Fuzzy Hash: FAD13332A10115DFCB1A9F65D884BFDB7BABF4A700F108056F646AB680DB30DC90DB62

Function 0032B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

Part of subcall function 0032C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0032B6AE,?,?), ref: 0032C9B5
Part of subcall function 0032C998: _wcslen.LIBCMT ref: 0032C9F1
Part of subcall function 0032C998: _wcslen.LIBCMT ref: 0032CA68
Part of subcall function 0032C998: _wcslen.LIBCMT ref: 0032CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0032B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0032B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0032B80A
RegCloseKey.ADVAPI32(?), ref: 0032B87E
RegCloseKey.ADVAPI32(?), ref: 0032B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0032B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0032B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0032B922
FreeLibrary.KERNEL32(00000000), ref: 0032B983
RegCloseKey.ADVAPI32(00000000), ref: 0032B994

Strings

RegDeleteKeyExW, xrefs: 0032B8FE
advapi32.dll, xrefs: 0032B8ED

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: af333815c881f68e6955a45ba9c83db6fd3e361359cf4064a5bdf65f83815ca6
Instruction ID: 0e7d1c8ee79c7d5e7d9645ae4bdc6edfed5121c1b2c337de1063f8861d0882ad
Opcode Fuzzy Hash: af333815c881f68e6955a45ba9c83db6fd3e361359cf4064a5bdf65f83815ca6
Instruction Fuzzy Hash: 59C1AB30218251AFD715DF18D494F2AFBE5BF85308F15849CE5AA8B2A2CB31EC45CF91

Function 0032255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003225E8
CreateCompatibleDC.GDI32(?), ref: 003225F4
SelectObject.GDI32(00000000,?), ref: 00322601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0032266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003226D0
SelectObject.GDI32(?,?), ref: 003226D8
DeleteObject.GDI32(?), ref: 003226E1
DeleteDC.GDI32(?), ref: 003226E8
ReleaseDC.USER32(00000000,?), ref: 003226F3

Strings

(, xrefs: 0032268D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 22f301b07c1815b30415cfb112d381b69e4ed79398dd879e02cc784d1c11692f
Instruction ID: a978a5cfaee0df44963f0dcd0781f69d2e28693b87a99f871f866054b9961b94
Opcode Fuzzy Hash: 22f301b07c1815b30415cfb112d381b69e4ed79398dd879e02cc784d1c11692f
Instruction Fuzzy Hash: 5C61F376D00219EFCF15CFA8DC84AAEBBB9FF48310F208529E955A7250D770A951DF60

Function 002DDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 002DDAA1

Part of subcall function 002DD63C: _free.LIBCMT ref: 002DD659
Part of subcall function 002DD63C: _free.LIBCMT ref: 002DD66B
Part of subcall function 002DD63C: _free.LIBCMT ref: 002DD67D
Part of subcall function 002DD63C: _free.LIBCMT ref: 002DD68F
Part of subcall function 002DD63C: _free.LIBCMT ref: 002DD6A1
Part of subcall function 002DD63C: _free.LIBCMT ref: 002DD6B3
Part of subcall function 002DD63C: _free.LIBCMT ref: 002DD6C5
Part of subcall function 002DD63C: _free.LIBCMT ref: 002DD6D7
Part of subcall function 002DD63C: _free.LIBCMT ref: 002DD6E9
Part of subcall function 002DD63C: _free.LIBCMT ref: 002DD6FB
Part of subcall function 002DD63C: _free.LIBCMT ref: 002DD70D
Part of subcall function 002DD63C: _free.LIBCMT ref: 002DD71F
Part of subcall function 002DD63C: _free.LIBCMT ref: 002DD731

_free.LIBCMT ref: 002DDA96

Part of subcall function 002D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002DD7D1,00000000,00000000,00000000,00000000,?,002DD7F8,00000000,00000007,00000000,?,002DDBF5,00000000), ref: 002D29DE
Part of subcall function 002D29C8: GetLastError.KERNEL32(00000000,?,002DD7D1,00000000,00000000,00000000,00000000,?,002DD7F8,00000000,00000007,00000000,?,002DDBF5,00000000,00000000), ref: 002D29F0

_free.LIBCMT ref: 002DDAB8
_free.LIBCMT ref: 002DDACD
_free.LIBCMT ref: 002DDAD8
_free.LIBCMT ref: 002DDAFA
_free.LIBCMT ref: 002DDB0D
_free.LIBCMT ref: 002DDB1B
_free.LIBCMT ref: 002DDB26
_free.LIBCMT ref: 002DDB5E
_free.LIBCMT ref: 002DDB65
_free.LIBCMT ref: 002DDB82
_free.LIBCMT ref: 002DDB9A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c24f718042f0daafdd0c256654ffe15ba5c2f4aa2538ee567643e4246de6340e
Instruction ID: a0286aa219c6bce1ca1af2d0aebf3397dcfbea398efad9d0264f401289da3f3e
Opcode Fuzzy Hash: c24f718042f0daafdd0c256654ffe15ba5c2f4aa2538ee567643e4246de6340e
Instruction Fuzzy Hash: 07315C31664A06DFEB21AE38E845B9677E8FF10314F25941BE459D7391DE30AC649B20

Function 0030365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0030369C
_wcslen.LIBCMT ref: 003036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00303797
GetClassNameW.USER32(?,?,00000400), ref: 0030380C
GetDlgCtrlID.USER32(?), ref: 0030385D
GetWindowRect.USER32(?,?), ref: 00303882
GetParent.USER32(?), ref: 003038A0
ScreenToClient.USER32(00000000), ref: 003038A7
GetClassNameW.USER32(?,?,00000100), ref: 00303921
GetWindowTextW.USER32(?,?,00000400), ref: 0030395D

Strings

%s%u, xrefs: 00303734

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: a6652209f4913f37501381d222a722c70ed0cfe5c87bb9da615a419c6929518f
Instruction ID: 79db4590b0349a1844c8ddf68a86995dd0e4aad178b1aa8c5ff45da4ec73953e
Opcode Fuzzy Hash: a6652209f4913f37501381d222a722c70ed0cfe5c87bb9da615a419c6929518f
Instruction Fuzzy Hash: 2691AF71205606AFD71ADF24C8A5FAAF7ACFF44350F008629F999D2190DB30EA59CB91

Function 00304954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00304994
GetWindowTextW.USER32(?,?,00000400), ref: 003049DA
_wcslen.LIBCMT ref: 003049EB
CharUpperBuffW.USER32(?,00000000), ref: 003049F7
_wcsstr.LIBVCRUNTIME ref: 00304A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00304A64
GetWindowTextW.USER32(?,?,00000400), ref: 00304A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00304AE6
GetClassNameW.USER32(?,?,00000400), ref: 00304B20
GetWindowRect.USER32(?,?), ref: 00304B8B

Strings

ThumbnailClass, xrefs: 00304A6F, 00304AF1

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b35d15a23ccddfc4d8bf4dbfee19305e5b1ceb844f8fedddafb33bfe2281e529
Instruction ID: 361e810f8efc8cbc876f6398c5ce9a7f2d78be2fc5d35669302f43e92c31cd39
Opcode Fuzzy Hash: b35d15a23ccddfc4d8bf4dbfee19305e5b1ceb844f8fedddafb33bfe2281e529
Instruction Fuzzy Hash: 0B91C1B11052059FDB06DF14C995FAA77E8FF84314F048469FE859A0D6EB30EE45CBA1

Function 00338D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002B9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00338D5A
GetFocus.USER32 ref: 00338D6A
GetDlgCtrlID.USER32(00000000), ref: 00338D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00338E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00338ECF
GetMenuItemCount.USER32(?), ref: 00338EEC
GetMenuItemID.USER32(?,00000000), ref: 00338EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00338F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00338F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00338FA1

Strings

0, xrefs: 00338E9F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 30fffeeaf77b35fe290ac667fcf7e07a90e73a6507a33a69eeae1312dd4bfaa8
Instruction ID: 2788aeb99f5559ed639d2e36d6309b9502ec0dd98cf6b0e52f9217e0fa04b4de
Opcode Fuzzy Hash: 30fffeeaf77b35fe290ac667fcf7e07a90e73a6507a33a69eeae1312dd4bfaa8
Instruction Fuzzy Hash: 0481CF71508301AFD722DF24D8C4AABBBE9FF89754F150A1DF994A7291DB30D940CBA1

Function 0030DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0030DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0030DC46
_wcslen.LIBCMT ref: 0030DC50
_wcsstr.LIBVCRUNTIME ref: 0030DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0030DCBC

Strings

DefaultLangCodepage, xrefs: 0030DD1F
04090000, xrefs: 0030DCF2
StringFileInfo\, xrefs: 0030DC8F
\VarFileInfo\Translation, xrefs: 0030DCB4
%u.%u.%u.%u, xrefs: 0030DD9A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: a4b7f664dc4c40bb530b7af0ad335b00792be4a506dcae771c6d7c1a9ef242e0
Instruction ID: 819eaf3f6df2a7399551e4b1fb62baddeeee919eb78e14ef2e7bef214b995b07
Opcode Fuzzy Hash: a4b7f664dc4c40bb530b7af0ad335b00792be4a506dcae771c6d7c1a9ef242e0
Instruction Fuzzy Hash: D34101329502007AEB16A7B49C47FFF77ACEF46750F104169F904B61C2EB70DA618BA5

Function 0032CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0032CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0032CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0032CD48

Part of subcall function 0032CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0032CCAA
Part of subcall function 0032CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0032CCBD
Part of subcall function 0032CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0032CCCF
Part of subcall function 0032CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0032CD05
Part of subcall function 0032CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0032CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0032CCF3

Strings

RegDeleteKeyExW, xrefs: 0032CCC9
advapi32.dll, xrefs: 0032CCB8

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 2d5eee3874ffed2018187ee484d072ccad5d509090746ac21701cb84f7558c84
Instruction ID: 1f37f0f4af35acba5d76c4bfed2efdbfbe93e723412cbd17b6c0a510b7d766de
Opcode Fuzzy Hash: 2d5eee3874ffed2018187ee484d072ccad5d509090746ac21701cb84f7558c84
Instruction Fuzzy Hash: 36318C76911138BBDB228B61EC88EFFBB7CEF05740F011165E906E3240DA749E45EBA0

Function 0030E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0030E6B4

Part of subcall function 002BE551: timeGetTime.WINMM(?,?,0030E6D4), ref: 002BE555

Sleep.KERNEL32(0000000A), ref: 0030E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0030E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0030E727
SetActiveWindow.USER32 ref: 0030E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0030E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0030E773
Sleep.KERNEL32(000000FA), ref: 0030E77E
IsWindow.USER32 ref: 0030E78A
EndDialog.USER32(00000000), ref: 0030E79B

Strings

BUTTON, xrefs: 0030E719

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a61a41f3aee0f7e3247f0ff1ee4e06f49656985dbda5668e0b007b617ec46df6
Instruction ID: 67cfd98f214814d388f2e8125b64c1286ae5801040bf0cf0a7bb0f3dc86f1d38
Opcode Fuzzy Hash: a61a41f3aee0f7e3247f0ff1ee4e06f49656985dbda5668e0b007b617ec46df6
Instruction Fuzzy Hash: C521D571311204AFFB236F20ECD9A263B6DF755748F141825F84AA11F1DBB2AC409B24

Function 0030E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0030EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0030EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0030EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0030EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0030EAA7

Strings

alias PlayMe, xrefs: 0030EA36
close PlayMe, xrefs: 0030EA6E, 0030EA9B
status PlayMe mode, xrefs: 0030EA58
play PlayMe, xrefs: 0030EAA2
play PlayMe wait, xrefs: 0030EA91
open , xrefs: 0030EA0C

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 8e54ad86bb2fdbb6e3b935364df7c0186a8d56a69d8291e74a772314143cb55a
Instruction ID: 6c71962521721b00fba2ab7be8d89fa8e78e69154d27aa74a22f0f1e79acf7e3
Opcode Fuzzy Hash: 8e54ad86bb2fdbb6e3b935364df7c0186a8d56a69d8291e74a772314143cb55a
Instruction Fuzzy Hash: 0011A331B602597AD721E7A2DC5ADFF6ABCEBD6B40F044829B801A20D4EFB04955C9B0

Function 00305CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00305CE2
GetWindowRect.USER32(00000000,?), ref: 00305CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00305D59
GetDlgItem.USER32(?,00000002), ref: 00305D69
GetWindowRect.USER32(00000000,?), ref: 00305D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00305DCF
GetDlgItem.USER32(?,000003E9), ref: 00305DDD
GetWindowRect.USER32(00000000,?), ref: 00305DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00305E31
GetDlgItem.USER32(?,000003EA), ref: 00305E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00305E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00305E67

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e96740c3009cd01e2d291c1a7073bbcdeadd6322b5496ad7969da91125644297
Instruction ID: f4e7a3e581d7f04d2642b26ef237c93983bb3109f4666b63228c934a44081a59
Opcode Fuzzy Hash: e96740c3009cd01e2d291c1a7073bbcdeadd6322b5496ad7969da91125644297
Instruction Fuzzy Hash: 4D513CB0B10619AFDF19CF68CD99AAEBBB9FB48300F148129F915E6290D7709E00CF50

Function 002B8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 002B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002B8BE8,?,00000000,?,?,?,?,002B8BBA,00000000,?), ref: 002B8FC5

DestroyWindow.USER32(?), ref: 002B8C81
KillTimer.USER32(00000000,?,?,?,?,002B8BBA,00000000,?), ref: 002B8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 002F6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,002B8BBA,00000000,?), ref: 002F69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,002B8BBA,00000000,?), ref: 002F69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,002B8BBA,00000000), ref: 002F69D4
DeleteObject.GDI32(00000000), ref: 002F69E6

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 383aa5f8658ea6bed06b8953b31715eb535c165df289917c1745daad59f5c5e3
Instruction ID: 9ea4b2b74edd7ad698d3d6ee3a9543c4f92e7abf89abdc749b76e70e21f61149
Opcode Fuzzy Hash: 383aa5f8658ea6bed06b8953b31715eb535c165df289917c1745daad59f5c5e3
Instruction Fuzzy Hash: 7661C032131606DFCB3A8F18C948BB5BBF9FB41392F144529E14A96560CB71ACE1DF90

Function 002B9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 002B9944: GetWindowLongW.USER32(?,000000EB), ref: 002B9952

GetSysColor.USER32(0000000F), ref: 002B9862

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 53cd471388fae17bd6afa2a6fb67b93188e69d65f1e17b455951098c0548d119
Instruction ID: 6dcb1590c15b350e65910ea0a723cc410626e1550e9cbc6dc032f999e5eb2c5b
Opcode Fuzzy Hash: 53cd471388fae17bd6afa2a6fb67b93188e69d65f1e17b455951098c0548d119
Instruction Fuzzy Hash: 6441D331524645AFDB215F389C88BF93BB9EB063B0F144619FBA2971E1C7719C92DB10

Function 003096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,002EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00309717
LoadStringW.USER32(00000000,?,002EF7F8,00000001), ref: 00309720

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,002EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00309742
LoadStringW.USER32(00000000,?,002EF7F8,00000001), ref: 00309745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00309866

Strings

Line %d:, xrefs: 003097A0
Error: , xrefs: 0030981D
Line %d (File "%s"):, xrefs: 0030978F
%s (%d) : ==> %s: %s %s, xrefs: 0030984A
^ ERROR, xrefs: 003097FB

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 2ce00f90e03aada1b393d78f841006811536afa21e5e305b86e8e8990c80d59f
Instruction ID: 2a2be6998012a2345204d58c998e7cb51d1bca7e69c6d05dba02093ed207d348
Opcode Fuzzy Hash: 2ce00f90e03aada1b393d78f841006811536afa21e5e305b86e8e8990c80d59f
Instruction Fuzzy Hash: 9F413B72810219ABCF06EBA1CE96EEE7778AF15340F104065F60572092EF356F58CFA1

Function 003006DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 002A6B57: _wcslen.LIBCMT ref: 002A6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003007A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003007BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003007DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00300804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0030082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00300837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0030083C

Strings

\IPC$, xrefs: 00300784
\CLSID, xrefs: 00300724
SOFTWARE\Classes\, xrefs: 0030070E

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 742beef2cb1d7fa50206e0d9b65e08ba39efa4777e3a280304c1cbed94a72990
Instruction ID: 533da9977ce341542415d1d24723707e8ce805b02d9bdbe62feaab60454fd48d
Opcode Fuzzy Hash: 742beef2cb1d7fa50206e0d9b65e08ba39efa4777e3a280304c1cbed94a72990
Instruction Fuzzy Hash: 6B410772C20229ABCF16EBA4DC959EEB778BF04750F054169E801B31A1EB349E54CFA0

Function 00323C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00323C5C
CoInitialize.OLE32(00000000), ref: 00323C8A
CoUninitialize.OLE32 ref: 00323C94
_wcslen.LIBCMT ref: 00323D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00323DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00323ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00323F0E
CoGetObject.OLE32(?,00000000,0033FB98,?), ref: 00323F2D
SetErrorMode.KERNEL32(00000000), ref: 00323F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00323FC4
VariantClear.OLEAUT32(?), ref: 00323FD8

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 36ccbb23c0f832b3ff4902a7c16b7c62bd9ee8382ccb349e9838f3628292de72
Instruction ID: b80066b22302511d45902d50149494073d5bc577628e39b584de36c8456b5bf3
Opcode Fuzzy Hash: 36ccbb23c0f832b3ff4902a7c16b7c62bd9ee8382ccb349e9838f3628292de72
Instruction Fuzzy Hash: F7C15571608315AFC702DF68D88492BBBE9FF89748F10491DF98A9B251DB34EE05CB52

Function 00317A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00317AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00317B8F
SHGetDesktopFolder.SHELL32(?), ref: 00317BA3
CoCreateInstance.OLE32(0033FD08,00000000,00000001,00366E6C,?), ref: 00317BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00317C74
CoTaskMemFree.OLE32(?,?), ref: 00317CCC
SHBrowseForFolderW.SHELL32(?), ref: 00317D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00317D7A
CoTaskMemFree.OLE32(00000000), ref: 00317D81
CoTaskMemFree.OLE32(00000000), ref: 00317DD6
CoUninitialize.OLE32 ref: 00317DDC

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 4e48642ecba5e5147d85e9ac6ddd051d7d260366af74d840cf518894f98724ba
Instruction ID: 7d2b1b0e3e8b7fe76c9e14577bc0e3f14547b7fbc3f25af49fa360f4bc34a597
Opcode Fuzzy Hash: 4e48642ecba5e5147d85e9ac6ddd051d7d260366af74d840cf518894f98724ba
Instruction Fuzzy Hash: 3BC11C75A14109AFCB15DF64C884DAEBBF9FF48314F148499E8169B261DB30EE85CB90

Function 0033541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00335504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00335515
CharNextW.USER32(00000158), ref: 00335544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00335585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0033559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003355AC

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: ee51a2ae40343594a273b393456b2279b4df2cdf73ccadf7add878d9a3d731ed
Instruction ID: 46823f0499107408a8a9fc166cf959da49fe8b01b3e0b283ab95cf170513b084
Opcode Fuzzy Hash: ee51a2ae40343594a273b393456b2279b4df2cdf73ccadf7add878d9a3d731ed
Instruction Fuzzy Hash: F661BC71904608AFDF22CF55CCC5AFE7BB9EB0A321F158145F925AB290D7749A80DB60

Function 002FFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002FFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 002FFB08
VariantInit.OLEAUT32(?), ref: 002FFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 002FFB3A
VariantCopy.OLEAUT32(?,?), ref: 002FFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 002FFBA1
VariantClear.OLEAUT32(?), ref: 002FFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 002FFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002FFBCC
VariantClear.OLEAUT32(?), ref: 002FFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002FFBE9

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6097c3472f5c6cbd29b2000b4f293296088539200bd7c329123eeccdd5a842ae
Instruction ID: 7966451e25d50b63ae8320fbb1a181e9edee20b01de32b3d529ce33a0bf2b277
Opcode Fuzzy Hash: 6097c3472f5c6cbd29b2000b4f293296088539200bd7c329123eeccdd5a842ae
Instruction Fuzzy Hash: 8A415D35A102199FCB01DFA5D9949FEBBB9FF08384F008079E956A7261DB30A955CFA0

Function 00309C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00309CA1
GetAsyncKeyState.USER32(000000A0), ref: 00309D22
GetKeyState.USER32(000000A0), ref: 00309D3D
GetAsyncKeyState.USER32(000000A1), ref: 00309D57
GetKeyState.USER32(000000A1), ref: 00309D6C
GetAsyncKeyState.USER32(00000011), ref: 00309D84
GetKeyState.USER32(00000011), ref: 00309D96
GetAsyncKeyState.USER32(00000012), ref: 00309DAE
GetKeyState.USER32(00000012), ref: 00309DC0
GetAsyncKeyState.USER32(0000005B), ref: 00309DD8
GetKeyState.USER32(0000005B), ref: 00309DEA

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4538f950960e5872fb2c3a6c35b366bf2edc0262fcbef4cf66e133558b0451b9
Instruction ID: b18cb18a1bb45b74de60cf3ab45a30498c64ca463df7841bc216010fcceaf845
Opcode Fuzzy Hash: 4538f950960e5872fb2c3a6c35b366bf2edc0262fcbef4cf66e133558b0451b9
Instruction Fuzzy Hash: 3241E9349467C96DFF338764C8643B6BEA06F12344F09805BDAC6565C3DBA49DC8C792

Function 0032055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003205BC
inet_addr.WSOCK32(?), ref: 0032061C
gethostbyname.WSOCK32(?), ref: 00320628
IcmpCreateFile.IPHLPAPI ref: 00320636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 003207B9
WSACleanup.WSOCK32 ref: 003207BF

