Edit tour

Windows Analysis Report
QUOTATION#090125-ELITEMARINE.exe

Overview

General Information

Sample name:	QUOTATION#090125-ELITEMARINE.exe
Analysis ID:	1589910
MD5:	906f9e9c186a8d6fffaefe87e3c7d5b8
SHA1:	819df47445095666a46b56045414238ffa334c23
SHA256:	dc1e9dc86c50317fac50c8a486c87d1344afda4c79ae4e2567db7916b31d6c52
Tags:	exeRedLineStealeruser-lowmal3
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

QUOTATION#090125-ELITEMARINE.exe (PID: 7596 cmdline: "C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe" MD5: 906F9E9C186A8D6FFFAEFE87E3C7D5B8)

RegSvcs.exe (PID: 7652 cmdline: "C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "info@kianaenergy.com", "Password": "@kiana@energy", "Server": "mail.kianaenergy.com", "To": "chuckc.wmtubewire@outlook.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1339078423.0000000003440000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 8E 88 44 24 2B 88 44 24 2F B0 F0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c72c:$a1: get_encryptedPassword 0x1c700:$a2: get_encryptedUsername 0x1c7c4:$a3: get_timePasswordChanged 0x1c6dc:$a4: get_passwordField 0x1c742:$a5: set_encryptedPassword 0x1c50f:$a7: get_logins 0x1ba7d:$a8: GetOutlookPasswords 0x1af91:$a9: StartKeylogger 0x199eb:$a10: KeyLoggerEventArgs 0x199ba:$a11: KeyLoggerEventArgsEventHandler 0x1c5e3:$a13: _encryptedPassword
00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20e5b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20359:$a3: \Google\Chrome\User Data\Default\Login Data 0x20667:$a4: \Orbitum\User Data\Default\Login Data 0x2145f:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.2579836602.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 8E 88 44 24 2B 88 44 24 2F B0 F0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21b84:$a1: get_encryptedPassword 0x49cbc:$a1: get_encryptedPassword 0x21b58:$a2: get_encryptedUsername 0x49c90:$a2: get_encryptedUsername 0x21c1c:$a3: get_timePasswordChanged 0x49d54:$a3: get_timePasswordChanged 0x21b34:$a4: get_passwordField 0x49c6c:$a4: get_passwordField 0x21b9a:$a5: set_encryptedPassword 0x49cd2:$a5: set_encryptedPassword 0x21967:$a7: get_logins 0x49a9f:$a7: get_logins 0x20ed5:$a8: GetOutlookPasswords 0x4900d:$a8: GetOutlookPasswords 0x203e9:$a9: StartKeylogger 0x48521:$a9: StartKeylogger 0x1ee43:$a10: KeyLoggerEventArgs 0x46f7b:$a10: KeyLoggerEventArgs 0x1ee12:$a11: KeyLoggerEventArgsEventHandler 0x46f4a:$a11: KeyLoggerEventArgsEventHandler 0x21a3b:$a13: _encryptedPassword
00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5e1e2:$a1: get_encryptedPassword 0x5e1b6:$a2: get_encryptedUsername 0x5e27a:$a3: get_timePasswordChanged 0x5e192:$a4: get_passwordField 0x5e1f8:$a5: set_encryptedPassword 0x5dfc5:$a7: get_logins 0x5d533:$a8: GetOutlookPasswords 0x5ca47:$a9: StartKeylogger 0x5b4a1:$a10: KeyLoggerEventArgs 0x5b470:$a11: KeyLoggerEventArgsEventHandler 0x5e099:$a13: _encryptedPassword
00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d614:$a1: get_encryptedPassword 0x1d5e8:$a2: get_encryptedUsername 0x1d6ac:$a3: get_timePasswordChanged 0x1d5c4:$a4: get_passwordField 0x1d62a:$a5: set_encryptedPassword 0x1d3f7:$a7: get_logins 0x1c965:$a8: GetOutlookPasswords 0x1be79:$a9: StartKeylogger 0x1a8d3:$a10: KeyLoggerEventArgs 0x1a8a2:$a11: KeyLoggerEventArgsEventHandler 0x1d4cb:$a13: _encryptedPassword
00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21d43:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21241:$a3: \Google\Chrome\User Data\Default\Login Data 0x2154f:$a4: \Orbitum\User Data\Default\Login Data 0x22347:$a5: \Kometa\User Data\Default\Login Data
Process Memory Space: RegSvcs.exe PID: 7652	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7652	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7652	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7652	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7652	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x228c4:$a1: get_encryptedPassword 0x3c233:$a1: get_encryptedPassword 0x4afb6:$a1: get_encryptedPassword 0x8c4a8:$a1: get_encryptedPassword 0x22898:$a2: get_encryptedUsername 0x3c207:$a2: get_encryptedUsername 0x4af8a:$a2: get_encryptedUsername 0x8c47c:$a2: get_encryptedUsername 0x2295c:$a3: get_timePasswordChanged 0x3c2cb:$a3: get_timePasswordChanged 0x4b04e:$a3: get_timePasswordChanged 0x8c540:$a3: get_timePasswordChanged 0x22874:$a4: get_passwordField 0x3c1e3:$a4: get_passwordField 0x4af66:$a4: get_passwordField 0x8c458:$a4: get_passwordField 0x228da:$a5: set_encryptedPassword 0x3c249:$a5: set_encryptedPassword 0x4afcc:$a5: set_encryptedPassword 0x8c4be:$a5: set_encryptedPassword 0x226b0:$a7: get_logins