Strings

Ping, xrefs: 00320676

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d9a1988b8fdf50b47ebeb3aa4fe9e8eb04a2a645d9d635873f08c4e996bd66fc
Instruction ID: aedfc4751b1e3c9949da9f7bfcfad648691a53efa8415174e321514a0430f561
Opcode Fuzzy Hash: d9a1988b8fdf50b47ebeb3aa4fe9e8eb04a2a645d9d635873f08c4e996bd66fc
Instruction Fuzzy Hash: F891AD356082119FD326CF19E888F1ABBE4EF45318F1585A9F4699B6A3C730EC49CF91

Function 00328CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00328CF3

Part of subcall function 00308E54: _wcslen.LIBCMT ref: 00308E77

_wcslen.LIBCMT ref: 00328D4E
_wcslen.LIBCMT ref: 00328D9C
_wcslen.LIBCMT ref: 00328DDC
_wcslen.LIBCMT ref: 00328E6E

Strings

winapi, xrefs: 00328D96, 00328D9B
stdcall, xrefs: 00328DD6, 00328DDB
none, xrefs: 00328E65, 00328E6A
cdecl, xrefs: 00328D48, 00328D4D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 813b1a3340d25be8c4dc607e26a73b18b622793ed6a359e46ea5d9d60b39f214
Instruction ID: 72e476f42570f8cdc73733272fabd7e86294c22685964879f9951dd0a3f37971
Opcode Fuzzy Hash: 813b1a3340d25be8c4dc607e26a73b18b622793ed6a359e46ea5d9d60b39f214
Instruction Fuzzy Hash: 3551D332A011269BCF15DF6CD9509BEB3A5BF65724B224229E426E72C4DF30DD44CB90

Function 0032372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00323774
CoUninitialize.OLE32 ref: 0032377F
CoCreateInstance.OLE32(?,00000000,00000017,0033FB78,?), ref: 003237D9
IIDFromString.OLE32(?,?), ref: 0032384C
VariantInit.OLEAUT32(?), ref: 003238E4
VariantClear.OLEAUT32(?), ref: 00323936

Strings

NULL Pointer assignment, xrefs: 0032381E
Invalid parameter, xrefs: 00323865
Failed to create object, xrefs: 003237E4, 0032389A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 7b271bb28cdba338b743fb31bf60fffea040b268ff209945643b094eff8c9e7d
Instruction ID: 535f4b4d67caa0bd42934f92760c363f8b16b82d4ba1667af1a09ae8a7dc39d4
Opcode Fuzzy Hash: 7b271bb28cdba338b743fb31bf60fffea040b268ff209945643b094eff8c9e7d
Instruction Fuzzy Hash: E961D471608321AFD712DF64D888FAAB7E8EF49714F10480DF9859B291D774EE48CB92

Function 00338B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002B9BB2

Part of subcall function 002B912D: GetCursorPos.USER32(?), ref: 002B9141
Part of subcall function 002B912D: ScreenToClient.USER32(00000000,?), ref: 002B915E
Part of subcall function 002B912D: GetAsyncKeyState.USER32(00000001), ref: 002B9183
Part of subcall function 002B912D: GetAsyncKeyState.USER32(00000002), ref: 002B919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00338B6B
ImageList_EndDrag.COMCTL32 ref: 00338B71
ReleaseCapture.USER32 ref: 00338B77
SetWindowTextW.USER32(?,00000000), ref: 00338C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00338C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00338CFF

Strings

p#7, xrefs: 00338C71
@GUI_DROPID, xrefs: 00338C51
@GUI_DRAGFILE, xrefs: 00338C9A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#7
API String ID: 1924731296-3292170530
Opcode ID: 9c05c4a679511b46ac02a75ed4c7cc748a39ff7153018c9b160e16e804aae95d
Instruction ID: 7a4a72312cce20f2a57c14acbec2aa22197caeeb89d0b243fecdf980fc16de02
Opcode Fuzzy Hash: 9c05c4a679511b46ac02a75ed4c7cc748a39ff7153018c9b160e16e804aae95d
Instruction Fuzzy Hash: D651AC71114300AFD715DF14CC96FAAB7E8FB89714F00062DFA96A72E1CB70A954CBA2

Function 00313388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003133CF

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003133F0

Strings

Error: , xrefs: 003134D1
^ ERROR , xrefs: 0031349E
"%s" (%d) : ==> %s:, xrefs: 00313522
Incorrect parameters to object property !, xrefs: 003134AB
Line %d (File "%s"):, xrefs: 00313443, 0031345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00313504

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 39c04f3a1a0a3a8052050f70d52d327d412c2f39aa4045979ffe64db260893f8
Instruction ID: c1ba28b5e26e88211153ed5e8a337253f53ec36f31d4708b25e9a6561c56b95b
Opcode Fuzzy Hash: 39c04f3a1a0a3a8052050f70d52d327d412c2f39aa4045979ffe64db260893f8
Instruction Fuzzy Hash: B5519E72910209ABDF1AEBA1CD46EEEB779AF09740F104065F50572092EF356FA8CF60

Function 0030B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0030B5FC
_wcslen.LIBCMT ref: 0030B608
_wcslen.LIBCMT ref: 0030B64D
_wcslen.LIBCMT ref: 0030B68C
_wcslen.LIBCMT ref: 0030B6C7

Strings

EXISTS, xrefs: 0030B686, 0030B68B
APPEND, xrefs: 0030B6C1, 0030B6C6
KEYS, xrefs: 0030B647, 0030B64C
REMOVE, xrefs: 0030B602, 0030B607

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 8e8608aa9742017aac5ab9cedd8e89c33f368d3b9f239c4667f29a3cd5747043
Instruction ID: 6a67872a0b61b45cb7b41ebd489f406d325d4d6e1542c58e1c1f0a53d0206b25
Opcode Fuzzy Hash: 8e8608aa9742017aac5ab9cedd8e89c33f368d3b9f239c4667f29a3cd5747043
Instruction Fuzzy Hash: 2341DD32A0212B9BCB115F7DC8B15BFF7A5AF61B54B254229E461D72C4E732CD81C790

Function 00315393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00315416
GetLastError.KERNEL32 ref: 00315420
SetErrorMode.KERNEL32(00000000,READY), ref: 003154A7

Strings

READY, xrefs: 00315460, 00315468
READONLY, xrefs: 00315452
INVALID, xrefs: 00315459
UNKNOWN, xrefs: 00315444
NOTREADY, xrefs: 0031544B

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: f075c16755e1e9d871df5b47ca413b2144b3f60b171c8ce48508b683f9aacc48
Instruction ID: 2366bf8fd51f9a1bff42542a5824f3551c83cffa60bfc60cc424a8b13feefdcc
Opcode Fuzzy Hash: f075c16755e1e9d871df5b47ca413b2144b3f60b171c8ce48508b683f9aacc48
Instruction Fuzzy Hash: 1F31CE39A00604DFCB16DF69C485AEABBB8EF89305F148065E405DB292DF71DDC2CB90

Function 00333C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00333C79
SetMenu.USER32(?,00000000), ref: 00333C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00333D10
IsMenu.USER32(?), ref: 00333D24
CreatePopupMenu.USER32 ref: 00333D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00333D5B
DrawMenuBar.USER32 ref: 00333D63

Strings

0, xrefs: 00333C54
F, xrefs: 00333D4E

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: df828a42365c36554e29f94f9452e9b158e48ad561244e59389f80d0305b578f
Instruction ID: 75b1061b1d36c52a1dda7006901641582927ef1b450bc916e4469c343bab662b
Opcode Fuzzy Hash: df828a42365c36554e29f94f9452e9b158e48ad561244e59389f80d0305b578f
Instruction Fuzzy Hash: B2415A75A01209EFDB25CF65D884EEA7BB9FF4A350F154029F946A7360D730AA10CF94

Function 00333A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00333A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00333AA0
GetWindowLongW.USER32(?,000000F0), ref: 00333AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00333AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00333B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00333BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00333BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00333BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00333BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00333C13

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 64872223d52725b7705b6abc12f4e278732e8920b61a7766549d9eb8f249ce01
Instruction ID: 15ee6bf0122af921654f6330c0eb500fd0deffd50b5d149d4adf89501b246298
Opcode Fuzzy Hash: 64872223d52725b7705b6abc12f4e278732e8920b61a7766549d9eb8f249ce01
Instruction Fuzzy Hash: 2D616D75900248AFDB22DFA8CC81EEEB7F8EF09700F144199FA15A7291D774AE45DB50

Function 0030B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0030B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0030A1E1,?,00000001), ref: 0030B165
GetWindowThreadProcessId.USER32(00000000), ref: 0030B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0030A1E1,?,00000001), ref: 0030B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0030B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0030A1E1,?,00000001), ref: 0030B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0030A1E1,?,00000001), ref: 0030B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0030A1E1,?,00000001), ref: 0030B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0030A1E1,?,00000001), ref: 0030B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0030A1E1,?,00000001), ref: 0030B21D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: e806509c0922a5b158dd2f68ecad55788d3b79bfaf11bcb1b406a65238f6f57b
Instruction ID: 93c052c7a33079fc2bbb141df041263fe47880f03142040c78469bdbdbc383d1
Opcode Fuzzy Hash: e806509c0922a5b158dd2f68ecad55788d3b79bfaf11bcb1b406a65238f6f57b
Instruction Fuzzy Hash: D431A271511208BFDB239F28DC99BADBBADBB61311F154805FA06D61D0D7B4DE808F60

Function 002D2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002D2C94

Part of subcall function 002D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002DD7D1,00000000,00000000,00000000,00000000,?,002DD7F8,00000000,00000007,00000000,?,002DDBF5,00000000), ref: 002D29DE
Part of subcall function 002D29C8: GetLastError.KERNEL32(00000000,?,002DD7D1,00000000,00000000,00000000,00000000,?,002DD7F8,00000000,00000007,00000000,?,002DDBF5,00000000,00000000), ref: 002D29F0

_free.LIBCMT ref: 002D2CA0
_free.LIBCMT ref: 002D2CAB
_free.LIBCMT ref: 002D2CB6
_free.LIBCMT ref: 002D2CC1
_free.LIBCMT ref: 002D2CCC
_free.LIBCMT ref: 002D2CD7
_free.LIBCMT ref: 002D2CE2
_free.LIBCMT ref: 002D2CED
_free.LIBCMT ref: 002D2CFB

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c8fd1dde3ffe7c44d6ec5174f1076bbaf1f92657638c5909f7d35deb0602ec6f
Instruction ID: 530c5aac9b342b03ee37c071efb0392a2af5fc271b8a1280ab5500a2a79a9f0d
Opcode Fuzzy Hash: c8fd1dde3ffe7c44d6ec5174f1076bbaf1f92657638c5909f7d35deb0602ec6f
Instruction Fuzzy Hash: 3A119276120108EFCB02EF54D892DDD3BA5BF15350F6154A6FA489B322DA31EE64AF90

Function 002A1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002A1459
OleUninitialize.OLE32(?,00000000), ref: 002A14F8
UnregisterHotKey.USER32(?), ref: 002A16DD
DestroyWindow.USER32(?), ref: 002E24B9
FreeLibrary.KERNEL32(?), ref: 002E251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 002E254B

Strings

close all, xrefs: 002A1454

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 947cc248fb60765497b47608f3909cd04c25d1b0db8b94bf09c7a2992a560803
Instruction ID: cebe84091b9d4c0273c68deaa9ccce5a115a01ed9ca17cdcf220234106089846
Opcode Fuzzy Hash: 947cc248fb60765497b47608f3909cd04c25d1b0db8b94bf09c7a2992a560803
Instruction Fuzzy Hash: 38D16931721212CFCB19EF15C999A69F7A8BF06710F5442ADE44AAB251CF30AD76CF50

Function 002A5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 002A5C7A

Part of subcall function 002A5D0A: GetClientRect.USER32(?,?), ref: 002A5D30
Part of subcall function 002A5D0A: GetWindowRect.USER32(?,?), ref: 002A5D71
Part of subcall function 002A5D0A: ScreenToClient.USER32(?,?), ref: 002A5D99

GetDC.USER32 ref: 002E46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002E4708
SelectObject.GDI32(00000000,00000000), ref: 002E4716
SelectObject.GDI32(00000000,00000000), ref: 002E472B
ReleaseDC.USER32(?,00000000), ref: 002E4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002E47C4

Strings

U, xrefs: 002E4693

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 913572581455f698f7955af4bd87406d84af1bf2821c7eb395688381315f70f5
Instruction ID: faff47b7340b2a48de13f1f6326eb7b8d1755b825b52cae2d4eb06c3e0d42b25
Opcode Fuzzy Hash: 913572581455f698f7955af4bd87406d84af1bf2821c7eb395688381315f70f5
Instruction Fuzzy Hash: 13712631420246DFCF22DF65C984ABABBB6FF4A320F54426AED555A166C730CC61DF90

Function 0031359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003135E4

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

LoadStringW.USER32(00372390,?,00000FFF,?), ref: 0031360A

Strings

Error: , xrefs: 003136EF
"%s" (%d) : ==> %s:, xrefs: 00313742
Line %d (File "%s"):, xrefs: 0031366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00313724
^ ERROR, xrefs: 003136C9

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: f9b96a51c73efaa85fcbaba1e4fbb3cdaa93fddba7286cfcf022e3341c49df83
Instruction ID: 3a273b1ec1e7618d383cf06161643613aecb4bd8f1cacabce7ff85925c463a64
Opcode Fuzzy Hash: f9b96a51c73efaa85fcbaba1e4fbb3cdaa93fddba7286cfcf022e3341c49df83
Instruction Fuzzy Hash: 61516172810219ABDF16EBA1CC42EEDBB79EF05340F144165F10572191EF311AE9DFA0

Function 0031C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0031C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0031C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0031C2CA
GetLastError.KERNEL32 ref: 0031C322
SetEvent.KERNEL32(?), ref: 0031C336
InternetCloseHandle.WININET(00000000), ref: 0031C341

Strings

, xrefs: 0031C2BB

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: fe96931edc5425d4976b4a1c42cf9dc549d83b60d893f178ebbde3eb4b1377ac
Instruction ID: d38e61e50fc879ac4f64f4b25cc2af2fdb4346b51cc655f5259639da2bcca4b3
Opcode Fuzzy Hash: fe96931edc5425d4976b4a1c42cf9dc549d83b60d893f178ebbde3eb4b1377ac
Instruction Fuzzy Hash: 8C31C0B5560204AFDB279F658C88AEB7BFCEB0D740F04A91DF456E2200DB34DD858B60

Function 0030989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002E3AAF,?,?,Bad directive syntax error,0033CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003098BC
LoadStringW.USER32(00000000,?,002E3AAF,?), ref: 003098C3

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00309987

Strings

Line %d:, xrefs: 00309912
Error: , xrefs: 00309955
Line %d (File "%s"):, xrefs: 0030992D
., xrefs: 0030996D
%s (%d) : ==> %s.: %s %s, xrefs: 003098F1

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 008cff0059b3a5030498ba227a4d785173c0742af1d2aec51b38fa7817ba6d7f
Instruction ID: df638cea9baf10cba64c419f1abd1bea46def6960b469a095f1d899d01461933
Opcode Fuzzy Hash: 008cff0059b3a5030498ba227a4d785173c0742af1d2aec51b38fa7817ba6d7f
Instruction Fuzzy Hash: 3D218D3281021AABCF12EF91CC56EEE7739FF19340F04846AF515660A2EF719A68DF50

Function 0030209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 003020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0030214D

Strings

SHELLDLL_DefView, xrefs: 003020CC
largeicons, xrefs: 003020E1
smallicons, xrefs: 00302115
details, xrefs: 003020FB
list, xrefs: 0030212F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: d5a9159dd4dc3ba65f08c418c72b7ef0dac690793c6c38d58e762d1d1353638c
Instruction ID: bcb36c26219c73dc3cde07a1b982e409d41727ea3114a8943bc082ffce5bda64
Opcode Fuzzy Hash: d5a9159dd4dc3ba65f08c418c72b7ef0dac690793c6c38d58e762d1d1353638c
Instruction Fuzzy Hash: 6D113676298306B9FA1B2620DC2FDE7739CDB04324F20412AFB08A54D1EA61A8125B14

Function 002DCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 002DCEB7
_free.LIBCMT ref: 002DCF22
_free.LIBCMT ref: 002DCF48
_free.LIBCMT ref: 002DCF71
_free.LIBCMT ref: 002DCFA9
_free.LIBCMT ref: 002DCFDA
_free.LIBCMT ref: 002DD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 002DD09C
_free.LIBCMT ref: 002DD0B5

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 8887f5d36b1551d715843b6eddbbc02a1e64ca98ff764427919cd84578386f49
Instruction ID: 3e227ed4d646123fe2164f6b9f9d76a7fe8549c8df119550c23bfa26ea6496fd
Opcode Fuzzy Hash: 8887f5d36b1551d715843b6eddbbc02a1e64ca98ff764427919cd84578386f49
Instruction Fuzzy Hash: 726146B1924303EFDB35AFB4D885AA97BA9EF01310F24416FF94497381E6319D25DB90

Function 002B8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 002F6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002F68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002F68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002F68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002F68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002B8874,00000000,00000000,00000000,000000FF,00000000), ref: 002F6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002F691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002B8874,00000000,00000000,00000000,000000FF,00000000), ref: 002F692D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 5c7eeca406f66efc0b98ac69243b2bee3ec90340220f36cf15310804e39af69f
Instruction ID: e49d33e578ebf0200d8d0975dd8f56d498be066d5e395955f9cce24e87cd994e
Opcode Fuzzy Hash: 5c7eeca406f66efc0b98ac69243b2bee3ec90340220f36cf15310804e39af69f
Instruction Fuzzy Hash: F5519070620209EFDB21CF24CC95FAA77B9EB44794F144528FA56D7290DBB0E9A0DB50

Function 0031C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0031C182
GetLastError.KERNEL32 ref: 0031C195
SetEvent.KERNEL32(?), ref: 0031C1A9

Part of subcall function 0031C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0031C272
Part of subcall function 0031C253: GetLastError.KERNEL32 ref: 0031C322
Part of subcall function 0031C253: SetEvent.KERNEL32(?), ref: 0031C336
Part of subcall function 0031C253: InternetCloseHandle.WININET(00000000), ref: 0031C341

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: b44b62d1e0b047d0309bcb74131bad171806f06c6d3852a5063ae6f016279024
Instruction ID: 9b92ad44d236bb653197633fddcd980b036a1ae899ed3a8ed20feffbd67c5f0f
Opcode Fuzzy Hash: b44b62d1e0b047d0309bcb74131bad171806f06c6d3852a5063ae6f016279024
Instruction Fuzzy Hash: B6319C712A0605AFDB269FA5DC44AAABBFCFF1C300F04682DF95696610C730E855DB60

Function 003025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00303A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00303A57
Part of subcall function 00303A3D: GetCurrentThreadId.KERNEL32 ref: 00303A5E
Part of subcall function 00303A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003025B3), ref: 00303A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 003025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 003025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00302601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00302605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0030260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00302623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00302627

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 098e02718b8308e6c72b244e037bf2a48cb33adb2bf53b1ed4b3db783cde4128
Instruction ID: 609ecb3d9e9a5720430ffb36eec0ce2ac519328e719ccc5a1415fdf87c5263f7
Opcode Fuzzy Hash: 098e02718b8308e6c72b244e037bf2a48cb33adb2bf53b1ed4b3db783cde4128
Instruction Fuzzy Hash: D201D4317A0214BBFB1167689CCEF5A7F5DDB4EB12F101001F358BE0D1C9E224449B6A

Function 00301803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00301449,?,?,00000000), ref: 0030180C
HeapAlloc.KERNEL32(00000000,?,00301449,?,?,00000000), ref: 00301813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00301449,?,?,00000000), ref: 00301828
GetCurrentProcess.KERNEL32(?,00000000,?,00301449,?,?,00000000), ref: 00301830
DuplicateHandle.KERNEL32(00000000,?,00301449,?,?,00000000), ref: 00301833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00301449,?,?,00000000), ref: 00301843
GetCurrentProcess.KERNEL32(00301449,00000000,?,00301449,?,?,00000000), ref: 0030184B
DuplicateHandle.KERNEL32(00000000,?,00301449,?,?,00000000), ref: 0030184E
CreateThread.KERNEL32(00000000,00000000,00301874,00000000,00000000,00000000), ref: 00301868

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: d129953132f2323ea94b2ec2c418300c9c8f5df1cb276918276c44ed3e049cae
Instruction ID: 070b72483baae10fb3fbe5acfdb11b66074da84ecbf0332be452e69a7a24c37a
Opcode Fuzzy Hash: d129953132f2323ea94b2ec2c418300c9c8f5df1cb276918276c44ed3e049cae
Instruction Fuzzy Hash: E101BBB5650308BFE711ABA5DC8DF6B3BACEB89B11F009411FA05EB1A1CA74D810DB20

Function 0032A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0030D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0030D501
Part of subcall function 0030D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0030D50F
Part of subcall function 0030D4DC: CloseHandle.KERNEL32(00000000), ref: 0030D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0032A16D
GetLastError.KERNEL32 ref: 0032A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0032A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0032A268
GetLastError.KERNEL32(00000000), ref: 0032A273
CloseHandle.KERNEL32(00000000), ref: 0032A2C4

Strings

SeDebugPrivilege, xrefs: 0032A18F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 54b55a5790318635b2b409ec7ceb809e1f14750167a82e13ae1d02bce8860035
Instruction ID: 03802f12b34a7225455e3ef5a085cdca7422f359a0dcc199e895a4cef480820c
Opcode Fuzzy Hash: 54b55a5790318635b2b409ec7ceb809e1f14750167a82e13ae1d02bce8860035
Instruction Fuzzy Hash: F261BE302047529FD721DF14D494F16BBE5AF44318F19848CE4668BBA3CB76EC45CB92

Function 00333886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00333925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0033393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00333954
_wcslen.LIBCMT ref: 00333999
SendMessageW.USER32(?,00001057,00000000,?), ref: 003339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 003339F4