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 8E 88 44 24 2B 88 44 24 2F B0 F0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.5430000.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.5430000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5430000.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.5430000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5430000.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c72c:$a1: get_encryptedPassword 0x1c700:$a2: get_encryptedUsername 0x1c7c4:$a3: get_timePasswordChanged 0x1c6dc:$a4: get_passwordField 0x1c742:$a5: set_encryptedPassword 0x1c50f:$a7: get_logins 0x1ba7d:$a8: GetOutlookPasswords 0x1af91:$a9: StartKeylogger 0x199eb:$a10: KeyLoggerEventArgs 0x199ba:$a11: KeyLoggerEventArgsEventHandler 0x1c5e3:$a13: _encryptedPassword
2.2.RegSvcs.exe.5430000.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20e5b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20359:$a3: \Google\Chrome\User Data\Default\Login Data 0x20667:$a4: \Orbitum\User Data\Default\Login Data 0x2145f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2d30bce.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2d30bce.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2d30bce.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2d30bce.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2d30bce.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d614:$a1: get_encryptedPassword 0x1d5e8:$a2: get_encryptedUsername 0x1d6ac:$a3: get_timePasswordChanged 0x1d5c4:$a4: get_passwordField 0x1d62a:$a5: set_encryptedPassword 0x1d3f7:$a7: get_logins 0x1c965:$a8: GetOutlookPasswords 0x1be79:$a9: StartKeylogger 0x1a8d3:$a10: KeyLoggerEventArgs 0x1a8a2:$a11: KeyLoggerEventArgsEventHandler 0x1d4cb:$a13: _encryptedPassword
2.2.RegSvcs.exe.2d30bce.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21d43:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21241:$a3: \Google\Chrome\User Data\Default\Login Data 0x2154f:$a4: \Orbitum\User Data\Default\Login Data 0x22347:$a5: \Kometa\User Data\Default\Login Data
0.2.QUOTATION#090125-ELITEMARINE.exe.3440000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 8E 88 44 24 2B 88 44 24 2F B0 F0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.2ee0000.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2ee0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2ee0000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2ee0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2ee0000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d614:$a1: get_encryptedPassword 0x1d5e8:$a2: get_encryptedUsername 0x1d6ac:$a3: get_timePasswordChanged 0x1d5c4:$a4: get_passwordField 0x1d62a:$a5: set_encryptedPassword 0x1d3f7:$a7: get_logins 0x1c965:$a8: GetOutlookPasswords 0x1be79:$a9: StartKeylogger 0x1a8d3:$a10: KeyLoggerEventArgs 0x1a8a2:$a11: KeyLoggerEventArgsEventHandler 0x1d4cb:$a13: _encryptedPassword
2.2.RegSvcs.exe.2ee0000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21d43:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21241:$a3: \Google\Chrome\User Data\Default\Login Data 0x2154f:$a4: \Orbitum\User Data\Default\Login Data 0x22347:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.3fb6458.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.3fb6458.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3fb6458.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3fb6458.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3fb6458.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a92c:$a1: get_encryptedPassword 0x1a900:$a2: get_encryptedUsername 0x1a9c4:$a3: get_timePasswordChanged 0x1a8dc:$a4: get_passwordField 0x1a942:$a5: set_encryptedPassword 0x1a70f:$a7: get_logins 0x19c7d:$a8: GetOutlookPasswords 0x19191:$a9: StartKeylogger 0x17beb:$a10: KeyLoggerEventArgs 0x17bba:$a11: KeyLoggerEventArgsEventHandler 0x1a7e3:$a13: _encryptedPassword