Strings

SysListView32, xrefs: 003338F7

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 32fd9635bafe52c39e05b8cdd0de50e6ad323c764652939201dbf330e4019c5d
Instruction ID: 1d7a5f977bba6f428e98505a70cb203ed07163c6d84456ad5761e02885229518
Opcode Fuzzy Hash: 32fd9635bafe52c39e05b8cdd0de50e6ad323c764652939201dbf330e4019c5d
Instruction Fuzzy Hash: EB41B471A00218ABEF229F64CC89FEA77A9FF08350F154526F958E7281D771DD94CB90

Function 0030BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0030BCFD
IsMenu.USER32(00000000), ref: 0030BD1D
CreatePopupMenu.USER32 ref: 0030BD53
GetMenuItemCount.USER32(015064C0), ref: 0030BDA4
InsertMenuItemW.USER32(015064C0,?,00000001,00000030), ref: 0030BDCC

Strings

2, xrefs: 0030BD37
0, xrefs: 0030BCA8

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 402d301b4d94a803209b35f0c73e110d73136d72c1227a0d1cf62c5e830e6d48
Instruction ID: 12831e76a7e63bb2cee8d8aa1c531c7308604b1016ca4df8c2c6aec562161c4e
Opcode Fuzzy Hash: 402d301b4d94a803209b35f0c73e110d73136d72c1227a0d1cf62c5e830e6d48
Instruction Fuzzy Hash: CF51AF70A02206DBDF12DFA9D8E4BAEFBF8EF45314F148259E411AB2E1D7709944CB61

Function 002C2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002C2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 002C2D53
_ValidateLocalCookies.LIBCMT ref: 002C2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 002C2E0C
_ValidateLocalCookies.LIBCMT ref: 002C2E61

Strings

&H,, xrefs: 002C2DFE, 002C2E07, 002C2E18
csm, xrefs: 002C2DF6

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H,$csm
API String ID: 1170836740-3703960198
Opcode ID: 62a03ab6990524678cd61998b7b4d50b33110b4582cdedd921521a6e193f46ca
Instruction ID: 4e97e3bf3e065e5cd7faae7950b715338a95bf98a6187d1897a19d48e2054d70
Opcode Fuzzy Hash: 62a03ab6990524678cd61998b7b4d50b33110b4582cdedd921521a6e193f46ca
Instruction Fuzzy Hash: AA41A434A20209EBCF10DF68C845F9EBBB5BF45324F148259E8156B352DB71AA29CFD0

Function 0030C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0030C913

Strings

blank, xrefs: 0030C895
question, xrefs: 0030C8CC
warning, xrefs: 0030C8FC
stop, xrefs: 0030C8E4
info, xrefs: 0030C8B4

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b96716e2c3cd76bec90ba2a4c1ac59325bed2b33d10e1f11bb06a302fa3a4ee9
Instruction ID: b0359fb81923ddcba1089888e5ac72f87a5116dc07f1741f9f4b1374ab8d58a6
Opcode Fuzzy Hash: b96716e2c3cd76bec90ba2a4c1ac59325bed2b33d10e1f11bb06a302fa3a4ee9
Instruction Fuzzy Hash: A3113D316AA306BAE7076B149CA3DEB379CDF15354F20522EF904A61C2D7B05D005668

Function 0030ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0030ED2A
_wcslen.LIBCMT ref: 0030ED3B
_wcslen.LIBCMT ref: 0030ED79
_wcslen.LIBCMT ref: 0030EDAF
_wcslen.LIBCMT ref: 0030EDDF
_wcslen.LIBCMT ref: 0030EDEF
_wcslen.LIBCMT ref: 0030EE2B
_wcslen.LIBCMT ref: 0030EE5A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 8f6c1a2aae46c4704d06c13396997c6da2939b59719380480dfad3dfbb7df0ef
Instruction ID: 6f365e2ad6325ed1f1ff687c2f377c4dc9619ce58c0bccb6ad7f9ee65e9cb460
Opcode Fuzzy Hash: 8f6c1a2aae46c4704d06c13396997c6da2939b59719380480dfad3dfbb7df0ef
Instruction Fuzzy Hash: 8B41C565D2115875CB11FBF4C88AECFB3A8AF05300F004A66E918E3162FB34D265C7E6

Function 002BF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,002F682C,00000004,00000000,00000000), ref: 002BF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,002F682C,00000004,00000000,00000000), ref: 002FF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,002F682C,00000004,00000000,00000000), ref: 002FF454

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: a65a5e5effab4a6db88675d426f9107dde8ddc91448954e4cea363aedb285238
Instruction ID: e33b6db83fc2500a18e651b28c865390092457baabdd683c92e56f11c3c86474
Opcode Fuzzy Hash: a65a5e5effab4a6db88675d426f9107dde8ddc91448954e4cea363aedb285238
Instruction Fuzzy Hash: 76413931238AC1FAC7F98F298F887BABB95AF463D4F14443CE64752560C671A8A0CB11

Function 00332D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00332D1B
GetDC.USER32(00000000), ref: 00332D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00332D2E
ReleaseDC.USER32(00000000,00000000), ref: 00332D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00332D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00332D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00335A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00332DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00332DE1

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: dd102ea8233b94bf770d90670cbf3d8d190ed7323bf77d1f06cffbbe146fe528
Instruction ID: 9b20ce790c7b5f8d751445e8a883b18916c1971e645312393bb9e6773326d5de
Opcode Fuzzy Hash: dd102ea8233b94bf770d90670cbf3d8d190ed7323bf77d1f06cffbbe146fe528
Instruction Fuzzy Hash: 1D317F72211214BFEB124F50CC8AFEB3BADEF09715F044055FE08AA2A1C6759C50C7A4

Function 00305622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00305637
_memcmp.LIBVCRUNTIME ref: 00305659
_memcmp.LIBVCRUNTIME ref: 00305671
_memcmp.LIBVCRUNTIME ref: 00305684
_memcmp.LIBVCRUNTIME ref: 0030569E
_memcmp.LIBVCRUNTIME ref: 003056B1
_memcmp.LIBVCRUNTIME ref: 003056C9
_memcmp.LIBVCRUNTIME ref: 003056E4

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ec018a53b2867bb7b415fa8d4395dc3a54192300c47829305f3db795921032b5
Instruction ID: 58c5b3fb39ab1021d7a7c42576351fb7c749e92d2246e2fcf90d181bc44f5ea9
Opcode Fuzzy Hash: ec018a53b2867bb7b415fa8d4395dc3a54192300c47829305f3db795921032b5
Instruction Fuzzy Hash: B521C861A82A0D7BD21655108EA3FFB235CAE21789F841024FD045BAC2F722ED20CDA5

Function 00324FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0032502E, 00325383
Not an Object type, xrefs: 00325007

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 7c19d7f7243b131e97dec70227c87fae96905e6fab86a8d02ec9fa298f4cf37e
Instruction ID: aa0cb39665226ea10503a18aed70105543327d2b33525c6ad5bda261b3fedec9
Opcode Fuzzy Hash: 7c19d7f7243b131e97dec70227c87fae96905e6fab86a8d02ec9fa298f4cf37e
Instruction Fuzzy Hash: 18D1D275A0061A9FDF11CFA8E880BAEB7B5BF48344F158469E915EB280D770EE41CB90

Function 002E1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002E17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002E15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002E1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002E17FB,?,002E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002E16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002E16FB

Part of subcall function 002D3820: RtlAllocateHeap.NTDLL(00000000,?,00371444,?,002BFDF5,?,?,002AA976,00000010,00371440,002A13FC,?,002A13C6,?,002A1129), ref: 002D3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002E1777
__freea.LIBCMT ref: 002E17A2
__freea.LIBCMT ref: 002E17AE

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 5cca41caf2f9908cf1e0ac032edc52a32de95135cab0474af6d2a25f26f80be4
Instruction ID: f2ed99ab49535c23d7828c0b223d6271676fc273f7b964d0b7ca4c1a80450725
Opcode Fuzzy Hash: 5cca41caf2f9908cf1e0ac032edc52a32de95135cab0474af6d2a25f26f80be4
Instruction Fuzzy Hash: A891B671E702969ADF208E66CC91EEEBBB9AF49710F984579E801E7181D735CC70CB60

Function 00324523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00324648
VariantInit.OLEAUT32(?), ref: 00324749
VariantClear.OLEAUT32(?), ref: 00324753
VariantClear.OLEAUT32(?), ref: 003247B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 003245D8, 00324706, 003247BE
Incorrect Object type in FOR..IN loop, xrefs: 0032472C

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: e78447464f30b973c5756a5ba0b0cebd765814282a6283ca9958aa78e83aa055
Instruction ID: 1215051f0ce69168514e5b63d147cae6b5b8eb07862a04c058dc22a6af4faa47
Opcode Fuzzy Hash: e78447464f30b973c5756a5ba0b0cebd765814282a6283ca9958aa78e83aa055
Instruction Fuzzy Hash: D4919471A00225AFDF25CFA5DC84FAEBBB8EF46714F108559F525AB280D7709941CFA0

Function 00311187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0031125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00311284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0031135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00311430

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 810270a26f0a98923ba080fd6f713b6ab22ee570e3154ec3b5a15fdd2c8501e9
Instruction ID: 44d2340488fb9f10357e86f6045323267028df100a5d003ff06fd79c97ed12a8
Opcode Fuzzy Hash: 810270a26f0a98923ba080fd6f713b6ab22ee570e3154ec3b5a15fdd2c8501e9
Instruction Fuzzy Hash: FA913675A00219AFDB0ADF95D884BFEB7B9FF09710F114429E610EB291DB74A981CF90

Function 002B948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 207bee0ce910f667e243622a5ee31f94516e0715fc4b5f927448f3aa7ebe3a90
Instruction ID: 89dc5ae43ee824bee79d54e020b714636157fffcd09af247719e2a4f7716b0fb
Opcode Fuzzy Hash: 207bee0ce910f667e243622a5ee31f94516e0715fc4b5f927448f3aa7ebe3a90
Instruction Fuzzy Hash: 97914571D5020AEFCB11CFA9CC84AEEBBB8FF49360F148055E611B7251D374AA91CB60

Function 00323947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0032396B
CharUpperBuffW.USER32(?,?), ref: 00323A7A
_wcslen.LIBCMT ref: 00323A8A
VariantClear.OLEAUT32(?), ref: 00323C1F

Part of subcall function 00310CDF: VariantInit.OLEAUT32(00000000), ref: 00310D1F
Part of subcall function 00310CDF: VariantCopy.OLEAUT32(?,?), ref: 00310D28
Part of subcall function 00310CDF: VariantClear.OLEAUT32(?), ref: 00310D34

Strings

Incorrect Parameter format, xrefs: 003239A6, 00323BA1
AUTOIT.ERROR, xrefs: 00323A80, 00323A85

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: a5a38874ea7311985fa9551fa1affd070314c01568acbfe46d524e36f01fdf2f
Instruction ID: 71c54a643a2d9216b7f894d2a717c9619f3fbb5eeb13da578601b61d046625fb
Opcode Fuzzy Hash: a5a38874ea7311985fa9551fa1affd070314c01568acbfe46d524e36f01fdf2f
Instruction Fuzzy Hash: 53915574A183119FC705EF28D48096AB7E5BF89714F04882EF88A9B351DB34EE45CF92

Function 00324BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0030000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,002FFF41,80070057,?,?,?,0030035E), ref: 0030002B
Part of subcall function 0030000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002FFF41,80070057,?,?), ref: 00300046
Part of subcall function 0030000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002FFF41,80070057,?,?), ref: 00300054
Part of subcall function 0030000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002FFF41,80070057,?), ref: 00300064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00324C51
_wcslen.LIBCMT ref: 00324D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00324DCF
CoTaskMemFree.OLE32(?), ref: 00324DDA

Strings

NULL Pointer assignment, xrefs: 00324E23, 00324E52

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: babb7e434ab061882b144a230b4b2449d4b401d842fbbd07bcf0a972d7520452
Instruction ID: 9a96edff6c2a3ce2caaf0361e0bdd098a97ca2f5a5985bd76e8e74a1a222f857
Opcode Fuzzy Hash: babb7e434ab061882b144a230b4b2449d4b401d842fbbd07bcf0a972d7520452
Instruction Fuzzy Hash: 82911771D0022DAFDF15DFA4D891AEEB7B8BF08310F108569E915BB251DB349A54CF60

Function 003320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00332183
GetMenuItemCount.USER32(00000000), ref: 003321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003321DD
_wcslen.LIBCMT ref: 00332213
GetMenuItemID.USER32(?,?), ref: 0033224D
GetSubMenu.USER32(?,?), ref: 0033225B

Part of subcall function 00303A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00303A57
Part of subcall function 00303A3D: GetCurrentThreadId.KERNEL32 ref: 00303A5E
Part of subcall function 00303A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003025B3), ref: 00303A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003322E3

Part of subcall function 0030E97B: Sleep.KERNEL32 ref: 0030E9F3

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 183e8e63d6a5d21938150af54d55aebba2036ed9d53b02d386bf66141cc4c945
Instruction ID: cce23e187c3e239021d6e923adb85241dde9bbe6ab4fef3a0a5d6be9f0a7339c
Opcode Fuzzy Hash: 183e8e63d6a5d21938150af54d55aebba2036ed9d53b02d386bf66141cc4c945
Instruction Fuzzy Hash: 12718B35E00205AFCB52EF65C885AAFB7F5AF49310F158859E816EB351DB34EE418F90

Function 0030AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0030AEF9
GetKeyboardState.USER32(?), ref: 0030AF0E
SetKeyboardState.USER32(?), ref: 0030AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0030AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0030AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0030AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0030B020

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 529bd096576510b8c562c9cafd248689c945ef3a3a9e5d9e5504211aaadd002f
Instruction ID: a755a86ee0cb494cc1d8014971956bc2a7fdb7eff280c0ca30773851b710fe89
Opcode Fuzzy Hash: 529bd096576510b8c562c9cafd248689c945ef3a3a9e5d9e5504211aaadd002f
Instruction Fuzzy Hash: C451B3A0615BD63DFB378334CC65BBBBEE95B06304F098589E1D9998C2C398ACC4D751

Function 0030ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0030AD19
GetKeyboardState.USER32(?), ref: 0030AD2E
SetKeyboardState.USER32(?), ref: 0030AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0030ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0030ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0030AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0030AE38

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b3bab72b5ad05a23263c5f8573e1892f125b38dce7b34a9ede34b0924fe70118
Instruction ID: 90c11d5c02e4fbff2d6975afc7c5a17ba7f60b4488e7bc9205a689ecb4cd0e40
Opcode Fuzzy Hash: b3bab72b5ad05a23263c5f8573e1892f125b38dce7b34a9ede34b0924fe70118
Instruction Fuzzy Hash: F451F6A150ABD53DFB338334DCB5B7ABEA85B46300F088489E1D55A8C3D394EC88E752

Function 002D542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(002E3CD6,?,?,?,?,?,?,?,?,002D5BA3,?,?,002E3CD6,?,?), ref: 002D5470
__fassign.LIBCMT ref: 002D54EB
__fassign.LIBCMT ref: 002D5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,002E3CD6,00000005,00000000,00000000), ref: 002D552C
WriteFile.KERNEL32(?,002E3CD6,00000000,002D5BA3,00000000,?,?,?,?,?,?,?,?,?,002D5BA3,?), ref: 002D554B
WriteFile.KERNEL32(?,?,00000001,002D5BA3,00000000,?,?,?,?,?,?,?,?,?,002D5BA3,?), ref: 002D5584

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b7c6ff1ffa44f3645591cf4f9d5fde69710efe164670159154c74b9e84b3417c
Instruction ID: fa82e9806e7f0f4947a892c57ae869339fd0b16df62cf5423d643e16b901c1ef
Opcode Fuzzy Hash: b7c6ff1ffa44f3645591cf4f9d5fde69710efe164670159154c74b9e84b3417c
Instruction Fuzzy Hash: AB51B170A10659AFDB12CFA8E885AEEBBF9EF08300F14411BF555E7391D6709E61CB60

Function 003210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0032304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0032307A
Part of subcall function 0032304E: _wcslen.LIBCMT ref: 0032309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00321112
WSAGetLastError.WSOCK32 ref: 00321121
WSAGetLastError.WSOCK32 ref: 003211C9
closesocket.WSOCK32(00000000), ref: 003211F9

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: ec83ba927e79b7e5e94c87cb2cc1bd315935025aa212d68059acaa788d5afab1
Instruction ID: 69a9f56d36845e6bc33f60253acd9b8206532acd7604c7baf30655c259c4e213
Opcode Fuzzy Hash: ec83ba927e79b7e5e94c87cb2cc1bd315935025aa212d68059acaa788d5afab1
Instruction Fuzzy Hash: E541F431600214AFDB129F24D885BAAB7E9FF45324F148059FD05AB292C774BE51CBE1

Function 0030CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0030DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0030CF22,?), ref: 0030DDFD

Part of subcall function 0030DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0030CF22,?), ref: 0030DE16

lstrcmpiW.KERNEL32(?,?), ref: 0030CF45
MoveFileW.KERNEL32(?,?), ref: 0030CF7F
_wcslen.LIBCMT ref: 0030D005
_wcslen.LIBCMT ref: 0030D01B
SHFileOperationW.SHELL32(?), ref: 0030D061

Strings

\*.*, xrefs: 0030CFF3

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 97dee98b3d0df34bb86538be5736219e541800b73f661773716c753b181d94d4
Instruction ID: 1eb1c24b45236f8920df9aa30b22d6b829944df957e41a6d452b94b4ddf5ed8a
Opcode Fuzzy Hash: 97dee98b3d0df34bb86538be5736219e541800b73f661773716c753b181d94d4
Instruction Fuzzy Hash: 7A4176B19162195FDF13EBA4C991EDEB7FCAF08380F0000E6E505EB182EA34A684CF51

Function 00332DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00332E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00332E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00332E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00332EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00332EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00332EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00332F0B

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8f4c8d2ee1504dde448c6267408f2a14c142e5e9dbd1dc53f85c6da527202ddd
Instruction ID: 4850a591d931236fc660003b0f1b7d2674cd695af501831b1cf051d5bbf33682
Opcode Fuzzy Hash: 8f4c8d2ee1504dde448c6267408f2a14c142e5e9dbd1dc53f85c6da527202ddd
Instruction Fuzzy Hash: 3C3106356042509FDB22CF58DCC6F6677E9FB4A710F1A1164FA449F2B1CB71A881DB41

Function 00307726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00307769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0030778F
SysAllocString.OLEAUT32(00000000), ref: 00307792
SysAllocString.OLEAUT32(?), ref: 003077B0
SysFreeString.OLEAUT32(?), ref: 003077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 003077DE
SysAllocString.OLEAUT32(?), ref: 003077EC

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ec5ebf1e5ea5be2e2b439e7d0ba1ef6d68f1e461e5ca517f6252bb17c2b7c859
Instruction ID: ef169c280da258cef1a767d6d98c07acc04c9a8461aa2fd5715a24737c1c67b8
Opcode Fuzzy Hash: ec5ebf1e5ea5be2e2b439e7d0ba1ef6d68f1e461e5ca517f6252bb17c2b7c859
Instruction Fuzzy Hash: AB21D676A05219AFDF12DFA8CC88CFB73ACEB097A4B008025FA14DB190D670EC418B60

Function 003077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00307842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00307868
SysAllocString.OLEAUT32(00000000), ref: 0030786B
SysAllocString.OLEAUT32 ref: 0030788C
SysFreeString.OLEAUT32 ref: 00307895
StringFromGUID2.OLE32(?,?,00000028), ref: 003078AF
SysAllocString.OLEAUT32(?), ref: 003078BD

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: eb8fa3a9473abab942d224f3eda6d7a2eaafe94a60cb1d73a4a4f67109836845
Instruction ID: a73b5dc58d3989bc8c6728da5f2b426754cad31a38c925f070f282d3d234e68f
Opcode Fuzzy Hash: eb8fa3a9473abab942d224f3eda6d7a2eaafe94a60cb1d73a4a4f67109836845
Instruction Fuzzy Hash: 8121A132A09204AFDB129FB8DC9DDBA77ECEB08360B10C125F915DB2A1D674EC41CB64

Function 003104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0031052E

Strings

nul, xrefs: 00310567

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e034227b1a651a4b40a6c1bfad975eba7fa11d956b866ee982c8d253253121cf
Instruction ID: d3c8828f216adb815b068c2a11ce5ea39ad970eeaa96f5dfa99ee187201dceeb
Opcode Fuzzy Hash: e034227b1a651a4b40a6c1bfad975eba7fa11d956b866ee982c8d253253121cf
Instruction Fuzzy Hash: DD21A2755043059BCF299F28DC44ADA77A9AF49720F204A18F8A1E61E0D7B099D0CF20

Function 003105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00310601

Strings

nul, xrefs: 00310639

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ba8cbdb96b2bd65c8afc8a6b78caf550181ebf4ed97b35e0bacde8b011d7c692
Instruction ID: 67daaded1046df23ddddd8b45f45ded483ffb7aa4a9836514b1c728d4a804322
Opcode Fuzzy Hash: ba8cbdb96b2bd65c8afc8a6b78caf550181ebf4ed97b35e0bacde8b011d7c692
Instruction Fuzzy Hash: 102153755003059BDB2A9F69DC44ADA77E8EF99720F204A19F8A1E72D0D7F099E0CB50

Function 003340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002A604C
Part of subcall function 002A600E: GetStockObject.GDI32(00000011), ref: 002A6060
Part of subcall function 002A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 002A606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00334112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0033411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0033412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00334139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00334145

Strings

Msctls_Progress32, xrefs: 003340E3

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 93e6ff5369b8ba0c24420e9f4b2ed421b4f2d0fe14b49bd34e6f6d50cd1b85a0
Instruction ID: 15e177a00b88f6089c83078bd71c241ef2172463af22944e89abe9c76dba4ffc
Opcode Fuzzy Hash: 93e6ff5369b8ba0c24420e9f4b2ed421b4f2d0fe14b49bd34e6f6d50cd1b85a0
Instruction Fuzzy Hash: 5E11B2B2150219BFEF228F64CC86EE77F5DEF08798F014111FA18A6150CB729C61DBA4

Function 002DD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002DD7A3: _free.LIBCMT ref: 002DD7CC

_free.LIBCMT ref: 002DD82D

Part of subcall function 002D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002DD7D1,00000000,00000000,00000000,00000000,?,002DD7F8,00000000,00000007,00000000,?,002DDBF5,00000000), ref: 002D29DE
Part of subcall function 002D29C8: GetLastError.KERNEL32(00000000,?,002DD7D1,00000000,00000000,00000000,00000000,?,002DD7F8,00000000,00000007,00000000,?,002DDBF5,00000000,00000000), ref: 002D29F0

_free.LIBCMT ref: 002DD838
_free.LIBCMT ref: 002DD843
_free.LIBCMT ref: 002DD897
_free.LIBCMT ref: 002DD8A2
_free.LIBCMT ref: 002DD8AD
_free.LIBCMT ref: 002DD8B8

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: efecbf4575a97c111e534b1c6c530823a1df9b19cfff9c7ad3dec6b6e1577ab1
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: BF115171564F04EAE521BFB0CC47FCBBBDC6F10700F401826B29DA6292DA65BD255E50

Function 0030DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0030DA74
LoadStringW.USER32(00000000), ref: 0030DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0030DA91
LoadStringW.USER32(00000000), ref: 0030DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0030DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0030DAB9

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: fcc95fa3d6b507c618d31fe4d25581678e77e0f777c68c40a0f4f634e8918b27
Instruction ID: 38a6e3e0241f19a49710cf9f84627582e6f4e77dce0e32f378400a830ad4f307
Opcode Fuzzy Hash: fcc95fa3d6b507c618d31fe4d25581678e77e0f777c68c40a0f4f634e8918b27
Instruction Fuzzy Hash: 43016DF69102087FE712ABA49DC9EEB326CEB08301F405496B746F2081EA749E848F74

Function 0031096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(014FF188,014FF188), ref: 0031097B
EnterCriticalSection.KERNEL32(014FF168,00000000), ref: 0031098D
TerminateThread.KERNEL32(00540050,000001F6), ref: 0031099B
WaitForSingleObject.KERNEL32(00540050,000003E8), ref: 003109A9
CloseHandle.KERNEL32(00540050), ref: 003109B8
InterlockedExchange.KERNEL32(014FF188,000001F6), ref: 003109C8
LeaveCriticalSection.KERNEL32(014FF168), ref: 003109CF

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c485b2868ba3ead92eb1c5a79f1f8e6409a28b0d8240e47af1fde7f0877dba75
Instruction ID: 596af0a936f7e59b8a47d3c9d416b3e617d44d5576b297c205a0d128fd29c02d
Opcode Fuzzy Hash: c485b2868ba3ead92eb1c5a79f1f8e6409a28b0d8240e47af1fde7f0877dba75
Instruction Fuzzy Hash: F6F0CD31452512ABDB565B94EEC9AD67A39BF05702F402415F101A08A1C7B594B5CF90

Function 00321C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00321DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00321DE1
WSAGetLastError.WSOCK32 ref: 00321DF2
htons.WSOCK32(?,?,?,?,?), ref: 00321EDB
inet_ntoa.WSOCK32(?), ref: 00321E8C

Part of subcall function 003039E8: _strlen.LIBCMT ref: 003039F2

Part of subcall function 00323224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0031EC0C), ref: 00323240

_strlen.LIBCMT ref: 00321F35

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: ebd87a759e1a6b3258556c633bf3f3f57f13d53745dfe0d9ca242c4149215682
Instruction ID: 3b24732a56509fe300aa72eb1c5a436d338b02f8575d1b36d15d71b324d13c35
Opcode Fuzzy Hash: ebd87a759e1a6b3258556c633bf3f3f57f13d53745dfe0d9ca242c4149215682
Instruction Fuzzy Hash: 3FB10031204310AFC325DF24D985E2A7BE5AF95318F598A4CF46A5F2E2CB31ED42CB91

Function 002D01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002D00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002D00D6
__allrem.LIBCMT ref: 002D00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002D010B
__allrem.LIBCMT ref: 002D0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002D0140

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 0ed4ed9643aa7bdc793622447c7f925a4919b2d9335d9fd5e1234625bd4932ba
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: EE81E472A20706ABE7209E69CC81B6A73A9EF41324F24423FF455D77D1E7B0DD208B90

Function 002D61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002C82D9,002C82D9,?,?,?,002D644F,00000001,00000001,8BE85006), ref: 002D6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002D644F,00000001,00000001,8BE85006,?,?,?), ref: 002D62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002D63D8
__freea.LIBCMT ref: 002D63E5

Part of subcall function 002D3820: RtlAllocateHeap.NTDLL(00000000,?,00371444,?,002BFDF5,?,?,002AA976,00000010,00371440,002A13FC,?,002A13C6,?,002A1129), ref: 002D3852

__freea.LIBCMT ref: 002D63EE
__freea.LIBCMT ref: 002D6413

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7dbe052aa484515ac2ba19b77f2a4d3bb47096a32281d55cc8f603b7d8703f11
Instruction ID: 419c5bacdad41b57e2e5c63a920cf0bed0fdd56f0eef92613b0ca53840093417
Opcode Fuzzy Hash: 7dbe052aa484515ac2ba19b77f2a4d3bb47096a32281d55cc8f603b7d8703f11
Instruction Fuzzy Hash: 29510372A20217ABDB258FA4CC89EBF77A9EF44B10F14436AFC05D6241DB34DC64DA60

Function 0032BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

Part of subcall function 0032C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0032B6AE,?,?), ref: 0032C9B5
Part of subcall function 0032C998: _wcslen.LIBCMT ref: 0032C9F1
Part of subcall function 0032C998: _wcslen.LIBCMT ref: 0032CA68
Part of subcall function 0032C998: _wcslen.LIBCMT ref: 0032CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0032BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0032BD25
RegCloseKey.ADVAPI32(00000000), ref: 0032BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0032BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0032BDF3
RegCloseKey.ADVAPI32(?), ref: 0032BDFF

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 6efd5edc7704d0d10b5c87e9518a628bc9d6fd7f07ff62412eb0be0444633af7
Instruction ID: 3c2f77486898009ad9ae5a6c824ac0c588d6e1c4ee8f0730a52545aa4ab0d05b
Opcode Fuzzy Hash: 6efd5edc7704d0d10b5c87e9518a628bc9d6fd7f07ff62412eb0be0444633af7
Instruction Fuzzy Hash: 8F81AB30218241AFC715DF24D881E6ABBE9FF85308F15896CF5598B2A2DB31ED45CB92

Function 002FF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 002FF7B9
SysAllocString.OLEAUT32(00000001), ref: 002FF860
VariantCopy.OLEAUT32(002FFA64,00000000), ref: 002FF889
VariantClear.OLEAUT32(002FFA64), ref: 002FF8AD
VariantCopy.OLEAUT32(002FFA64,00000000), ref: 002FF8B1
VariantClear.OLEAUT32(?), ref: 002FF8BB

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 68f43710d93b7fc0246270af1475fcb48dccc75f8d66f1a61095a8d698994fdb
Instruction ID: 56030067bacd0d5095bef9e658a3599c4aa7dc02534309d6f509d8bfb8c86075
Opcode Fuzzy Hash: 68f43710d93b7fc0246270af1475fcb48dccc75f8d66f1a61095a8d698994fdb
Instruction Fuzzy Hash: 4251E531530318AACF90AF65D995B39F3A8EF45790F209476EA01DF292DBF08C60DB56

Function 0031910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 002A7620: _wcslen.LIBCMT ref: 002A7625

Part of subcall function 002A6B57: _wcslen.LIBCMT ref: 002A6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 003194E5
_wcslen.LIBCMT ref: 00319506
_wcslen.LIBCMT ref: 0031952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00319585

Strings

X, xrefs: 00319412

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 3d597ab77217b805c2f253470a2d0110ce6fcdef89a05fdc75ad4bfe26bb64d5
Instruction ID: 73f16cfac595596066bceb6b62222a6b39b5709a579cd7244e28bdb39002de28
Opcode Fuzzy Hash: 3d597ab77217b805c2f253470a2d0110ce6fcdef89a05fdc75ad4bfe26bb64d5
Instruction Fuzzy Hash: 05E1C3315183408FC719DF24C891BAAB7E5BF89314F05896DF8999B2A2DB30DD45CF92

Function 002B920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 002B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002B9BB2

BeginPaint.USER32(?,?,?), ref: 002B9241
GetWindowRect.USER32(?,?), ref: 002B92A5
ScreenToClient.USER32(?,?), ref: 002B92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002B92D3
EndPaint.USER32(?,?,?,?,?), ref: 002B9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002F71EA

Part of subcall function 002B9339: BeginPath.GDI32(00000000), ref: 002B9357

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: e7c72304921d4a94e22d6001a83c56bcb173cdb9c242af288cb6244d2a6f4659
Instruction ID: 6c3f91f5528ddc498178d2d2c99550a96802355dac9cabd1cb178c4da19bc178
Opcode Fuzzy Hash: e7c72304921d4a94e22d6001a83c56bcb173cdb9c242af288cb6244d2a6f4659
Instruction Fuzzy Hash: F341A131524201AFD722DF28CCC5FBA7BB8EB463A0F140269FA68971A1C7719895DB61

Function 003107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0031080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00310847
EnterCriticalSection.KERNEL32(?), ref: 00310863
LeaveCriticalSection.KERNEL32(?), ref: 003108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00310921

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 5ca3090dc3d8bc01bb37f751938d07b4f047d3c7082a6805ea06d7b93626f016
Instruction ID: 80c84e109bcfd8560848043c1c6c0f0cba4d1cc46256a130a397869fd49b8e87
Opcode Fuzzy Hash: 5ca3090dc3d8bc01bb37f751938d07b4f047d3c7082a6805ea06d7b93626f016
Instruction Fuzzy Hash: 9E416D71910205EBDF199F64DC85AAA77B9FF08310F1440A9ED00EA297D770DEA4DFA0

Function 003381DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,002FF3AB,00000000,?,?,00000000,?,002F682C,00000004,00000000,00000000), ref: 0033824C
EnableWindow.USER32(00000000,00000000), ref: 00338272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 003382D1
ShowWindow.USER32(00000000,00000004), ref: 003382E5
EnableWindow.USER32(00000000,00000001), ref: 0033830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0033832F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 513762b4d96b9f3cf1b186cb03ff28a743c27a159ce44b0752dd12ff89bd6777
Instruction ID: d8945666da5d93586df6001955d61a66f5b2f7c491b4e81e3d62cc055c6d8bf2
Opcode Fuzzy Hash: 513762b4d96b9f3cf1b186cb03ff28a743c27a159ce44b0752dd12ff89bd6777
Instruction Fuzzy Hash: 14418339601744AFDB23CF15C8D9BA57BF4BB0A714F195169FA089B262CB31A841CB50

Function 00304C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00304C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00304CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00304CEA
_wcslen.LIBCMT ref: 00304D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00304D10
_wcsstr.LIBVCRUNTIME ref: 00304D1A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: de0c13d8d0dea2bc8dfc56581d9a87992e663ce86d9f9a390a6373d6d333649a
Instruction ID: 24edfac986033ff629a95f1b30c5c48ddf361eccdfe8b03181ea44a735719384
Opcode Fuzzy Hash: de0c13d8d0dea2bc8dfc56581d9a87992e663ce86d9f9a390a6373d6d333649a
Instruction Fuzzy Hash: 672129B1205200BBEB169B39AC5AE7BBB9CDF45750F14802DF905DA1D2EA71CE5087A0

Function 0031581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 002A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002A3A97,?,?,002A2E7F,?,?,?,00000000), ref: 002A3AC2

_wcslen.LIBCMT ref: 0031587B
CoInitialize.OLE32(00000000), ref: 00315995
CoCreateInstance.OLE32(0033FCF8,00000000,00000001,0033FB68,?), ref: 003159AE
CoUninitialize.OLE32 ref: 003159CC

Strings

.lnk, xrefs: 00315876, 003158C1, 00315985

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: bd3be9c2e5669bdeaadebcc7005ae33ddc49efbb4eb08a0aa4f6b99ffdec58a9
Instruction ID: 7cc9f81cd58bde0ac9b1ce2d77c2b7e1de4f40067da7be2f00e0d84ce30ca590
Opcode Fuzzy Hash: bd3be9c2e5669bdeaadebcc7005ae33ddc49efbb4eb08a0aa4f6b99ffdec58a9
Instruction Fuzzy Hash: 81D16471A08601DFC719DF24C480A6ABBE5EF89710F15895DF88A9B361DB31EC85CF92

Function 0030175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00300FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00300FCA
Part of subcall function 00300FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00300FD6
Part of subcall function 00300FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00300FE5
Part of subcall function 00300FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00300FEC
Part of subcall function 00300FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00301002

GetLengthSid.ADVAPI32(?,00000000,00301335), ref: 003017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003017BA
HeapAlloc.KERNEL32(00000000), ref: 003017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 003017DA
GetProcessHeap.KERNEL32(00000000,00000000,00301335), ref: 003017EE
HeapFree.KERNEL32(00000000), ref: 003017F5

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 1accf9a9290294b820180653a8c3b5b75df176bfdbfbc773f60cbabb5ebcf02c
Instruction ID: 7129a0924e26427b7a92f0d5ceec7ce049ab49f1eaa08959b467bb68133dc6e1
Opcode Fuzzy Hash: 1accf9a9290294b820180653a8c3b5b75df176bfdbfbc773f60cbabb5ebcf02c
Instruction Fuzzy Hash: 3511BE32912205FFDB269FA4CC99BAE7BEDEB45755F104018F481A7290C736A940DB60

Function 003014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00301506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00301515
CloseHandle.KERNEL32(00000004), ref: 00301520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0030154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00301563

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 1097f851524fca4f1b8e91484e108e48c352b31130ebc994b1b756f4df9232ac
Instruction ID: 50a961232c5f6158dd8df5fde99d142d209907d31e758a3aeaf28ba39976bd69
Opcode Fuzzy Hash: 1097f851524fca4f1b8e91484e108e48c352b31130ebc994b1b756f4df9232ac
Instruction Fuzzy Hash: 7C112672501249AFDF128FA8DD89BDE7BADEF49748F054025FA05A20A0C375CE64DB60

Function 002C3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002C3379,002C2FE5), ref: 002C3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002C339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002C33B7
SetLastError.KERNEL32(00000000,?,002C3379,002C2FE5), ref: 002C3409

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 092d768bf0014cfa2af0fb0e0030b5c74e001ad40b3d3a1d29e66ea8b80f03c5
Instruction ID: da317eeab7a02b7ffb99e79b5e3c5753a3e8a5c2da94407baf27a982081841c6
Opcode Fuzzy Hash: 092d768bf0014cfa2af0fb0e0030b5c74e001ad40b3d3a1d29e66ea8b80f03c5
Instruction Fuzzy Hash: 8401F53223C352AEE6266B747C95F662A9CDB05379B30C72DF410821F0EF618D2159C8

Function 002D2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002D5686,002E3CD6,?,00000000,?,002D5B6A,?,?,?,?,?,002CE6D1,?,00368A48), ref: 002D2D78
_free.LIBCMT ref: 002D2DAB
_free.LIBCMT ref: 002D2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,002CE6D1,?,00368A48,00000010,002A4F4A,?,?,00000000,002E3CD6), ref: 002D2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,002CE6D1,?,00368A48,00000010,002A4F4A,?,?,00000000,002E3CD6), ref: 002D2DEC
_abort.LIBCMT ref: 002D2DF2

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 9c8939c36c5a7928f1042c140f65091615c0e4c0f5eeddb3857e9445c5e27042
Instruction ID: d68250b17718bdfc31de4dedbb927541bdf87a2541bc06958c338180a379ba94
Opcode Fuzzy Hash: 9c8939c36c5a7928f1042c140f65091615c0e4c0f5eeddb3857e9445c5e27042
Instruction Fuzzy Hash: 03F0A935534601E7C2236734AC0AE5A255AABE27B1F244417F864A2395EE648C395671

Function 00338A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 002B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002B9693
Part of subcall function 002B9639: SelectObject.GDI32(?,00000000), ref: 002B96A2
Part of subcall function 002B9639: BeginPath.GDI32(?), ref: 002B96B9
Part of subcall function 002B9639: SelectObject.GDI32(?,00000000), ref: 002B96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00338A4E
LineTo.GDI32(?,00000003,00000000), ref: 00338A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00338A70
LineTo.GDI32(?,00000000,00000003), ref: 00338A80
EndPath.GDI32(?), ref: 00338A90
StrokePath.GDI32(?), ref: 00338AA0

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ecbd71d18b0767fb7b9c10a66150413094206cc06fce6e84265d6618ca70406c
Instruction ID: c8b29afb38c3ade4fb4d59ab9a5b94d7f5e5aaca13a2b91df69401f1949a6129
Opcode Fuzzy Hash: ecbd71d18b0767fb7b9c10a66150413094206cc06fce6e84265d6618ca70406c
Instruction Fuzzy Hash: 1711C97601014DFFDB129F94DC88EEA7F6DEB08354F048012BA19AA1A1C7719D95DFA0

Function 003051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00305218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00305229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00305230
ReleaseDC.USER32(00000000,00000000), ref: 00305238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0030524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00305261

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9d2186245b97b26424c5342c238184d528327b4c1585728a9f9f6db2bdc444e4
Instruction ID: 3fe12744408ec2f1a018fc07926afd8d1f16c4f1da57a4b2aa68a0dc8e85fb29
Opcode Fuzzy Hash: 9d2186245b97b26424c5342c238184d528327b4c1585728a9f9f6db2bdc444e4
Instruction Fuzzy Hash: 98014F75E01718BBEB119BA59C89A5EBFBCEF48751F044465FA04E7291D6709800CFA0

Function 002A1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 002A1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 002A1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002A1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002A1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 002A1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 002A1C22

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 72bee56ae3c9ba4f12f23c8d4806fe0dfc6f35ba474042a1ce62424815c78279
Instruction ID: 660e66fbdb97137d4b4156bca178586f17bd3036c9801e66596f2096623b6381
Opcode Fuzzy Hash: 72bee56ae3c9ba4f12f23c8d4806fe0dfc6f35ba474042a1ce62424815c78279
Instruction Fuzzy Hash: D10167B0902B5ABDE3008F6A8C85B52FFA8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0030EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0030EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0030EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0030EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0030EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0030EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0030EB75

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1b60d27af3b2d8323023939bf419166d125c1ee328e478533da1cbeac1cfdbcb
Instruction ID: 718297f6d03608a270e9ad14ce843f9de59aa007a99573d647dee759e4b42970
Opcode Fuzzy Hash: 1b60d27af3b2d8323023939bf419166d125c1ee328e478533da1cbeac1cfdbcb
Instruction Fuzzy Hash: 86F0BE72610118BBE7225B629C8EEEF7E7CEFCBB11F001158F601E1090D7A01A01D7B4

Function 002F7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 002F7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 002F7469
GetWindowDC.USER32(?), ref: 002F7475
GetPixel.GDI32(00000000,?,?), ref: 002F7484
ReleaseDC.USER32(?,00000000), ref: 002F7496
GetSysColor.USER32(00000005), ref: 002F74B0

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: d68d5601f9e7990126fb40e020f74e15e26711c8d289fcc787f743743bfcba6f
Instruction ID: 2bbf1da49b81d5e3e6618e8c397116acc71e8caf90f9add11075349d87e88f71
Opcode Fuzzy Hash: d68d5601f9e7990126fb40e020f74e15e26711c8d289fcc787f743743bfcba6f
Instruction Fuzzy Hash: 9D01AD32420209EFEB125F64DC49BFABBB9FF04351F141060FA15A20A0CB311EA1EB10

Function 00301874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0030187F
UnloadUserProfile.USERENV(?,?), ref: 0030188B
CloseHandle.KERNEL32(?), ref: 00301894
CloseHandle.KERNEL32(?), ref: 0030189C
GetProcessHeap.KERNEL32(00000000,?), ref: 003018A5
HeapFree.KERNEL32(00000000), ref: 003018AC

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9c974332679872aef78f7c8413bc669648fc12c8224de65d7b87b4565803145f
Instruction ID: 8ffd7eb4df16994b5b84f184ee610bd1493a60a4731bcc546235031bc8794a1a
Opcode Fuzzy Hash: 9c974332679872aef78f7c8413bc669648fc12c8224de65d7b87b4565803145f
Instruction Fuzzy Hash: 2EE0C236414101BBDA025BA1ED8C90ABB2DFB49B22F109220F225A1070CB329430EB50

Function 002ABBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002ABEB3

Strings

D%7D%7, xrefs: 002ABCA5
D%7, xrefs: 002ABDED, 002ABD91, 002ABD1B
D%7, xrefs: 002ABE9A
D%7, xrefs: 002ABCA2

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%7$D%7$D%7$D%7D%7
API String ID: 1385522511-2665458907
Opcode ID: f4552bfda5cba3832f5007b172c7c0e69a7e65e38acf7dcf3c6806ca0f4acd2b
Instruction ID: 0c31d618a5ad54f472e3eb6e60ade5aa17d29ef071e28af79238ed03ceba640d
Opcode Fuzzy Hash: f4552bfda5cba3832f5007b172c7c0e69a7e65e38acf7dcf3c6806ca0f4acd2b
Instruction Fuzzy Hash: B9916E75A20206CFCB15CF59C090AAAB7F2FF5A310F24415ED5459B352DB71ADA1CF90

Function 00327B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 002C0242: EnterCriticalSection.KERNEL32(0037070C,00371884,?,?,002B198B,00372518,?,?,?,002A12F9,00000000), ref: 002C024D
Part of subcall function 002C0242: LeaveCriticalSection.KERNEL32(0037070C,?,002B198B,00372518,?,?,?,002A12F9,00000000), ref: 002C028A