2.2.RegSvcs.exe.3fb6458.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f05b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e559:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e867:$a4: \Orbitum\User Data\Default\Login Data 0x1f65f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.3fde590.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.3fde590.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3fde590.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3fde590.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3fde590.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c72c:$a1: get_encryptedPassword 0x1c700:$a2: get_encryptedUsername 0x1c7c4:$a3: get_timePasswordChanged 0x1c6dc:$a4: get_passwordField 0x1c742:$a5: set_encryptedPassword 0x1c50f:$a7: get_logins 0x1ba7d:$a8: GetOutlookPasswords 0x1af91:$a9: StartKeylogger 0x199eb:$a10: KeyLoggerEventArgs 0x199ba:$a11: KeyLoggerEventArgsEventHandler 0x1c5e3:$a13: _encryptedPassword
2.2.RegSvcs.exe.3fde590.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20e5b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20359:$a3: \Google\Chrome\User Data\Default\Login Data 0x20667:$a4: \Orbitum\User Data\Default\Login Data 0x2145f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2d31ab6.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2d31ab6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2d31ab6.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2d31ab6.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2d31ab6.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a92c:$a1: get_encryptedPassword 0x1a900:$a2: get_encryptedUsername 0x1a9c4:$a3: get_timePasswordChanged 0x1a8dc:$a4: get_passwordField 0x1a942:$a5: set_encryptedPassword 0x1a70f:$a7: get_logins 0x19c7d:$a8: GetOutlookPasswords 0x19191:$a9: StartKeylogger 0x17beb:$a10: KeyLoggerEventArgs 0x17bba:$a11: KeyLoggerEventArgsEventHandler 0x1a7e3:$a13: _encryptedPassword
2.2.RegSvcs.exe.2d31ab6.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f05b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e559:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e867:$a4: \Orbitum\User Data\Default\Login Data 0x1f65f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2d31ab6.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2d31ab6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2d31ab6.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2d31ab6.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2d31ab6.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c72c:$a1: get_encryptedPassword 0x1c700:$a2: get_encryptedUsername 0x1c7c4:$a3: get_timePasswordChanged 0x1c6dc:$a4: get_passwordField 0x1c742:$a5: set_encryptedPassword 0x1c50f:$a7: get_logins 0x1ba7d:$a8: GetOutlookPasswords 0x1af91:$a9: StartKeylogger 0x199eb:$a10: KeyLoggerEventArgs 0x199ba:$a11: KeyLoggerEventArgsEventHandler 0x1c5e3:$a13: _encryptedPassword
2.2.RegSvcs.exe.2d31ab6.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20e5b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20359:$a3: \Google\Chrome\User Data\Default\Login Data 0x20667:$a4: \Orbitum\User Data\Default\Login Data 0x2145f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.5430000.8.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.5430000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5430000.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.5430000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5430000.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a92c:$a1: get_encryptedPassword 0x1a900:$a2: get_encryptedUsername 0x1a9c4:$a3: get_timePasswordChanged 0x1a8dc:$a4: get_passwordField 0x1a942:$a5: set_encryptedPassword 0x1a70f:$a7: get_logins 0x19c7d:$a8: GetOutlookPasswords 0x19191:$a9: StartKeylogger 0x17beb:$a10: KeyLoggerEventArgs 0x17bba:$a11: KeyLoggerEventArgsEventHandler 0x1a7e3:$a13: _encryptedPassword
2.2.RegSvcs.exe.5430000.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f05b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e559:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e867:$a4: \Orbitum\User Data\Default\Login Data 0x1f65f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2ee0000.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2ee0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2ee0000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2ee0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2ee0000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b814:$a1: get_encryptedPassword 0x1b7e8:$a2: get_encryptedUsername 0x1b8ac:$a3: get_timePasswordChanged 0x1b7c4:$a4: get_passwordField 0x1b82a:$a5: set_encryptedPassword 0x1b5f7:$a7: get_logins 0x1ab65:$a8: GetOutlookPasswords 0x1a079:$a9: StartKeylogger 0x18ad3:$a10: KeyLoggerEventArgs 0x18aa2:$a11: KeyLoggerEventArgsEventHandler 0x1b6cb:$a13: _encryptedPassword