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

Part of subcall function 002C00A3: __onexit.LIBCMT ref: 002C00A9

__Init_thread_footer.LIBCMT ref: 00327BFB

Part of subcall function 002C01F8: EnterCriticalSection.KERNEL32(0037070C,?,?,002B8747,00372514), ref: 002C0202
Part of subcall function 002C01F8: LeaveCriticalSection.KERNEL32(0037070C,?,002B8747,00372514), ref: 002C0235

Strings

5, xrefs: 00327C78
Variable must be of type 'Object'., xrefs: 00327C3A
G, xrefs: 00327C7F
+T/, xrefs: 00327E2E

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T/$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2112414540
Opcode ID: b8a62fb2c89f9339df9b9d9c1d1980ea06f00d25f89c401d1f59118dde114ca2
Instruction ID: 0b55aba5c1b8fee8483dbaf71c6c54238d6e76b26770e5c7b51068dad2ab3b2c
Opcode Fuzzy Hash: b8a62fb2c89f9339df9b9d9c1d1980ea06f00d25f89c401d1f59118dde114ca2
Instruction Fuzzy Hash: D9919D74A04229EFCB16EF54E891DBDB7B5FF49300F148059F806AB2A2DB71AE41CB51

Function 0030C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002A7620: _wcslen.LIBCMT ref: 002A7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0030C6EE
_wcslen.LIBCMT ref: 0030C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0030C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0030C7CA

Strings

0, xrefs: 0030C6AF

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 4bb247bd88897667095be411e447edc9839e8e88cb93eacd89db99fa5abb9eea
Instruction ID: 26857e6af4c59c7079c6cd96357e1da6c0acfddf721f30bff4b3321ea5ccb1eb
Opcode Fuzzy Hash: 4bb247bd88897667095be411e447edc9839e8e88cb93eacd89db99fa5abb9eea
Instruction Fuzzy Hash: EF51E0716263009FD7629F28C8A4BABB7E8AF45710F042B29F995D21E0DB60D804CF52

Function 0032AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0032AEA3

Part of subcall function 002A7620: _wcslen.LIBCMT ref: 002A7625

GetProcessId.KERNEL32(00000000), ref: 0032AF38
CloseHandle.KERNEL32(00000000), ref: 0032AF67

Strings

<, xrefs: 0032AE6B
@, xrefs: 0032AE72

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: dab2d4dc04e2a2f4a1417a01104d7eb273de2b99876c74d7b437c5eda77d1454
Instruction ID: dec5bcc3c7dea86dc920d14b897ebc0a81e0a1fd490cb3d7665f5a6f6b3dec8d
Opcode Fuzzy Hash: dab2d4dc04e2a2f4a1417a01104d7eb273de2b99876c74d7b437c5eda77d1454
Instruction Fuzzy Hash: DD718771A10A24DFCB15EF54D884A9EBBF4BF09310F058499E816AB362CB34ED55CF91

Function 0030719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00307206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0030723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0030724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003072CF

Strings

DllGetClassObject, xrefs: 00307242

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 6e0f11071d23f1f523ef18e9c86778b0bf25df366a5e307947fc84da8c5a54c5
Instruction ID: 24729e2601da04224503fd2df9b1c1f0be39ebcbff3a6808d3417f780ea6f5cc
Opcode Fuzzy Hash: 6e0f11071d23f1f523ef18e9c86778b0bf25df366a5e307947fc84da8c5a54c5
Instruction Fuzzy Hash: 7B418CB1E05204EFDB16CF54C894A9A7BADEF44310F1584A9BD059F28AD7B1ED40CBA0

Function 00332F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00332F8D
LoadLibraryW.KERNEL32(?), ref: 00332F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00332FA9
DestroyWindow.USER32(?), ref: 00332FB1

Strings

SysAnimate32, xrefs: 00332F68

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: ea1baec8ae45b88ed0d28ef93d3c069f5ec47ef581332d3b0dd7c35fbc3a451d
Instruction ID: 67f47383df957b57f46d827cdf59d1d6e133cb50af8de8b6f25c73abe35a14a2
Opcode Fuzzy Hash: ea1baec8ae45b88ed0d28ef93d3c069f5ec47ef581332d3b0dd7c35fbc3a451d
Instruction Fuzzy Hash: C721FD72204205ABEF224F64DCC0EBB77BDEF59324F120218FA10E6190C731DC919B60

Function 002C4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,002C4D1E,002D28E9,?,002C4CBE,002D28E9,003688B8,0000000C,002C4E15,002D28E9,00000002), ref: 002C4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002C4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,002C4D1E,002D28E9,?,002C4CBE,002D28E9,003688B8,0000000C,002C4E15,002D28E9,00000002,00000000), ref: 002C4DC3

Strings

mscoree.dll, xrefs: 002C4D86
CorExitProcess, xrefs: 002C4D98

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f7ac73b6d49e06ce6700e2542ab03e4ceda3c9e23b3d4e8a15230e23c1a8d4bd
Instruction ID: 728321c3c7964b8ac7a6a045a10e695473495671f177fb20ea51e9289446478a
Opcode Fuzzy Hash: f7ac73b6d49e06ce6700e2542ab03e4ceda3c9e23b3d4e8a15230e23c1a8d4bd
Instruction Fuzzy Hash: F0F04435A60209BBDB166F90DC49FEEBFF9EF44751F000198F906A6150CB745A50DB91

Function 002FD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 002FD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002FD3BF
FreeLibrary.KERNEL32(00000000), ref: 002FD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 002FD3B9
X64, xrefs: 002FD2A8

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: e6c4000e37c7f80e6b248aebfdde9f6bbf8a6bfcfe669cf4dcdf61629e43a2d2
Instruction ID: ff85864eaf486d48dba8c81ec2d2a11ef9b4ac217d58d37761e424289eafd5d6
Opcode Fuzzy Hash: e6c4000e37c7f80e6b248aebfdde9f6bbf8a6bfcfe669cf4dcdf61629e43a2d2
Instruction Fuzzy Hash: 3EF05C3983552A8BE7725B10CC949B9F315AF10781F54D4B4FB02F2015DBA0CC609BC3

Function 002A4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,002A4EDD,?,00371418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002A4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002A4EAE
FreeLibrary.KERNEL32(00000000,?,?,002A4EDD,?,00371418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002A4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 002A4EA8
kernel32.dll, xrefs: 002A4E94

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 2ffb68ad2ae1675f424a037fc391ea2261ff3eff4c0ac19bf394cc3cb041497b
Instruction ID: 4732bfd8b35cab94a1aa04c38ca63a69305e8839b44804a3ba34e0e348ed4753
Opcode Fuzzy Hash: 2ffb68ad2ae1675f424a037fc391ea2261ff3eff4c0ac19bf394cc3cb041497b
Instruction Fuzzy Hash: D8E08636E215235B92232B256C58A5BA558AFC3B62F050115FD02F2110DFA0CD0152E0

Function 002A4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,002E3CDE,?,00371418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002A4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002A4E74
FreeLibrary.KERNEL32(00000000,?,?,002E3CDE,?,00371418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002A4E87

Strings

kernel32.dll, xrefs: 002A4E5B
Wow64RevertWow64FsRedirection, xrefs: 002A4E6E

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 3d68bc3a89067066592210f11fb3313edc67f974885adc3e855dd5a463b728d5
Instruction ID: 5b08ca3b8a230c81dbb4a3842994d49ac6480339cde8530f35fbe0689efc3a28
Opcode Fuzzy Hash: 3d68bc3a89067066592210f11fb3313edc67f974885adc3e855dd5a463b728d5
Instruction Fuzzy Hash: E9D0C2369226225746232F247C08DCBAA1CAFC3B11B050111F902F2114CFA0CD1192D0

Function 0032A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0032A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0032A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0032A468
CloseHandle.KERNEL32(?), ref: 0032A63D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: c123446ea1a662d9e0e85402f47692212b975b98fd46b69eaed7aa017fa326b7
Instruction ID: 13e33148ba597047d19b820105b35e62e1bbbae0617ef3818eb73bc1239ca0b6
Opcode Fuzzy Hash: c123446ea1a662d9e0e85402f47692212b975b98fd46b69eaed7aa017fa326b7
Instruction Fuzzy Hash: 30A1BC71614700AFD721DF24D886F2AB7E5AF84714F14881DF99A9B292DBB0EC418F82

Function 002DBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00343700), ref: 002DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0037121C,000000FF,00000000,0000003F,00000000,?,?), ref: 002DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00371270,000000FF,?,0000003F,00000000,?), ref: 002DBC36
_free.LIBCMT ref: 002DBB7F

Part of subcall function 002D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002DD7D1,00000000,00000000,00000000,00000000,?,002DD7F8,00000000,00000007,00000000,?,002DDBF5,00000000), ref: 002D29DE
Part of subcall function 002D29C8: GetLastError.KERNEL32(00000000,?,002DD7D1,00000000,00000000,00000000,00000000,?,002DD7F8,00000000,00000007,00000000,?,002DDBF5,00000000,00000000), ref: 002D29F0

_free.LIBCMT ref: 002DBD4B

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 3c66ec5c1fc00f1247479b372fe6045fc7a3993d19b4e9bab99447bf3ef47ec4
Instruction ID: bb45092156acdf75f6ae92e914a4052abd908df372dbb2d796aa623d840e343a
Opcode Fuzzy Hash: 3c66ec5c1fc00f1247479b372fe6045fc7a3993d19b4e9bab99447bf3ef47ec4
Instruction Fuzzy Hash: 7751D472920209EFCB22EF699C919AAB7BCEB40310F11466BE454D7391EB709E609B50

Function 0030E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0030DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0030CF22,?), ref: 0030DDFD

Part of subcall function 0030DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0030CF22,?), ref: 0030DE16

Part of subcall function 0030E199: GetFileAttributesW.KERNEL32(?,0030CF95), ref: 0030E19A

lstrcmpiW.KERNEL32(?,?), ref: 0030E473
MoveFileW.KERNEL32(?,?), ref: 0030E4AC
_wcslen.LIBCMT ref: 0030E5EB
_wcslen.LIBCMT ref: 0030E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0030E650

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 8519f979a9404809163dc91505d4c25b33d70479b85bb08f5b41c8476a42172f
Instruction ID: 1897ca2de1b9efe8b410e5a91d6f2b285a28d6658bc382a784495ade11f1c263
Opcode Fuzzy Hash: 8519f979a9404809163dc91505d4c25b33d70479b85bb08f5b41c8476a42172f
Instruction Fuzzy Hash: 0F5192B25093445BC725EB90DC91ADFB3DCAF85340F004D1EF689D3191EF75A6888B66

Function 0032B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

Part of subcall function 0032C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0032B6AE,?,?), ref: 0032C9B5
Part of subcall function 0032C998: _wcslen.LIBCMT ref: 0032C9F1
Part of subcall function 0032C998: _wcslen.LIBCMT ref: 0032CA68
Part of subcall function 0032C998: _wcslen.LIBCMT ref: 0032CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0032BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0032BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0032BB63
RegCloseKey.ADVAPI32(?,?), ref: 0032BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0032BBB3

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 3ad0710aee6c2d3008e99b8b0c91d596dab65bc7a4dc0133c88485ae316ee8c7
Instruction ID: 809ae438f8a94e551d26218e5112076d4a43cd5f9384ef505af93562fbd39f72
Opcode Fuzzy Hash: 3ad0710aee6c2d3008e99b8b0c91d596dab65bc7a4dc0133c88485ae316ee8c7
Instruction Fuzzy Hash: 8A61BF31218241AFC315DF24D490E2ABBE9FF85308F14855CF4998B2A2CB31ED45CF92

Function 00308BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00308BCD
VariantClear.OLEAUT32 ref: 00308C3E
VariantClear.OLEAUT32 ref: 00308C9D
VariantClear.OLEAUT32(?), ref: 00308D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00308D3B

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: f59be9c0c66762f5f5a9aa2b82f8a51783fcdfb02b8dde1ca39f937dda35cefe
Instruction ID: 1830f77f07c1461c87f15f407023416aa129bb398aa154495e4768a53acd6172
Opcode Fuzzy Hash: f59be9c0c66762f5f5a9aa2b82f8a51783fcdfb02b8dde1ca39f937dda35cefe
Instruction Fuzzy Hash: F05167B1A11219EFCB11CF28C894AAAB7F8FF89310F118659E945EB350E730E911CF90

Function 00318AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00318BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00318BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00318C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00318C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00318C5F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 98e67d7e1fe759b8301b02fddc6f2e312f8ce7be7642afc5ed71f4d74070e892
Instruction ID: 85b07b1be2e442611e840392bae219ede38bdd34cbfe9e09fe4d3166f5587d03
Opcode Fuzzy Hash: 98e67d7e1fe759b8301b02fddc6f2e312f8ce7be7642afc5ed71f4d74070e892
Instruction Fuzzy Hash: 5E514835A10215AFCB05DF64C881AAEBBF5FF49314F088458E849AB362DB35ED61CF94

Function 00328EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00328F40
GetProcAddress.KERNEL32(00000000,?), ref: 00328FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00328FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00329032
FreeLibrary.KERNEL32(00000000), ref: 00329052

Part of subcall function 002BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00311043,?,7529E610), ref: 002BF6E6
Part of subcall function 002BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,002FFA64,00000000,00000000,?,?,00311043,?,7529E610,?,002FFA64), ref: 002BF70D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: a8cbfeebbed6b144b94c09fc342fa867e7288337b7e283939166b0f737699489
Instruction ID: 6b76b6bd8f56079dadcac26200125419845993eec70e7fa725cbdc6ab2ee8921
Opcode Fuzzy Hash: a8cbfeebbed6b144b94c09fc342fa867e7288337b7e283939166b0f737699489
Instruction Fuzzy Hash: CA512835A01215DFC712DF68D4949ADBBB5FF49314F098099E80AAB362DB31ED85CF90

Function 00336B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00336C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00336C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00336C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0031AB79,00000000,00000000), ref: 00336C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00336CC7

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 161186637785d4ee70f781338f385945d6000e067f87ace8cb25223f8a4be97b
Instruction ID: 5b03a9add747ab70cee7a34da5badd3d9179476d2843458537f5fa57d8c707d9
Opcode Fuzzy Hash: 161186637785d4ee70f781338f385945d6000e067f87ace8cb25223f8a4be97b
Instruction Fuzzy Hash: 7B41FB35604104BFDB26CF29CCD6FA9BBA9EB0A350F159228FD55A72E0C371ED41CA50

Function 002D2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002D20C3
_free.LIBCMT ref: 002D20E3

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2cb4cffdb6aa195fa904c93688ff2acda14c106bfccb57f747016dd7aeb5871e
Instruction ID: df9f6f8a4b0558c0f35d45118b166a96a50f39ef545dcfcd9108af94309dc599
Opcode Fuzzy Hash: 2cb4cffdb6aa195fa904c93688ff2acda14c106bfccb57f747016dd7aeb5871e
Instruction Fuzzy Hash: B941E432A20200EFCB24DF78C880A6DB7B5EF98314F1585AAE515EB392D631ED15CB80

Function 002B912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002B9141
ScreenToClient.USER32(00000000,?), ref: 002B915E
GetAsyncKeyState.USER32(00000001), ref: 002B9183
GetAsyncKeyState.USER32(00000002), ref: 002B919D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f68c3759bb4ea579be05f707623e237c852dea3fb1612480d4b8479c775ef0d7
Instruction ID: e40a8240950c0073de836512404ce00379c69d443cfc69767b97ad8e456ed098
Opcode Fuzzy Hash: f68c3759bb4ea579be05f707623e237c852dea3fb1612480d4b8479c775ef0d7
Instruction Fuzzy Hash: 67417F3192850BFBDF059F68C844BFEB774FF05360F208229E529A6290C77059A4DF51

Function 00313874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00313922
TranslateMessage.USER32(?), ref: 0031394B
DispatchMessageW.USER32(?), ref: 00313955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00313966

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 169a7836e410febb24760d07d33b530d0c90408db6fd5202342fcaa6c62b2e98
Instruction ID: c61188d6dd6e7e579dd1accba41c6cf06eb35478c2a9590024b5593193fbdf3a
Opcode Fuzzy Hash: 169a7836e410febb24760d07d33b530d0c90408db6fd5202342fcaa6c62b2e98
Instruction Fuzzy Hash: AC31D5719143419EEB3FCB359849FF63BACEB0E300F050569E466920A0E3B4AAC5CB52

Function 0031CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0031C21E,00000000), ref: 0031CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0031CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0031C21E,00000000), ref: 0031CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0031C21E,00000000), ref: 0031CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0031C21E,00000000), ref: 0031CFF2

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: caa02cb8a668d255f1141afbe5694999e53d38845c4834d573f1249765822677
Instruction ID: 8a1179fd6258fd1d201aa8843273160bf17937321fc56f258bb81845e75869bc
Opcode Fuzzy Hash: caa02cb8a668d255f1141afbe5694999e53d38845c4834d573f1249765822677
Instruction Fuzzy Hash: D3317F71560205AFDB29DFA5C884AEBBBFDEB18350F10542EF516E2141D730ED82DB60

Function 00301901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00301915
PostMessageW.USER32(00000001,00000201,00000001), ref: 003019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 003019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 003019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 003019E2

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: da569e15b859c0d4f2ad8ca687068017b8dc8b5a7cebf3740431acc54c71b844
Instruction ID: 8b267e749b6371ae56594ef563afc1de4b4d9a388de92c4161cd380c3ff61a71
Opcode Fuzzy Hash: da569e15b859c0d4f2ad8ca687068017b8dc8b5a7cebf3740431acc54c71b844
Instruction Fuzzy Hash: 3531D172A00219EFCB01CFA8CDA9ADE7BB9EB05315F104229F921AB2D1C7709D44DB90

Function 00335706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00335745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0033579D
_wcslen.LIBCMT ref: 003357AF
_wcslen.LIBCMT ref: 003357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00335816

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 77d5d84348ec0197b09b179536c0d47cb04085f963bfdf0ecbd9394429258e57
Instruction ID: c6bb61f763ed9658d7965b1bdd6d6a6eb35803772b53484f587cf8e230989b1a
Opcode Fuzzy Hash: 77d5d84348ec0197b09b179536c0d47cb04085f963bfdf0ecbd9394429258e57
Instruction Fuzzy Hash: 72219671914618DADB229F65CCC5AEEB7BCFF04724F108256F919EB180D7708985CF50

Function 00320930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00320951
GetForegroundWindow.USER32 ref: 00320968
GetDC.USER32(00000000), ref: 003209A4
GetPixel.GDI32(00000000,?,00000003), ref: 003209B0
ReleaseDC.USER32(00000000,00000003), ref: 003209E8

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: d955fa906edff384102bc1d37d5b54d99c02e71ebfbabfb28b25ce2b5df66598
Instruction ID: e444fb65ccf2e099ad984e12d9841cfa3a938c37774c04d22ddbab144d7f339e
Opcode Fuzzy Hash: d955fa906edff384102bc1d37d5b54d99c02e71ebfbabfb28b25ce2b5df66598
Instruction Fuzzy Hash: 72218E35A10214AFD709EF65D885AAEBBF9EF49700F048069E84AE7762CB30AC44CF50

Function 002DCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 002DCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002DCDE9

Part of subcall function 002D3820: RtlAllocateHeap.NTDLL(00000000,?,00371444,?,002BFDF5,?,?,002AA976,00000010,00371440,002A13FC,?,002A13C6,?,002A1129), ref: 002D3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002DCE0F
_free.LIBCMT ref: 002DCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002DCE31

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1c6571db7fb10a44509c38549e1d3085bbc80710739de33ebbe9b4f29509edb1
Instruction ID: 9d52a12d91c9f1cc143a55a3054d960c6007451f40ab1de8a570bbef32dc137a
Opcode Fuzzy Hash: 1c6571db7fb10a44509c38549e1d3085bbc80710739de33ebbe9b4f29509edb1
Instruction Fuzzy Hash: D001FCB66212177F23211ABA6C8CD7BBB6DDEC6BA1735412BFD05D7300DA608D21D6B0

Function 002B9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002B9693
SelectObject.GDI32(?,00000000), ref: 002B96A2
BeginPath.GDI32(?), ref: 002B96B9
SelectObject.GDI32(?,00000000), ref: 002B96E2

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d9b06126387e6f9a1d5048aa64a5ac4fef4d461f9c50f54a9a498f1d0d7f1de0
Instruction ID: f6040e61e5c64e5e605b8a643b676bee105463a350dac4506f362a72a6ad378a
Opcode Fuzzy Hash: d9b06126387e6f9a1d5048aa64a5ac4fef4d461f9c50f54a9a498f1d0d7f1de0
Instruction Fuzzy Hash: AA216032831206EBDB229F28DC557E97BACBB11395F10021AF614A61A1D37098E2DF90

Function 00305711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00305726
_memcmp.LIBVCRUNTIME ref: 00305744
_memcmp.LIBVCRUNTIME ref: 00305757
_memcmp.LIBVCRUNTIME ref: 0030576F
_memcmp.LIBVCRUNTIME ref: 00305787

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: aabd4e7810fbf9d192f7e9ec358b497b6b453d64d22dbfe85e4ca101f73b9b06
Instruction ID: 1fb569d0d924bbe7889d2dc0b70cf184abb642ee9fc60b104ea25cc26b19e2da
Opcode Fuzzy Hash: aabd4e7810fbf9d192f7e9ec358b497b6b453d64d22dbfe85e4ca101f73b9b06
Instruction Fuzzy Hash: 3D01B5A1682A09BFD71A55109E92FFB735C9F32B98F404024FD049B6C2F760ED20DAA5

Function 002D2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,002CF2DE,002D3863,00371444,?,002BFDF5,?,?,002AA976,00000010,00371440,002A13FC,?,002A13C6), ref: 002D2DFD
_free.LIBCMT ref: 002D2E32
_free.LIBCMT ref: 002D2E59
SetLastError.KERNEL32(00000000,002A1129), ref: 002D2E66
SetLastError.KERNEL32(00000000,002A1129), ref: 002D2E6F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a5083e0ad22af90bd26b97206d068f7006b6053ed230178aa688896db73a682f
Instruction ID: 1764fcacff5428033353028c2673c2d16dfd1711457bb49e6d58b96165ea253a
Opcode Fuzzy Hash: a5083e0ad22af90bd26b97206d068f7006b6053ed230178aa688896db73a682f
Instruction Fuzzy Hash: CC014936530641EBC6136B346C89D2B275DABF13B2F244427F860A3393EAB4DC394520