2.2.RegSvcs.exe.2ee0000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ff43:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f441:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f74f:$a4: \Orbitum\User Data\Default\Login Data 0x20547:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.3fde590.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.3fde590.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3fde590.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3fde590.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3fde590.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a92c:$a1: get_encryptedPassword 0x1a900:$a2: get_encryptedUsername 0x1a9c4:$a3: get_timePasswordChanged 0x1a8dc:$a4: get_passwordField 0x1a942:$a5: set_encryptedPassword 0x1a70f:$a7: get_logins 0x19c7d:$a8: GetOutlookPasswords 0x19191:$a9: StartKeylogger 0x17beb:$a10: KeyLoggerEventArgs 0x17bba:$a11: KeyLoggerEventArgsEventHandler 0x1a7e3:$a13: _encryptedPassword
2.2.RegSvcs.exe.3fde590.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f05b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e559:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e867:$a4: \Orbitum\User Data\Default\Login Data 0x1f65f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.3fb5570.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.3fb5570.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3fb5570.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3fb5570.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3fb5570.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b814:$a1: get_encryptedPassword 0x1b7e8:$a2: get_encryptedUsername 0x1b8ac:$a3: get_timePasswordChanged 0x1b7c4:$a4: get_passwordField 0x1b82a:$a5: set_encryptedPassword 0x1b5f7:$a7: get_logins 0x1ab65:$a8: GetOutlookPasswords 0x1a079:$a9: StartKeylogger 0x18ad3:$a10: KeyLoggerEventArgs 0x18aa2:$a11: KeyLoggerEventArgsEventHandler 0x1b6cb:$a13: _encryptedPassword
2.2.RegSvcs.exe.3fb5570.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ff43:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f441:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f74f:$a4: \Orbitum\User Data\Default\Login Data 0x20547:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 8E 88 44 24 2B 88 44 24 2F B0 F0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.3fb6458.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.3fb6458.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3fb6458.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3fb6458.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3fb6458.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c72c:$a1: get_encryptedPassword 0x44864:$a1: get_encryptedPassword 0x1c700:$a2: get_encryptedUsername 0x44838:$a2: get_encryptedUsername 0x1c7c4:$a3: get_timePasswordChanged 0x448fc:$a3: get_timePasswordChanged 0x1c6dc:$a4: get_passwordField 0x44814:$a4: get_passwordField 0x1c742:$a5: set_encryptedPassword 0x4487a:$a5: set_encryptedPassword 0x1c50f:$a7: get_logins 0x44647:$a7: get_logins 0x1ba7d:$a8: GetOutlookPasswords 0x43bb5:$a8: GetOutlookPasswords 0x1af91:$a9: StartKeylogger 0x430c9:$a9: StartKeylogger 0x199eb:$a10: KeyLoggerEventArgs 0x41b23:$a10: KeyLoggerEventArgs 0x199ba:$a11: KeyLoggerEventArgsEventHandler 0x41af2:$a11: KeyLoggerEventArgsEventHandler 0x1c5e3:$a13: _encryptedPassword
2.2.RegSvcs.exe.3fb6458.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20e5b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48f93:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20359:$a3: \Google\Chrome\User Data\Default\Login Data 0x48491:$a3: \Google\Chrome\User Data\Default\Login Data 0x20667:$a4: \Orbitum\User Data\Default\Login Data 0x4879f:$a4: \Orbitum\User Data\Default\Login Data 0x2145f:$a5: \Kometa\User Data\Default\Login Data 0x49597:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2d30bce.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2d30bce.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2d30bce.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2d30bce.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2d30bce.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b814:$a1: get_encryptedPassword 0x1b7e8:$a2: get_encryptedUsername 0x1b8ac:$a3: get_timePasswordChanged 0x1b7c4:$a4: get_passwordField 0x1b82a:$a5: set_encryptedPassword 0x1b5f7:$a7: get_logins 0x1ab65:$a8: GetOutlookPasswords 0x1a079:$a9: StartKeylogger 0x18ad3:$a10: KeyLoggerEventArgs 0x18aa2:$a11: KeyLoggerEventArgsEventHandler 0x1b6cb:$a13: _encryptedPassword
2.2.RegSvcs.exe.2d30bce.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ff43:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f441:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f74f:$a4: \Orbitum\User Data\Default\Login Data 0x20547:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2ee0ee8.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2ee0ee8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2ee0ee8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2ee0ee8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2ee0ee8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a92c:$a1: get_encryptedPassword 0x1a900:$a2: get_encryptedUsername 0x1a9c4:$a3: get_timePasswordChanged 0x1a8dc:$a4: get_passwordField 0x1a942:$a5: set_encryptedPassword 0x1a70f:$a7: get_logins 0x19c7d:$a8: GetOutlookPasswords 0x19191:$a9: StartKeylogger 0x17beb:$a10: KeyLoggerEventArgs 0x17bba:$a11: KeyLoggerEventArgsEventHandler 0x1a7e3:$a13: _encryptedPassword
2.2.RegSvcs.exe.2ee0ee8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f05b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e559:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e867:$a4: \Orbitum\User Data\Default\Login Data 0x1f65f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c72c:$a1: get_encryptedPassword 0x1c700:$a2: get_encryptedUsername 0x1c7c4:$a3: get_timePasswordChanged 0x1c6dc:$a4: get_passwordField 0x1c742:$a5: set_encryptedPassword 0x1c50f:$a7: get_logins 0x1ba7d:$a8: GetOutlookPasswords 0x1af91:$a9: StartKeylogger 0x199eb:$a10: KeyLoggerEventArgs 0x199ba:$a11: KeyLoggerEventArgsEventHandler 0x1c5e3:$a13: _encryptedPassword
2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20e5b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20359:$a3: \Google\Chrome\User Data\Default\Login Data 0x20667:$a4: \Orbitum\User Data\Default\Login Data 0x2145f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.3fb5570.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.3fb5570.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3fb5570.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3fb5570.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3fb5570.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d614:$a1: get_encryptedPassword 0x4574c:$a1: get_encryptedPassword 0x1d5e8:$a2: get_encryptedUsername 0x45720:$a2: get_encryptedUsername 0x1d6ac:$a3: get_timePasswordChanged 0x457e4:$a3: get_timePasswordChanged 0x1d5c4:$a4: get_passwordField 0x456fc:$a4: get_passwordField 0x1d62a:$a5: set_encryptedPassword 0x45762:$a5: set_encryptedPassword 0x1d3f7:$a7: get_logins 0x4552f:$a7: get_logins 0x1c965:$a8: GetOutlookPasswords 0x44a9d:$a8: GetOutlookPasswords 0x1be79:$a9: StartKeylogger 0x43fb1:$a9: StartKeylogger 0x1a8d3:$a10: KeyLoggerEventArgs 0x42a0b:$a10: KeyLoggerEventArgs 0x1a8a2:$a11: KeyLoggerEventArgsEventHandler 0x429da:$a11: KeyLoggerEventArgsEventHandler 0x1d4cb:$a13: _encryptedPassword
2.2.RegSvcs.exe.3fb5570.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21d43:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49e7b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21241:$a3: \Google\Chrome\User Data\Default\Login Data 0x49379:$a3: \Google\Chrome\User Data\Default\Login Data 0x2154f:$a4: \Orbitum\User Data\Default\Login Data 0x49687:$a4: \Orbitum\User Data\Default\Login Data 0x22347:$a5: \Kometa\User Data\Default\Login Data 0x4a47f:$a5: \Kometa\User Data\Default\Login Data
Click to see the 94 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 5.144.131.244, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7652, Protocol: tcp, SourceIp: 192.168.2.11, SourceIsIpv6: false, SourcePort: 49755