Function 0030000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,002FFF41,80070057,?,?,?,0030035E), ref: 0030002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002FFF41,80070057,?,?), ref: 00300046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002FFF41,80070057,?,?), ref: 00300054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002FFF41,80070057,?), ref: 00300064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002FFF41,80070057,?,?), ref: 00300070

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 7b3126248c77e278fc0d3ed1a8ea567807130b8708c504961840edfcd93b9c53
Instruction ID: 3876916008e2f74dc1153ee831c96078a12f4db83a5524a3a41aa1501cadedbc
Opcode Fuzzy Hash: 7b3126248c77e278fc0d3ed1a8ea567807130b8708c504961840edfcd93b9c53
Instruction Fuzzy Hash: A501F276611204BFDB124F68DC48BAE7AEDEF44351F104024F805E6250DB71CE408BA0

Function 0030E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0030E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0030E9A5
Sleep.KERNEL32(00000000), ref: 0030E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0030E9B7
Sleep.KERNEL32 ref: 0030E9F3

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 01eee4851680dab294bdeaa85fb4e278d192bb61e7299a64787ed2cf340af412
Instruction ID: 6fe62862f88746a71a51d423fe838ef3302d2be8c133176921f86843f86b9080
Opcode Fuzzy Hash: 01eee4851680dab294bdeaa85fb4e278d192bb61e7299a64787ed2cf340af412
Instruction Fuzzy Hash: 83016D31D12629DBCF019FE5DCA96DDBB7CFF08301F010946E502B2190CB349554CBA1

Function 003010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00301114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00300B9B,?,?,?), ref: 00301120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00300B9B,?,?,?), ref: 0030112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00300B9B,?,?,?), ref: 00301136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0030114D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1b3b2a7b1bd0cb196114e1a43e196b50909156e521d16d7f72e19d42e0b7bd61
Instruction ID: 706d6e7bca452d871ad9e37b7b98f40b022e695e42fd107ec3c4db666aac5bbc
Opcode Fuzzy Hash: 1b3b2a7b1bd0cb196114e1a43e196b50909156e521d16d7f72e19d42e0b7bd61
Instruction Fuzzy Hash: A1016979601205BFDB164FA4DC89A6A3B6EEF893A0F210418FA41E33A0DA31DC009B60

Function 00300FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00300FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00300FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00300FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00300FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00301002

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3298ed2907500ad41a9ec9f7cea3f9003defeeb6fc789c8cb9ebf7fc63804a03
Instruction ID: 322ee86952cbaf3c3297ae4e8e2a7cc4e79ea0193b39372e0dcff12e1620616c
Opcode Fuzzy Hash: 3298ed2907500ad41a9ec9f7cea3f9003defeeb6fc789c8cb9ebf7fc63804a03
Instruction Fuzzy Hash: C0F06D39211301EBDB234FA4DC8DF563BADEF89762F114414FA85E7291CA70DC508B60

Function 00301014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0030102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00301036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00301045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0030104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00301062

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e0179b2c8960432a8c67b22f5e4e4ddfaae1caa9ece283c3cb93724c03b79a13
Instruction ID: 39a2a6c903ced014b995b260e2376d9ed3d8080423b6f4fbd39f3a887ece3156
Opcode Fuzzy Hash: e0179b2c8960432a8c67b22f5e4e4ddfaae1caa9ece283c3cb93724c03b79a13
Instruction Fuzzy Hash: AAF06D39211301EBDB235FA4EC99F563BADEF89761F110414FA85E7290CA70D8508B60

Function 0031030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0031017D,?,003132FC,?,00000001,002E2592,?), ref: 00310324
CloseHandle.KERNEL32(?,?,?,?,0031017D,?,003132FC,?,00000001,002E2592,?), ref: 00310331
CloseHandle.KERNEL32(?,?,?,?,0031017D,?,003132FC,?,00000001,002E2592,?), ref: 0031033E
CloseHandle.KERNEL32(?,?,?,?,0031017D,?,003132FC,?,00000001,002E2592,?), ref: 0031034B
CloseHandle.KERNEL32(?,?,?,?,0031017D,?,003132FC,?,00000001,002E2592,?), ref: 00310358
CloseHandle.KERNEL32(?,?,?,?,0031017D,?,003132FC,?,00000001,002E2592,?), ref: 00310365

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 70ac8653183be8e06cb75423a860e35b43142c70d730e8ebb28f63315649553a
Instruction ID: 58a15bd94df509d5ec143c16500a12911df42afa2ff4dbd749eaa6db1570b8ba
Opcode Fuzzy Hash: 70ac8653183be8e06cb75423a860e35b43142c70d730e8ebb28f63315649553a
Instruction Fuzzy Hash: 9601E276800B018FC73AAF66D880442F7F9BF543153068E3FD1A252930C3B0A995CF80

Function 002DD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002DD752

Part of subcall function 002D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002DD7D1,00000000,00000000,00000000,00000000,?,002DD7F8,00000000,00000007,00000000,?,002DDBF5,00000000), ref: 002D29DE
Part of subcall function 002D29C8: GetLastError.KERNEL32(00000000,?,002DD7D1,00000000,00000000,00000000,00000000,?,002DD7F8,00000000,00000007,00000000,?,002DDBF5,00000000,00000000), ref: 002D29F0

_free.LIBCMT ref: 002DD764
_free.LIBCMT ref: 002DD776
_free.LIBCMT ref: 002DD788
_free.LIBCMT ref: 002DD79A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9156ca29502b0e02248acea4658dab356d31c6b38057a0f51d36978ee9b32ae8
Instruction ID: c8cc658c823cb1cdd142763f0a61b6c64b693180a4f3c42a7d2fac3e89d2da40
Opcode Fuzzy Hash: 9156ca29502b0e02248acea4658dab356d31c6b38057a0f51d36978ee9b32ae8
Instruction Fuzzy Hash: 48F06232574605EBD622EF64F9C1C66B7DDBB44310BA46847F098D7701C730FC908A64

Function 00305C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00305C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00305C6F
MessageBeep.USER32(00000000), ref: 00305C87
KillTimer.USER32(?,0000040A), ref: 00305CA3
EndDialog.USER32(?,00000001), ref: 00305CBD

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2f41d1d4355cd0b525f45297d861a1320e47f578195c29448693f0cf0f2ed292
Instruction ID: 20c1c9a936fc388800ea9ef3533a28858db4bd07415bbb338655a187a08cca5c
Opcode Fuzzy Hash: 2f41d1d4355cd0b525f45297d861a1320e47f578195c29448693f0cf0f2ed292
Instruction Fuzzy Hash: 8C018131511B04ABFB229B10DE9FFA67BBCBB00B05F042559B583B14E1DBF4A9848F90

Function 002D22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002D22BE

Part of subcall function 002D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002DD7D1,00000000,00000000,00000000,00000000,?,002DD7F8,00000000,00000007,00000000,?,002DDBF5,00000000), ref: 002D29DE
Part of subcall function 002D29C8: GetLastError.KERNEL32(00000000,?,002DD7D1,00000000,00000000,00000000,00000000,?,002DD7F8,00000000,00000007,00000000,?,002DDBF5,00000000,00000000), ref: 002D29F0

_free.LIBCMT ref: 002D22D0
_free.LIBCMT ref: 002D22E3
_free.LIBCMT ref: 002D22F4
_free.LIBCMT ref: 002D2305

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4e478bf06db019178c43516213aa7d3aa40cddd720615486f3f53f79f251660e
Instruction ID: 9fd6a869e0f3ea13702c7eb7ffed3bc1f495fc1f34ccb04299df21ff358c4c1e
Opcode Fuzzy Hash: 4e478bf06db019178c43516213aa7d3aa40cddd720615486f3f53f79f251660e
Instruction Fuzzy Hash: 15F03A75820120CB8737AF68BC118983B6CB728760F14690BF418D33B2CB700CA5BFA5

Function 002B95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002B95D4
StrokeAndFillPath.GDI32(?,?,002F71F7,00000000,?,?,?), ref: 002B95F0
SelectObject.GDI32(?,00000000), ref: 002B9603
DeleteObject.GDI32 ref: 002B9616
StrokePath.GDI32(?), ref: 002B9631

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 91ac0cec393c1f34ec823011fb8f6e18e7f9401a190b6879698eca776fd34eee
Instruction ID: 28a28f54a3a314383657db7078857b8b2b360cda0122d78e68f52edf73f8e9c1
Opcode Fuzzy Hash: 91ac0cec393c1f34ec823011fb8f6e18e7f9401a190b6879698eca776fd34eee
Instruction Fuzzy Hash: 77F0C932025245EBDB275F69ED5C7A43F6DAB02362F048214F669650F0C77089E6DFA0

Function 002D0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002D10F9
__freea.LIBCMT ref: 002D1117

Part of subcall function 002D1537: _free.LIBCMT ref: 002D154F

Strings

am/pm, xrefs: 002D117A
a/p, xrefs: 002D11DE

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4fee597820fc1a569e7b64416dc7f0311deb5c7424e6fdeb6f97af7b6178ef4e
Instruction ID: 9a332091d559a89f8fca4258ec952b69d740ed2d73fcc4aaddb7d68bf8b5bcbf
Opcode Fuzzy Hash: 4fee597820fc1a569e7b64416dc7f0311deb5c7424e6fdeb6f97af7b6178ef4e
Instruction Fuzzy Hash: 98D10131930206EADB689F68C885BFAB7B1EF05300F28419BE9059BF51D3759DB0CB91

Function 003261D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 002C0242: EnterCriticalSection.KERNEL32(0037070C,00371884,?,?,002B198B,00372518,?,?,?,002A12F9,00000000), ref: 002C024D
Part of subcall function 002C0242: LeaveCriticalSection.KERNEL32(0037070C,?,002B198B,00372518,?,?,?,002A12F9,00000000), ref: 002C028A

Part of subcall function 002C00A3: __onexit.LIBCMT ref: 002C00A9

__Init_thread_footer.LIBCMT ref: 00326238

Part of subcall function 002C01F8: EnterCriticalSection.KERNEL32(0037070C,?,?,002B8747,00372514), ref: 002C0202
Part of subcall function 002C01F8: LeaveCriticalSection.KERNEL32(0037070C,?,002B8747,00372514), ref: 002C0235

Part of subcall function 0031359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003135E4
Part of subcall function 0031359C: LoadStringW.USER32(00372390,?,00000FFF,?), ref: 0031360A

Strings

x#7, xrefs: 0032636F
x#7, xrefs: 0032633A
x#7, xrefs: 00326353

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#7$x#7$x#7
API String ID: 1072379062-2188912019
Opcode ID: 00f6ed545feab6dfe6a6870ede584fff82ec347f3552ae42b5769860e95353d1
Instruction ID: adf8e18d6bf2c04553cad6ac38008cdea6f0c5e5e46a2e56a11c842d223d2fbc
Opcode Fuzzy Hash: 00f6ed545feab6dfe6a6870ede584fff82ec347f3552ae42b5769860e95353d1
Instruction Fuzzy Hash: A3C1CE71A00215AFCB26EF58D892EBEB7B9FF49300F118069F9459B291DB70ED54CB90

Function 002D8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 002D8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 002D8B7A
__dosmaperr.LIBCMT ref: 002D8B81

Strings

.,, xrefs: 002D8A63

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .,
API String ID: 2434981716-2608738861
Opcode ID: a75304a66f5fa47a1091cd8c060fe65eb7335461880845bd2696842fc94aadb3
Instruction ID: f076fb1b2d5f8c04d9d3e4b637a6e0e8768d2bf27bf9c37340465215a12185eb
Opcode Fuzzy Hash: a75304a66f5fa47a1091cd8c060fe65eb7335461880845bd2696842fc94aadb3
Instruction Fuzzy Hash: 33416E71624185AFDB259F28C890A7D7FE5DB45308F28819BF885C7342DE71CC229750

Function 00302716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0030B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003021D0,?,?,00000034,00000800,?,00000034), ref: 0030B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00302760

Part of subcall function 0030B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0030B3F8

Part of subcall function 0030B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0030B355
Part of subcall function 0030B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00302194,00000034,?,?,00001004,00000000,00000000), ref: 0030B365
Part of subcall function 0030B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00302194,00000034,?,?,00001004,00000000,00000000), ref: 0030B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0030281A

Strings

@, xrefs: 00302832

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 69b202c5a5c7148be0e6a2e28ee8115aa56e83366e6a54d41dc8772ae22b381b
Instruction ID: 38d026208a8497769a40528f48e5a65ec4a29ee00e8630e74bd4101f90c187e8
Opcode Fuzzy Hash: 69b202c5a5c7148be0e6a2e28ee8115aa56e83366e6a54d41dc8772ae22b381b
Instruction Fuzzy Hash: A6414E76901218AFDB11DFA4CD96AEEFBB8EF09700F108095FA55B7181DB706E45CBA0

Function 002D172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe,00000104), ref: 002D1769
_free.LIBCMT ref: 002D1834
_free.LIBCMT ref: 002D183E

Strings

C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe, xrefs: 002D1760, 002D1767, 002D1796, 002D17CE

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\30% Order payment-BLQuote_'PO#385995790.exe
API String ID: 2506810119-2574226260
Opcode ID: d44253c294acd96fab1c98bdab95fcefe6cf9cd3a6781097e81a34f867d9df35
Instruction ID: 4b364a9f7fc48ff192e0aa898588759da96b0b3cb91529849278f3a8f7595c15
Opcode Fuzzy Hash: d44253c294acd96fab1c98bdab95fcefe6cf9cd3a6781097e81a34f867d9df35
Instruction Fuzzy Hash: F8317E75A10219FBEB22DF999885D9EBBBCEB85310F104167F804D7711D7B08E60DB90

Function 0030C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0030C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0030C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00371990,015064C0), ref: 0030C395

Strings

0, xrefs: 0030C2DF

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 151726d2e87b803b3ae1bfc50eb116cba5a332cd53968720815f93a69e852f91
Instruction ID: 35235b92bfa9bb29d900092ba9b42e99ede230d3c4223e126b72029840b5e86b
Opcode Fuzzy Hash: 151726d2e87b803b3ae1bfc50eb116cba5a332cd53968720815f93a69e852f91
Instruction Fuzzy Hash: 9141D0352253019FDB22DF25D894B5ABBE8AF85320F009B9DF9A5972D1C734E804CB62

Function 00334416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0033CC08,00000000,?,?,?,?), ref: 003344AA
GetWindowLongW.USER32 ref: 003344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003344D7

Strings

SysTreeView32, xrefs: 0033447C

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: da9549030ab8a694c254100fc284ba42c77b27f7f5ab2342d625ed73a2826664
Instruction ID: 0a2545bb32ae28ef8895612632cb97e8d933681a77a645575f3e07b1e54af285
Opcode Fuzzy Hash: da9549030ab8a694c254100fc284ba42c77b27f7f5ab2342d625ed73a2826664
Instruction Fuzzy Hash: 4D319E32210205AFEB229F38DC85BEA77A9EF09334F254725F975A21D0DB74EC909B50

Function 00306E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00306EED
VariantCopyInd.OLEAUT32(?,?), ref: 00306F08
VariantClear.OLEAUT32(?), ref: 00306F12

Strings

*j0, xrefs: 00306E8B, 00306E90, 00306EF8

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j0
API String ID: 2173805711-1934666149
Opcode ID: 9a20f1b4c47dd8b7346eb445821908c4b6dbc4f2d69815ffb967ca84ff1739de
Instruction ID: b03aaa8bbc3f122ddf731e634743c779955844cb7f6799ea8c107e82a3b8c5e9
Opcode Fuzzy Hash: 9a20f1b4c47dd8b7346eb445821908c4b6dbc4f2d69815ffb967ca84ff1739de
Instruction Fuzzy Hash: 54317371615246DFCB07AFA4E8A29BD777AEF45700F1014A9F9024B2E6CB349932DF90

Function 0032304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0032335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00323077,?,?), ref: 00323378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0032307A
_wcslen.LIBCMT ref: 0032309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00323106

Strings

255.255.255.255, xrefs: 00323095, 0032309A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: da5b008f9caaf51479d2798c025c99fe2f9d5d7d71a2da865cc89519bbf30858
Instruction ID: 7db665641aef205d0f7cefbd824b5ee0f3082f2f1bad32c4e3f68091fc6f0bce
Opcode Fuzzy Hash: da5b008f9caaf51479d2798c025c99fe2f9d5d7d71a2da865cc89519bbf30858
Instruction Fuzzy Hash: 9131D2392042219FC712DF68D486EAA77E0EF14318F25C059E9168B392CB39EE41CB70

Function 00334653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00334705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00334713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0033471A

Strings

msctls_updown32, xrefs: 00334684

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b62ac14c15fd6d700af862daf7082767a676ed3408eb6f7a219fbcc557573f26
Instruction ID: 8495c90b5f615e2e277fd63878af792475362a1b36844fddff0c6840c4220468
Opcode Fuzzy Hash: b62ac14c15fd6d700af862daf7082767a676ed3408eb6f7a219fbcc557573f26
Instruction Fuzzy Hash: B7215CB5600208AFDB12DF68DCC1DA737ADEB5A3A8F150059FA159B291CB70FC61CA60

Function 003095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0030961D

Strings

#OnAutoItStartRegister, xrefs: 003095F3
#notrayicon, xrefs: 003095B7
#requireadmin, xrefs: 003095D9

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f45cb24e4c6ed03c26752fa8ecdc9fe4401fcd33d7c2a073bd5d9b9362671438
Instruction ID: fde4fe142ca82ec23bf01bb25e22ea724804272f392954baeced86df9b58e70d
Opcode Fuzzy Hash: f45cb24e4c6ed03c26752fa8ecdc9fe4401fcd33d7c2a073bd5d9b9362671438
Instruction Fuzzy Hash: 742165722166106AC333BA259C22FBBB39C9F92320F40402BF949970C2EB62AD51C6D5

Function 003337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00333840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00333850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00333876

Strings

Listbox, xrefs: 0033380F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 51571aaf3a2bce2ab1ac7557029006803ee6b857606d3b1afe5a89c68c03a13c
Instruction ID: c87d2e43bf6ec10773623686eb6b740076f155333db0d42a57dfa742853b3945
Opcode Fuzzy Hash: 51571aaf3a2bce2ab1ac7557029006803ee6b857606d3b1afe5a89c68c03a13c
Instruction Fuzzy Hash: 0A218172610218BBEF229F54DC85FBB376EEF89764F11C124F9159B190CA71DC528BA0

Function 003149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00314A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00314A5C
SetErrorMode.KERNEL32(00000000,?,?,0033CC08), ref: 00314AD0

Strings

%lu, xrefs: 00314A6F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 53961adf6a989f37bf6b97cd9678de8e858851926e9ce648933b516e16c6dc1a
Instruction ID: 77718a6e57fa5051636731498981bb0e1369811d891b75b293fb973ebc46ec1f
Opcode Fuzzy Hash: 53961adf6a989f37bf6b97cd9678de8e858851926e9ce648933b516e16c6dc1a
Instruction Fuzzy Hash: 56319175A00108AFDB11DF54C881EAA7BF8EF09308F1580A5F909EB252DB71EE85CF61

Function 003341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0033424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00334264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00334271

Strings

msctls_trackbar32, xrefs: 00334226

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: b3a718f40fa5c2f961fe9ccdcffd0f02fa9fb9fad78eba1da7f0b7f1e8d5af63
Instruction ID: a0b83094bc0ba424b0cd3dda8f44c3e577a2f9f5d0d41cb7687dc8f4533e9442
Opcode Fuzzy Hash: b3a718f40fa5c2f961fe9ccdcffd0f02fa9fb9fad78eba1da7f0b7f1e8d5af63
Instruction Fuzzy Hash: 0011C631240248BFEF225F69CC46FAB7BACEF95B54F120514FA55E60A0D671EC519B10

Function 00302F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002A6B57: _wcslen.LIBCMT ref: 002A6B6A

Part of subcall function 00302DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00302DC5
Part of subcall function 00302DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00302DD6
Part of subcall function 00302DA7: GetCurrentThreadId.KERNEL32 ref: 00302DDD
Part of subcall function 00302DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00302DE4

GetFocus.USER32 ref: 00302F78

Part of subcall function 00302DEE: GetParent.USER32(00000000), ref: 00302DF9

GetClassNameW.USER32(?,?,00000100), ref: 00302FC3
EnumChildWindows.USER32(?,0030303B), ref: 00302FEB

Strings

%s%d, xrefs: 00302FFF

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 8bedc83674c8cb3213422bce25713152bb39f1ea54f096a7b425bae1fb093648
Instruction ID: dbcf276e91098b1385ab12e97c6ec8df99bc5cb37a812585d2f6a36cd0ccee46
Opcode Fuzzy Hash: 8bedc83674c8cb3213422bce25713152bb39f1ea54f096a7b425bae1fb093648
Instruction Fuzzy Hash: B811D2712012056BCF027F648CDAEEE776EAF84304F045075F90AAB192DF3099058B70

Function 00335882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003358EE
DrawMenuBar.USER32(?), ref: 003358FD

Strings

0, xrefs: 0033588F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 658d1c4a9cfada7a8b86eb92a0b83ea2460b99095cdc1ac36be96b3c1001d883
Instruction ID: d1f351343fba515f1876d3dadbebf7da1b7250c68852d13929ef5475745aece9
Opcode Fuzzy Hash: 658d1c4a9cfada7a8b86eb92a0b83ea2460b99095cdc1ac36be96b3c1001d883
Instruction Fuzzy Hash: 81014032510218EFDB629F12DC85BEEBBB9FF45361F108099E849D6151DB348A94DF31

Function 0030007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41adeddde2b72929610813821a9d3efcf8c9feea64acdbe0c94883d2e3490b17
Instruction ID: 733d80f8184cf369d9f0eac0e13f35b42dab91a0198dd56687b58d0abfeb65ff
Opcode Fuzzy Hash: 41adeddde2b72929610813821a9d3efcf8c9feea64acdbe0c94883d2e3490b17
Instruction Fuzzy Hash: B3C12B75A0120AEFDB1ACF94C8A4BAEB7B9FF48704F118598E505EB291D731DE41CB90

Function 0032342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00323459
CoUninitialize.OLE32 ref: 00323463
VariantInit.OLEAUT32(?), ref: 0032346E
VariantClear.OLEAUT32(?), ref: 0032371B

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: b991a9c1b40fc426cd571071fb687f7d4eedb7046a6861174f4c8f406be5e866
Instruction ID: a014154fc3669a55c8e1a64979a055e699f7a1ab7b85e11ebc19dd64e7d4da89
Opcode Fuzzy Hash: b991a9c1b40fc426cd571071fb687f7d4eedb7046a6861174f4c8f406be5e866
Instruction Fuzzy Hash: 86A17B756143109FC701EF28C885A2AB7E9FF89710F148859F98A9B362DB34EE05CF91

Function 00300436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0033FC08,?), ref: 003005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0033FC08,?), ref: 00300608
CLSIDFromProgID.OLE32(?,?,00000000,0033CC40,000000FF,?,00000000,00000800,00000000,?,0033FC08,?), ref: 0030062D
_memcmp.LIBVCRUNTIME ref: 0030064E

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: fa7ffe763e36631bb97bf2ae16298f0bc32528b7d37f442857433133af7ffa7c
Instruction ID: 8dc3ce37638c8730ec5e6f40903a71f231538edca26792027682115127e44e8c
Opcode Fuzzy Hash: fa7ffe763e36631bb97bf2ae16298f0bc32528b7d37f442857433133af7ffa7c
Instruction Fuzzy Hash: 4A812A71A00109EFCB05DF94C994EEEB7B9FF89315F204598E506AB290DB71AE46CF60

Function 002E1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002E14C0

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6578c3f094cae82c5ad08f362d99fd7f25acc62582d95305826f3423abbd9a96
Instruction ID: 21cdf0af055d95297c29d335b44c45127f5bfc796ca8474d56d3aae889e3f958
Opcode Fuzzy Hash: 6578c3f094cae82c5ad08f362d99fd7f25acc62582d95305826f3423abbd9a96
Instruction Fuzzy Hash: B4413D316B05919BDB216FBA8C46BAE3AA5EF41330F544236F818D23D2E6744C719A62

Function 00336278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0150F150,?), ref: 003362E2
ScreenToClient.USER32(?,?), ref: 00336315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00336382

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5201549534b204da01fa4edc3583f7f2c23ffb92dc5ff352e08d8190b8bd95ed
Instruction ID: 84162bdfb8221dc2d372335b0e614cc912dbda7c6a813380b5db5579aa92b18a
Opcode Fuzzy Hash: 5201549534b204da01fa4edc3583f7f2c23ffb92dc5ff352e08d8190b8bd95ed
Instruction Fuzzy Hash: 93512A75A00209AFCB22DF68D8C29AE7BB5EF45360F118659F9559B2A0D730ED81CB90

Function 00321AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00321AFD
WSAGetLastError.WSOCK32 ref: 00321B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00321B8A
WSAGetLastError.WSOCK32 ref: 00321B94

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: aab3ae39bae1226c25cbd46892b08ecfeb426d76867c8cd8fe9fe6652131d607
Instruction ID: 350350121f5ae07a09b8d94a1b14e1578bf7c5b2ba2300e6107e0d7b5a33efe3
Opcode Fuzzy Hash: aab3ae39bae1226c25cbd46892b08ecfeb426d76867c8cd8fe9fe6652131d607
Instruction Fuzzy Hash: 5041E234600210AFE721AF24D886F2A77E5AF45718F548488FA1A9F7D3DB72ED41CB90

Function 002DB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c24b1dbb35a9ddd5113a0c5cfa93a96ef05dcba02911e2f1e560e79a482f393
Instruction ID: 1bc38fc1ca5b71f6e4b77e72c0e2f5b7cf5ecbb37e44c8521be24e6cb8478571
Opcode Fuzzy Hash: 1c24b1dbb35a9ddd5113a0c5cfa93a96ef05dcba02911e2f1e560e79a482f393
Instruction Fuzzy Hash: 8E410676A20344EFD725DF38C851B6ABBA9EB88710F11452FF501DB381D7719D218B90

Function 003156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00315783
GetLastError.KERNEL32(?,00000000), ref: 003157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003157FA

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 98805a922be6a53b94acc890f07b9e006452b044dc3143b203e3cca7792de8d6
Instruction ID: 93bab8d2b69d04e81d04b65d65b68f17f34e0410bebd11492edc3e4ab24ef5a8
Opcode Fuzzy Hash: 98805a922be6a53b94acc890f07b9e006452b044dc3143b203e3cca7792de8d6
Instruction Fuzzy Hash: B8412E35610610DFCB16EF15C485A5EBBE2AF89320F198488EC4AAB362CB34FD54CF91

Function 002DD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,002C6D71,00000000,00000000,002C82D9,?,002C82D9,?,00000001,002C6D71,?,00000001,002C82D9,002C82D9), ref: 002DD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002DD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 002DD9AB
__freea.LIBCMT ref: 002DD9B4

Part of subcall function 002D3820: RtlAllocateHeap.NTDLL(00000000,?,00371444,?,002BFDF5,?,?,002AA976,00000010,00371440,002A13FC,?,002A13C6,?,002A1129), ref: 002D3852

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 6ad2ebc2776cdd68b3da03ec979038bd809fdbf8f2fca12adf79aafa0ec97fb8
Instruction ID: 0dc679a6cd49ec498fb5a5fcd23a65fd863121766584abbd6f5c37aecd5d6032
Opcode Fuzzy Hash: 6ad2ebc2776cdd68b3da03ec979038bd809fdbf8f2fca12adf79aafa0ec97fb8
Instruction Fuzzy Hash: B031D272A2060AABDF25DF64DC91EEE7BA5EB40310F054269FC04D7250EB36DD60CB90

Function 003352C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00335352
GetWindowLongW.USER32(?,000000F0), ref: 00335375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00335382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003353A8

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: ac57d432c4845f0f2d58ac14960f63044ff762b9351b9bd9b347d057249d8429
Instruction ID: 310aee235976f17553833ed0b69d9839fca1d2ceaa59486c8453f1d688cd3ada
Opcode Fuzzy Hash: ac57d432c4845f0f2d58ac14960f63044ff762b9351b9bd9b347d057249d8429
Instruction Fuzzy Hash: BC31A539A55A08EFEB339F14CCC6BE87769EB053B0F595101FA11961E1C7B09D80DB81

Function 0030AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0030ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0030AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0030AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0030ACC6

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1e28848000baa38351257ec37fbb306e96d01730aebc863edc41b082a3b13e03
Instruction ID: ab3bf1f3105f49de89451a999924102413bed6c892888ba699bbb5e65b733d86
Opcode Fuzzy Hash: 1e28848000baa38351257ec37fbb306e96d01730aebc863edc41b082a3b13e03
Instruction Fuzzy Hash: 3F312870A05B18AFFF37CB65AC257FF7BA9AB45310F0A431AE485D61D1C37489818792

Function 00337674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0033769A
GetWindowRect.USER32(?,?), ref: 00337710
PtInRect.USER32(?,?,00338B89), ref: 00337720
MessageBeep.USER32(00000000), ref: 0033778C

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 36afe2e3957f3be8fc131e55757534001604587247035398e97abfb98a8c3546
Instruction ID: 17e0ed00848cb7956aaa810e75cef55c1f5ea9f70d3279075c91800c277a476c
Opcode Fuzzy Hash: 36afe2e3957f3be8fc131e55757534001604587247035398e97abfb98a8c3546
Instruction Fuzzy Hash: D2417CB5605214AFCB23CF58C8D5EA9B7F9BB49354F1940A8E5159B261C730A942CB90

Function 003316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003316EB

Part of subcall function 00303A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00303A57
Part of subcall function 00303A3D: GetCurrentThreadId.KERNEL32 ref: 00303A5E
Part of subcall function 00303A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003025B3), ref: 00303A65

GetCaretPos.USER32(?), ref: 003316FF
ClientToScreen.USER32(00000000,?), ref: 0033174C
GetForegroundWindow.USER32 ref: 00331752

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6ad18cced25223ed6db8e66e5b038effa876398006389365a9530910e4cc541d
Instruction ID: 4f3f7f5792019308feb24815f25b154c769fd62e6e792e351f66fdd26bb185e3
Opcode Fuzzy Hash: 6ad18cced25223ed6db8e66e5b038effa876398006389365a9530910e4cc541d
Instruction Fuzzy Hash: 4C313E71D10149AFC705DFA9C8C18AEB7FDEF49304B5480AAE415E7211EB319E45CFA0

Function 0030D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0030D501
Process32FirstW.KERNEL32(00000000,?), ref: 0030D50F
Process32NextW.KERNEL32(00000000,?), ref: 0030D52F
CloseHandle.KERNEL32(00000000), ref: 0030D5DC

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 4762be66aa50fd8c658db9f59be8674f745f980e787360b8cff829fdac254c09
Instruction ID: 4682b42dfc2c337c89c83b68fac2b14fbf07e0ae08cf57d5af84e2b77a8b8f71
Opcode Fuzzy Hash: 4762be66aa50fd8c658db9f59be8674f745f980e787360b8cff829fdac254c09
Instruction Fuzzy Hash: 6731A2711083009FD301EF54CC95AAFBBF8EF9A354F14092DF581961A2EF719959CB92

Function 00338FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002B9BB2

GetCursorPos.USER32(?), ref: 00339001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,002F7711,?,?,?,?,?), ref: 00339016
GetCursorPos.USER32(?), ref: 0033905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,002F7711,?,?,?), ref: 00339094

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: f23cd38a0d5e08143f0cbc07cfca9266d8b14dc6d4611406845fb6bfc19bae02
Instruction ID: e060b1a371f13515673c86e491b7b199b1b5aaeca4cc50357a32e85f109d24e1
Opcode Fuzzy Hash: f23cd38a0d5e08143f0cbc07cfca9266d8b14dc6d4611406845fb6bfc19bae02
Instruction Fuzzy Hash: 37219F36600118EFDB2B8F98C898FEA7BB9EB4A351F144096F90557261C7719D90DB60

Function 0030D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0033CB68), ref: 0030D2FB
GetLastError.KERNEL32 ref: 0030D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0030D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0033CB68), ref: 0030D376

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 762ad4b497c938c4d6c712f623fa9bd79bb9155baded1c6bbbabfe574f2acdc5
Instruction ID: 4a7f33f59ca572c608288ec984b21fe24cea9975fbd52759f8503646098c64e3
Opcode Fuzzy Hash: 762ad4b497c938c4d6c712f623fa9bd79bb9155baded1c6bbbabfe574f2acdc5
Instruction Fuzzy Hash: 2121DE7451A3019FC701EF68C8918ABB7E8EE5A364F104A5DF499D32E1DB30D94ACB93

Function 00301571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00301014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0030102A
Part of subcall function 00301014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00301036
Part of subcall function 00301014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00301045
Part of subcall function 00301014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0030104C
Part of subcall function 00301014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00301062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003015BE
_memcmp.LIBVCRUNTIME ref: 003015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00301617
HeapFree.KERNEL32(00000000), ref: 0030161E

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b900d05b9867212083050b48fcffc472c8b0738d0b93a56f6d6953f128e7c561
Instruction ID: 5c9bd7931a76ceec2734483155c6ec0ed27f057821ae322e5c8604397693a116
Opcode Fuzzy Hash: b900d05b9867212083050b48fcffc472c8b0738d0b93a56f6d6953f128e7c561
Instruction Fuzzy Hash: C721CF31E01108EFDF11DFA8CD55BEEB7B8EF40344F094459E841AB281E731AA44DBA0

Function 00332782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0033280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00332824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00332832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00332840

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 4a57dc4d54be76c140275a14ee24d2e8c2f945d16db0cb45ebea64590fd33560
Instruction ID: 853a1d1d320fb8afcdae1e8eb497dce399f07d02bd64608deaae0f9b257dce37
Opcode Fuzzy Hash: 4a57dc4d54be76c140275a14ee24d2e8c2f945d16db0cb45ebea64590fd33560
Instruction Fuzzy Hash: E821D331214111AFD7169B24C895FAB7B99BF46324F158158F4268F6E3CB75FC82CB90

Function 003078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00308D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0030790A,?,000000FF,?,00308754,00000000,?,0000001C,?,?), ref: 00308D8C
Part of subcall function 00308D7D: lstrcpyW.KERNEL32(00000000,?,?,0030790A,?,000000FF,?,00308754,00000000,?,0000001C,?,?,00000000), ref: 00308DB2
Part of subcall function 00308D7D: lstrcmpiW.KERNEL32(00000000,?,0030790A,?,000000FF,?,00308754,00000000,?,0000001C,?,?), ref: 00308DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00308754,00000000,?,0000001C,?,?,00000000), ref: 00307923
lstrcpyW.KERNEL32(00000000,?,?,00308754,00000000,?,0000001C,?,?,00000000), ref: 00307949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00308754,00000000,?,0000001C,?,?,00000000), ref: 00307984

Strings

cdecl, xrefs: 0030797B

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d0757798ccf3ceb74855a6f7dd246343b3dc00ca435b7f46767d6f0db31a26ed
Instruction ID: ff2ccffda67aa0e3c81341104b583371aa38f2a259472bf559e4505395eeb73e
Opcode Fuzzy Hash: d0757798ccf3ceb74855a6f7dd246343b3dc00ca435b7f46767d6f0db31a26ed
Instruction Fuzzy Hash: 3E11293A601301ABCB165F34CC55D7B77A9FF45390B00402AF842CB2A4EB31D811D7A1

Function 00337CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00337D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00337D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00337D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0031B7AD,00000000), ref: 00337D6B

Part of subcall function 002B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002B9BB2

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 54385b9796449ac0441ced140a8cd8a16ce00035c4b98e3edddafa1653934bf0
Instruction ID: 8a2bc960c0c7ca173161063f192736a98fdbd69c44d760b6ea8bf592643dd5d8
Opcode Fuzzy Hash: 54385b9796449ac0441ced140a8cd8a16ce00035c4b98e3edddafa1653934bf0
Instruction Fuzzy Hash: 0C11E472114654AFCB228F28CC84EA63BA8AF46360F168324F939D72F0D7308D51DB80

Function 00335660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 003356BB
_wcslen.LIBCMT ref: 003356CD
_wcslen.LIBCMT ref: 003356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00335816

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: ad2fedabf8796c87273733b98b09b50372f6c695e1103001d319485f446a0b7b
Instruction ID: f329b4813955a8ab727be56d5f94ebee8e8ac89e16d12dbbeb43bd39b3f9996e
Opcode Fuzzy Hash: ad2fedabf8796c87273733b98b09b50372f6c695e1103001d319485f446a0b7b
Instruction Fuzzy Hash: FE11D071A04618A6DB22DF65CCC6AEE77ACEF11760F50416AF915D6081EB70CA84CF60

Function 00301A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00301A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00301A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00301A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00301A8A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: df8b6a884d0732bc9be87687d143b7f0ac73b2d730f2f227ed61671123259562
Instruction ID: 88f1dc4694972831093bf1c78f765b0222f10b8ab5a4ad5c1ef3601eba7b24d3
Opcode Fuzzy Hash: df8b6a884d0732bc9be87687d143b7f0ac73b2d730f2f227ed61671123259562
Instruction Fuzzy Hash: 6811FA3AA01219FFEB119BA5CD85FADFB78EB04750F210091E604B7290D671AE50DB94

Function 0030E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0030E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0030E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0030E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0030E24D

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 5f83b9c8566bdd7af7cdc6acbc7150b36f05ee47ffc749945c9e1cccd564d871
Instruction ID: 6a5944b0b0aef67cd9da7847ab79f4a9ba827693b1e4eb211a87b82fd0ea37af
Opcode Fuzzy Hash: 5f83b9c8566bdd7af7cdc6acbc7150b36f05ee47ffc749945c9e1cccd564d871
Instruction Fuzzy Hash: 29110876E05218BBD7139BACDC49A9E7FACAB45324F004619F824E32D1D274C90087A0

Function 002CD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,002CCFF9,00000000,00000004,00000000), ref: 002CD218
GetLastError.KERNEL32 ref: 002CD224
__dosmaperr.LIBCMT ref: 002CD22B
ResumeThread.KERNEL32(00000000), ref: 002CD249

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: eb880168f5298f0c5c3114b6ddbea83bff6d78a0d3226888bc2605fb0edb5bc0
Instruction ID: 5df8f6d759d4bb0cb090c5370b1041a827f50682a1105de0864cf145216e98b7
Opcode Fuzzy Hash: eb880168f5298f0c5c3114b6ddbea83bff6d78a0d3226888bc2605fb0edb5bc0
Instruction Fuzzy Hash: 7B01C476825205BBD7115FA5DC09FAA7A6DDF81330F20032DFD29961D1CBB1C921DBA1

Function 002A600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002A604C
GetStockObject.GDI32(00000011), ref: 002A6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 002A606A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f8363a92aed8cb21600ca1a1f98f8efcc99a20cde26e3257f554beafab636e4c
Instruction ID: df93c9efac9e436795864ae4ec2cf722fd8ce1d991559f85c24e497f165e3d85
Opcode Fuzzy Hash: f8363a92aed8cb21600ca1a1f98f8efcc99a20cde26e3257f554beafab636e4c
Instruction Fuzzy Hash: 36116173521549FFEF125FA49C48EEABB6DFF09354F090215FA1452110DB729CA0DB90

Function 002C3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 002C3B56

Part of subcall function 002C3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 002C3AD2
Part of subcall function 002C3AA3: ___AdjustPointer.LIBCMT ref: 002C3AED

_UnwindNestedFrames.LIBCMT ref: 002C3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 002C3B7C
CallCatchBlock.LIBVCRUNTIME ref: 002C3BA4

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 1260d583453abaf5674146ecfa2f8aca5738448fed3a66c7365016e2e2518de0
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: BD01D732110149BBDF12AE95CC46EEB7B6DEF58758F048618FE4856121C632E971DFA0

Function 002D3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002A13C6,00000000,00000000,?,002D301A,002A13C6,00000000,00000000,00000000,?,002D328B,00000006,FlsSetValue), ref: 002D30A5
GetLastError.KERNEL32(?,002D301A,002A13C6,00000000,00000000,00000000,?,002D328B,00000006,FlsSetValue,00342290,FlsSetValue,00000000,00000364,?,002D2E46), ref: 002D30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,002D301A,002A13C6,00000000,00000000,00000000,?,002D328B,00000006,FlsSetValue,00342290,FlsSetValue,00000000), ref: 002D30BF

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b05d259f05e66796ebd6af8e3c019124394a92ea9580780212a947c96805b1f0
Instruction ID: 374c72e80e6f174244fa7c9e5d5db4c5c120a1143feef128dabda911d445b1ea
Opcode Fuzzy Hash: b05d259f05e66796ebd6af8e3c019124394a92ea9580780212a947c96805b1f0
Instruction Fuzzy Hash: E501B136731222ABCB228A68EC849577B9CAB05B62F140621F906E7240C761DD11C6E1

Function 00307464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0030747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00307497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003074CA

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 92b468e341b95f09951c57b078057a0f9620b3c86f8cff7ffdd2620c1ff2fa05
Instruction ID: 66ede1766554fe303a112e6aca6a57f831ff6a42cc5f333335c253fd9c9d2d29
Opcode Fuzzy Hash: 92b468e341b95f09951c57b078057a0f9620b3c86f8cff7ffdd2620c1ff2fa05
Instruction Fuzzy Hash: FD11C0B5A16314AFE7228F16EC58FA27FFCEB00B00F108569A656E6591D7B0F904DB60

Function 0030B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0030ACD3,?,00008000), ref: 0030B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0030ACD3,?,00008000), ref: 0030B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0030ACD3,?,00008000), ref: 0030B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0030ACD3,?,00008000), ref: 0030B126

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b9b982a993997251d34df945399f905c7523cd5e0e6f7563037bf7a918b7d61b
Instruction ID: f0830609122de7385bf0a11e9f1a13df9bf5dc210c653a04d9687e331e6d9906
Opcode Fuzzy Hash: b9b982a993997251d34df945399f905c7523cd5e0e6f7563037bf7a918b7d61b
Instruction Fuzzy Hash: 4E116D31C1252CE7CF06AFE4E9A9AEEFB78FF0A711F114085D981B2181CB3056609B91

Function 00302DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00302DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00302DD6
GetCurrentThreadId.KERNEL32 ref: 00302DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00302DE4

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: fd50e53393fcb35fcb2bc772783fb327815ac1ffa46865c4c483d2aa619243cf
Instruction ID: afa1f0bd9915cc08485fcbf386561fdebe6b81ec739dc792df9983b1474fb4cc
Opcode Fuzzy Hash: fd50e53393fcb35fcb2bc772783fb327815ac1ffa46865c4c483d2aa619243cf
Instruction Fuzzy Hash: 59E09271512224BBDB221B729C4EFEB3E6CFF42BA1F041015F105E10809AA4C840C7B0

Function 00338863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002B9693
Part of subcall function 002B9639: SelectObject.GDI32(?,00000000), ref: 002B96A2
Part of subcall function 002B9639: BeginPath.GDI32(?), ref: 002B96B9
Part of subcall function 002B9639: SelectObject.GDI32(?,00000000), ref: 002B96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00338887
LineTo.GDI32(?,?,?), ref: 00338894
EndPath.GDI32(?), ref: 003388A4
StrokePath.GDI32(?), ref: 003388B2