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T10:16:14.403798+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49708	132.226.247.73	80	TCP
2025-01-13T10:16:20.653932+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49708	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: QUOTATION#090125-ELITEMARINE.exe

Avira: detected

Found malware configuration

Source: 2.2.RegSvcs.exe.2d31ab6.2.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "info@kianaenergy.com", "Password": "@kiana@energy", "Server": "mail.kianaenergy.com", "To": "chuckc.wmtubewire@outlook.com", "Port": 587}

Multi AV Scanner detection for submitted file

Source: QUOTATION#090125-ELITEMARINE.exe	Virustotal: Detection: 41%			Perma Link
Source: QUOTATION#090125-ELITEMARINE.exe	ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: QUOTATION#090125-ELITEMARINE.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: QUOTATION#090125-ELITEMARINE.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:49714 version: TLS 1.0

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: QUOTATION#090125-ELITEMARINE.exe, 00000000.00000003.1325073855.0000000003790000.00000004.00001000.00020000.00000000.sdmp, QUOTATION#090125-ELITEMARINE.exe, 00000000.00000003.1323666809.00000000035F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: QUOTATION#090125-ELITEMARINE.exe, 00000000.00000003.1325073855.0000000003790000.00000004.00001000.00020000.00000000.sdmp, QUOTATION#090125-ELITEMARINE.exe, 00000000.00000003.1323666809.00000000035F0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0084C2A2 FindFirstFileExW,	0_2_0084C2A2
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_008868EE FindFirstFileW,FindClose,	0_2_008868EE
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0088698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0088698F
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0087D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0087D076
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0087D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0087D3A9
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00889642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00889642
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0088979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0088979D
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0087DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0087DBBE
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00889B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00889B2B
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00885C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00885C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_010ADE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 054749D7h	2_2_054745B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05474281h	2_2_05473FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0547F9C9h	2_2_0547F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0547F119h	2_2_0547EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 054749D7h	2_2_05474904
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0547FE21h	2_2_0547FB78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0547ECC1h	2_2_0547EA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0547F571h	2_2_0547F2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B99060h	2_2_05B98DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9C028h	2_2_05B9BD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9C482h	2_2_05B9C1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9E878h	2_2_05B9E5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9BBD0h	2_2_05B9B928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9DFC8h	2_2_05B9DD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9E420h	2_2_05B9E178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9B778h	2_2_05B9B4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9DB70h	2_2_05B9D8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9AEC8h	2_2_05B9AC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9D2C0h	2_2_05B9D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9B320h	2_2_05B9B078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9D718h	2_2_05B9D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9037Dh	2_2_05B90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B92A40h	2_2_05B92798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B92E98h	2_2_05B92BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B98C08h	2_2_05B987E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9AA70h	2_2_05B9A7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9CE68h	2_2_05B9CBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9A1C0h	2_2_05B99F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9A618h	2_2_05B9A370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9CA10h	2_2_05B9C768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B925E8h	2_2_05B92340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B91D38h	2_2_05B91A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9F128h	2_2_05B9EE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B92190h	2_2_05B91EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B99D68h	2_2_05B99AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B918E0h	2_2_05B91638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B9ECD0h	2_2_05B9EA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B90EC2h	2_2_05B90E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B994B8h	2_2_05B99210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B90EC2h	2_2_05B90E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05B99910h	2_2_05B99668

Source: global traffic

TCP traffic: 192.168.2.11:49755 -> 5.144.131.244:587

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

ASN Name: HOSTIRAN-NETWORKIR HOSTIRAN-NETWORKIR

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49708 -> 132.226.247.73:80

Source: global traffic

TCP traffic: 192.168.2.11:49755 -> 5.144.131.244:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:49714 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_0088CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0088CE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: mail.kianaenergy.com

Source: RegSvcs.exe, 00000002.00000002.2580832290.000000000309C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.2580832290.0000000003090000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.2580832290.0000000003019000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://kianaenergy.com
Source: RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.kianaenergy.com
Source: RegSvcs.exe, 00000002.00000002.2584653190.0000000005772000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0-
Source: RegSvcs.exe, 00000002.00000002.2584653190.0000000005772000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000002.00000002.2580832290.00000000030B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