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 2e75262f55c55f148589e950dff6a7ea1117d74f9a8eb9995aa288ce2f9cf140
Instruction ID: 393cef5d1a96f760a7c287e4c89398a5be148f7575951ad77213739a331b9cad
Opcode Fuzzy Hash: 2e75262f55c55f148589e950dff6a7ea1117d74f9a8eb9995aa288ce2f9cf140
Instruction Fuzzy Hash: A6F03A36065658BADB135F98AC49FCA3B6DAF06310F048000FB12750E2C7755561DFE5

Function 002B98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002B98CC
SetTextColor.GDI32(?,?), ref: 002B98D6
SetBkMode.GDI32(?,00000001), ref: 002B98E9
GetStockObject.GDI32(00000005), ref: 002B98F1

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 58e6ba525df9aa8163077338a68932662c431b296093ab998d43e234e75bea54
Instruction ID: 6ab91b72f3c002e295ab1d1ce4d43754cfc3d257c6548b257396b617356ba4cf
Opcode Fuzzy Hash: 58e6ba525df9aa8163077338a68932662c431b296093ab998d43e234e75bea54
Instruction Fuzzy Hash: 88E06531654644AADB225F75AC49BE87F24AB12375F048219F7F5640E1C37146509B10

Function 0030162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00301634
OpenThreadToken.ADVAPI32(00000000,?,?,?,003011D9), ref: 0030163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003011D9), ref: 00301648
OpenProcessToken.ADVAPI32(00000000,?,?,?,003011D9), ref: 0030164F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: f57bd4f2227f3b917e0e7519b32049bce81149b9a7baa660427c811b5de68bb7
Instruction ID: 65975d56303d29681d64e21c1e7ab4ff94517df7d4d1b1b0e0f5f818d33505e1
Opcode Fuzzy Hash: f57bd4f2227f3b917e0e7519b32049bce81149b9a7baa660427c811b5de68bb7
Instruction Fuzzy Hash: 45E08C32612211EBDB211FA0AE8DB873B7CBF447A2F158808F645E9080E7388444CB60

Function 002FD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002FD858
GetDC.USER32(00000000), ref: 002FD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002FD882
ReleaseDC.USER32(?), ref: 002FD8A3

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0795526f5944ef703bd08a4349434716502a211a19a45e4d8bb0cc9e15435b1f
Instruction ID: 8d1c7a9a73716254dbde26cc4323c698573c240b870250a37b8a797e5f470ac7
Opcode Fuzzy Hash: 0795526f5944ef703bd08a4349434716502a211a19a45e4d8bb0cc9e15435b1f
Instruction Fuzzy Hash: ADE01AB1820204DFCB42AFA0D88D66DBBBAFB08310F249419F846F7260CB788951EF40

Function 002FD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002FD86C
GetDC.USER32(00000000), ref: 002FD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002FD882
ReleaseDC.USER32(?), ref: 002FD8A3

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: fd59c560d081de16844a49266ae52179a1ee7d07424aafaec32786017b591067
Instruction ID: 4e65b23193e2db281691e722c491a46d858da97c2013802dfa6f94969a3476a8
Opcode Fuzzy Hash: fd59c560d081de16844a49266ae52179a1ee7d07424aafaec32786017b591067
Instruction Fuzzy Hash: 35E01A71820200DFCB42AFA0D88D66DBBB9BB08310F149409F846F7260CB389911DF40

Function 00314D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 002A7620: _wcslen.LIBCMT ref: 002A7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00314ED4

Strings

*, xrefs: 00314E10
LPT, xrefs: 00314DFB

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 9b90c95c04e083f02da7df8f515f0e3c3d3f7737031938fb711b1ca5ae33a0e6
Instruction ID: 2b6e8f402af910169185076b81cd3acec4f13dedd338eda8a64cb067fefaecc1
Opcode Fuzzy Hash: 9b90c95c04e083f02da7df8f515f0e3c3d3f7737031938fb711b1ca5ae33a0e6
Instruction Fuzzy Hash: F8915075A002049FCB19DF58C484EE9BBF5BF49304F198099E80A9F7A2D735ED86CB91

Function 002CE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002CE30D

Strings

pow, xrefs: 002CE2E5, 002CE302

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: e1fbc1518bb8179554e1fb16975a2acb787e82d3239547d399064e1ee498accb
Instruction ID: 8f252ba38f4a589605aae453c1e975ac8ad514963a7432a0ebac74fca88e11d1
Opcode Fuzzy Hash: e1fbc1518bb8179554e1fb16975a2acb787e82d3239547d399064e1ee498accb
Instruction Fuzzy Hash: E9517A61A3C20396CF167F14CD01B7A2BA8AF40740F604E9EE495473A9FF3D9CB59A46

Function 00327771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(002F569E,00000000,?,0033CC08,?,00000000,00000000), ref: 003278DD

Part of subcall function 002A6B57: _wcslen.LIBCMT ref: 002A6B6A

CharUpperBuffW.USER32(002F569E,00000000,?,0033CC08,00000000,?,00000000,00000000), ref: 0032783B

Strings

<s6, xrefs: 003277C8

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s6
API String ID: 3544283678-429423178
Opcode ID: 11482f98d619e63af027a95f4da88eecaf510765deaa93c35146a526d491592f
Instruction ID: 8ea4c6a4ccdc4e6597a814f27f32d47d70253ce35daa86bffa3e0f8b6e3ead10
Opcode Fuzzy Hash: 11482f98d619e63af027a95f4da88eecaf510765deaa93c35146a526d491592f
Instruction Fuzzy Hash: 6D616B36924229ABCF06EBA4DC92DFEB378BF15300F544125F542B7091EF349A59CBA0

Function 002BE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 002BE1B1

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 495d2020b417d3513f7defdb97203fcbf36784a1afd20f7d2e0eeb1c1f815ac3
Instruction ID: 8149edef0edb3ee077f0e46b77565086ccaa82b426a265198cbde6c0ba7bb1b1
Opcode Fuzzy Hash: 495d2020b417d3513f7defdb97203fcbf36784a1afd20f7d2e0eeb1c1f815ac3
Instruction Fuzzy Hash: 2B51353552024ADFDF16EF28C4816FAFBA4EF25390F254065ED519B2E0DB349D62CB90

Function 002BF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 002BF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 002BF2BB

Strings

@, xrefs: 002BF2AF

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 25d8cfaf5412fb5dd364ecc18a5278f5d840f0f4de05a65bc26ad61f7fbc3629
Instruction ID: bda336676a1c54fca0a7d72dcc6568b90a44c8c690878d512451c613b5deb5a0
Opcode Fuzzy Hash: 25d8cfaf5412fb5dd364ecc18a5278f5d840f0f4de05a65bc26ad61f7fbc3629
Instruction Fuzzy Hash: 795124714287449FD320AF10DC86BABBBF8FB85300F81885DF299811A5EF708539CB66

Function 00325745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003257E0
_wcslen.LIBCMT ref: 003257EC

Strings

CALLARGARRAY, xrefs: 003257E6, 003257EB

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 8317257bb6b21f6449d9e6111d47dbac93d91c7281bc11f4af1e15384d9096e8
Instruction ID: dcaedeb6003e58176307080e3345f5d67989742392ddbbd93a45919bdc97ee2f
Opcode Fuzzy Hash: 8317257bb6b21f6449d9e6111d47dbac93d91c7281bc11f4af1e15384d9096e8
Instruction Fuzzy Hash: F041B135E102299FCB05DFA9D8818FEBBB5FF59360F114029E505AB251DB709E81CF90

Function 0031D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0031D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0031D13A

Strings

|, xrefs: 0031D10B

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 58cf4c891e32a5dc22a5e9c763662c97ee40f19e16b400f2a5ca284c9a84f60c
Instruction ID: b8d12c10a5b122c84f79648de7891c040d4bb92138422e278900d59a8cd69064
Opcode Fuzzy Hash: 58cf4c891e32a5dc22a5e9c763662c97ee40f19e16b400f2a5ca284c9a84f60c
Instruction Fuzzy Hash: 27311971D10219ABCF15EFA4CD85EEEBFB9FF0A300F000029E815A6162DB35AA56CF50

Function 0033356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00333621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0033365C

Strings

static, xrefs: 003335BC

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ba6ba4150df57df17e273d1a51b9919979072e4de5652796cc60ec1ab7688125
Instruction ID: 69a5da9f442c7538b5479cb68cd4f8ade225d5280d5f62d006e0faa1675df14b
Opcode Fuzzy Hash: ba6ba4150df57df17e273d1a51b9919979072e4de5652796cc60ec1ab7688125
Instruction Fuzzy Hash: 88319071110204AEDB129F68DCC1EFB73A9FF49720F119619F8A5D7290DA34ED91CB60

Function 00334537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0033461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00334634

Strings

', xrefs: 0033458E

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: cf44e5c66a96e7df5e06544e7fc40596443ebab337d99fb112b9ec15fb4ce2b6
Instruction ID: b221ee975ee101bbf31799805a32326e5512ebc413131ab6f89f1ea0044b8faf
Opcode Fuzzy Hash: cf44e5c66a96e7df5e06544e7fc40596443ebab337d99fb112b9ec15fb4ce2b6
Instruction Fuzzy Hash: 5D313875E003099FEB15CFA9C981BDABBB9FF0A300F14406AE904AB341D770A941CF90

Function 003331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0033327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00333287

Strings

Combobox, xrefs: 00333249

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d41ffeff3c3764323672ec9dd62852ec9de885dda7b242dec4a9d392f4aeff7b
Instruction ID: 6054e1938b2788916245fcf4ad42efc0265b7e95853b4b0121266547f28c71b8
Opcode Fuzzy Hash: d41ffeff3c3764323672ec9dd62852ec9de885dda7b242dec4a9d392f4aeff7b
Instruction Fuzzy Hash: 8A11B2717002087FEF229F54DCC5EBB7B6EEB94364F118628F918DB290D6719D618B60

Function 00333710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 002A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002A604C
Part of subcall function 002A600E: GetStockObject.GDI32(00000011), ref: 002A6060
Part of subcall function 002A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 002A606A

GetWindowRect.USER32(00000000,?), ref: 0033377A
GetSysColor.USER32(00000012), ref: 00333794

Strings

static, xrefs: 00333757

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 4fda816387e2eeaee3b6a9bb87a2d7f97e3227b0dcda4dbd5437a95fb96a3988
Instruction ID: c139dbd785c49efc5cba73650b7a285f76fdb51781e00d4d20f94768aaca30fe
Opcode Fuzzy Hash: 4fda816387e2eeaee3b6a9bb87a2d7f97e3227b0dcda4dbd5437a95fb96a3988
Instruction Fuzzy Hash: 6C113AB2610209AFDF12DFA8CC86EFA7BB8FB09314F015514F955E2250D735E8619B50

Function 0031CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0031CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0031CDA6

Strings

<local>, xrefs: 0031CD66

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: b7c3cc05b3f850b6d9d2a9bc72e1c2f175b9bb6df9ef831a7cfd22c4f2df9003
Instruction ID: e2d70e4efa1bd2d78e4feb74c379f4482bb9093bc2a080df3797eb49897e7901
Opcode Fuzzy Hash: b7c3cc05b3f850b6d9d2a9bc72e1c2f175b9bb6df9ef831a7cfd22c4f2df9003
Instruction Fuzzy Hash: 431106712A16317AD73E4B669C85EE7BE6CEF167A4F006226F10993080D3709880D6F0

Function 00333429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 003334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003334BA

Strings

edit, xrefs: 0033348F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: a0136136b83c5e86d55c2400e8393aad911623a432e8bf1af55ef49be39ff7fc
Instruction ID: 316292555fa406b1a09e8f83ada6b5a04c0873d4e32b7c35cd7e72d77cdd0297
Opcode Fuzzy Hash: a0136136b83c5e86d55c2400e8393aad911623a432e8bf1af55ef49be39ff7fc
Instruction Fuzzy Hash: 86116A71110208ABEB238F65DC85ABB376EEB05374F528324F965A71E0C771DC919B60

Function 00306C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00306CB6
_wcslen.LIBCMT ref: 00306CC2

Strings

STOP, xrefs: 00306CBC, 00306CC1

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: d43910665afa64609fa889f1894139b8fd2fd2fa6544393dba17ce5c356f5e49
Instruction ID: df503774d1933b028f1b5d487c0272927b2a91ecf48b344d533e01e98472f92d
Opcode Fuzzy Hash: d43910665afa64609fa889f1894139b8fd2fd2fa6544393dba17ce5c356f5e49
Instruction Fuzzy Hash: 1C012B326115268BDB12DFBDDCA29BF33B9FF61710B010535E452971D8EB31D860C650

Function 00301CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

Part of subcall function 00303CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00303CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00301D4C

Strings

ComboBox, xrefs: 00301CEB
ListBox, xrefs: 00301D16

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e7fcb7dc9b351f85eaeffafce7d830d33a3a4a68bfd4c60ea88ca34440f4e2c7
Instruction ID: 35acad69d49f8e2b14047cd574a73fba78c42de5c4f8d45798ab0e0ca3564d1a
Opcode Fuzzy Hash: e7fcb7dc9b351f85eaeffafce7d830d33a3a4a68bfd4c60ea88ca34440f4e2c7
Instruction Fuzzy Hash: 5E01D871612214ABCB06FBA4CC61CFE7368EB47350F04051AF822672C1EE3059188B60

Function 00301BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

Part of subcall function 00303CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00303CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00301C46

Strings

ComboBox, xrefs: 00301BE5
ListBox, xrefs: 00301C10

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 28181c0fa9423e7411585c7882c6c049934c46b6567e233e787f6168451d9d7e
Instruction ID: d567f4962406b028690737c443f61c7d0cdf161456b8914d3ea3e73a682457f0
Opcode Fuzzy Hash: 28181c0fa9423e7411585c7882c6c049934c46b6567e233e787f6168451d9d7e
Instruction Fuzzy Hash: 7F01A7756921046BDB0AEB90C9629FF77AC9B16340F140019F506772C1EE24DE5886B1

Function 00301C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

Part of subcall function 00303CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00303CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00301CC8

Strings

ComboBox, xrefs: 00301C69
ListBox, xrefs: 00301C94

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 424cb7ec1bc658102ec3f5fb7e8bde7dcb5671d0e30a134f784fb0667da0baee
Instruction ID: 9b0ff7814663504e0121ea0ba671bd782560e214e7991d1305553e98be6c588b
Opcode Fuzzy Hash: 424cb7ec1bc658102ec3f5fb7e8bde7dcb5671d0e30a134f784fb0667da0baee
Instruction Fuzzy Hash: DB01F9717821186BEB06EBA1CA22EFF73AC9B12380F140015F802B72C1EE20DF18C671

Function 002BA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002BA529

Part of subcall function 002A9CB3: _wcslen.LIBCMT ref: 002A9CBD

Strings

,%7, xrefs: 002BA509
3y/, xrefs: 002BA545, 002BA54D, 002BA552

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%7$3y/
API String ID: 2551934079-2369839299
Opcode ID: 167c59b23ddda8cbfc580cc6769d19d88c4148f27699afe856e3de8bba309e6f
Instruction ID: 04d0a1b4498a88e5d8c86151f3451d2f8c9ef5a36024b46a05af6effd87393d8
Opcode Fuzzy Hash: 167c59b23ddda8cbfc580cc6769d19d88c4148f27699afe856e3de8bba309e6f
Instruction Fuzzy Hash: B1017B32B306108BC621F768DC47FDD7368DB067A0F804018F50A171C2DE509E618F97

Function 00338172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00373018,0037305C), ref: 003381BF
CloseHandle.KERNEL32 ref: 003381D1

Strings

\07, xrefs: 0033818A

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \07
API String ID: 3712363035-4246510906
Opcode ID: c7102fd6e7d3657075b759b5e110db75047be8453dd4412313aca32a58233ad9
Instruction ID: cede2bf76dd5879b803845963ceabfef417f9e81d37841d5d3e4404e119d8970
Opcode Fuzzy Hash: c7102fd6e7d3657075b759b5e110db75047be8453dd4412313aca32a58233ad9
Instruction Fuzzy Hash: 13F082F6650300BEE3326761AC85FB73A5CDB05750F004464BB0DE61A2DA7D8E54A7F9

Function 0032747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00327493
_wcslen.LIBCMT ref: 003274B9

Strings

3, 3, 16, 1, xrefs: 00327483

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 7824fc4cf6c6d80c94d847e11d9e3eb1f1208dd981333c8d62d2ea6470846ef8
Instruction ID: b069778d4d9d376039476c87472614ddd36e49b8d64383c26439a9cdc1726a1b
Opcode Fuzzy Hash: 7824fc4cf6c6d80c94d847e11d9e3eb1f1208dd981333c8d62d2ea6470846ef8
Instruction Fuzzy Hash: 7EE02B26614270109232327BBCC5EBF5689EFC5750710192FF981C226AEAA48DA193A0

Function 00300B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00300B23

Strings

AutoIt, xrefs: 00300B17
Error allocating memory., xrefs: 00300B1C

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 02fc01f419d79a3473ecc3340470544d6c43cd5c05089cf355122b671e325cfd
Instruction ID: 53408af79ede5afb68919a15a5819e371539251c8221e93b858b9e659173bb2b
Opcode Fuzzy Hash: 02fc01f419d79a3473ecc3340470544d6c43cd5c05089cf355122b671e325cfd
Instruction Fuzzy Hash: 71E0D8312643182AD21536947C43FC97A848F05B51F10042AFB58654C38BD1A4A04BA9

Function 002C0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002BF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,002C0D71,?,?,?,002A100A), ref: 002BF7CE

IsDebuggerPresent.KERNEL32(?,?,?,002A100A), ref: 002C0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002A100A), ref: 002C0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002C0D7F

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 39ec96ea9ecc3d2cb21ce867ae55f1dd986dbda27da19640af30c1fe723e7eec
Instruction ID: c893f764e416aa78e13420612ba7728c3c024153c2822caaf65283a641ed011a
Opcode Fuzzy Hash: 39ec96ea9ecc3d2cb21ce867ae55f1dd986dbda27da19640af30c1fe723e7eec
Instruction Fuzzy Hash: D1E06D746203118FE7719FB8D884B927BE4EF00B40F004A6DE886C6655DBB4E484CB91

Function 002BE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002BE3D5

Strings

8%7, xrefs: 002BE3CA
0%7, xrefs: 002BE3B5

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%7$8%7
API String ID: 1385522511-604599190
Opcode ID: 1b1be695e1336d2a94479b7f6ed3e9891bd4cd8743d971cc1a37ccd3ef6c6dc7
Instruction ID: 8a497b9fbc938ffbdd101d021bf8f7780cfd8d23f55cd3a349cbcc411a846fb9
Opcode Fuzzy Hash: 1b1be695e1336d2a94479b7f6ed3e9891bd4cd8743d971cc1a37ccd3ef6c6dc7
Instruction Fuzzy Hash: 6AE02031430910CBCE269718B494EDDB395EB0E334F1151E8F119471D39B7458918B45

Function 002FD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002FD220

Strings

X64, xrefs: 002FD2A8
%.3d, xrefs: 002FD22B

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: deaef393c8840841c9d4da899d23fada9c6bc20d69c11b33ba66ce3fee3a8b9d
Instruction ID: 965ae36d1e1149ce7b0b6b2a6f00b2693b2a5d4d272a227ce7cdfd277ac07a44
Opcode Fuzzy Hash: deaef393c8840841c9d4da899d23fada9c6bc20d69c11b33ba66ce3fee3a8b9d
Instruction Fuzzy Hash: EAD0126183810CEACB9097D0CD458FAF37DAB08381F608472FE06E1042E664D5286BA1

Function 00332322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0033232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0033233F

Part of subcall function 0030E97B: Sleep.KERNEL32 ref: 0030E9F3

Strings

Shell_TrayWnd, xrefs: 00332325

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a3b63ca4b3c0195e1782c4d0f3cc9d99cd1c344fd437222dd53dc2f04ac6cb4e
Instruction ID: 7022fe8399b323eac63a130fa688cb5b1903032ab823e1cd2cc08efa3739b7a4
Opcode Fuzzy Hash: a3b63ca4b3c0195e1782c4d0f3cc9d99cd1c344fd437222dd53dc2f04ac6cb4e
Instruction Fuzzy Hash: C0D012363A5310B7E665B771DC5FFC7BA189B41B10F005916B745BA1E4C9F4A801CB54

Function 00332356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0033236C
PostMessageW.USER32(00000000), ref: 00332373

Part of subcall function 0030E97B: Sleep.KERNEL32 ref: 0030E9F3

Strings

Shell_TrayWnd, xrefs: 00332365

Memory Dump Source

Source File: 00000000.00000002.2084112780.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2084064351.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.000000000033C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084222581.0000000000362000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084328282.000000000036C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2084373034.0000000000374000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_30% Order payment-BLQuote_'PO#385995790.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 78743070dbf5f8ad413f92ff1c4bfc70c409c677f49e09e21b942d8ebbaa4dff
Instruction ID: da74ab3fd49972e4ee842fe8d837af10728e335e273f5a4dfe5377ffa6bbad32
Opcode Fuzzy Hash: 78743070dbf5f8ad413f92ff1c4bfc70c409c677f49e09e21b942d8ebbaa4dff
Instruction Fuzzy Hash: 17D0C9323913107AE666A7719C4FFC6B6189B45B10F005916B645BA1E4C9A4A8018B58

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 30% Order payment-BLQuote_'PO#385995790.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Temp\Graff

C:\Users\user\AppData\Local\Temp\aut2D14.tmp

C:\Users\user\AppData\Local\Temp\autE8F7.tmp

C:\Users\user\AppData\Local\Temp\autF51C.tmp

C:\Users\user\AppData\Local\exhilaratingly\teepees.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teepees.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
30% Order payment-BLQuote_'PO#385995790.exe

Function 002A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 002A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 002E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 002A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 002D8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 002E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 002A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 002A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 002A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 016A82E0 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Function 002A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00312947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre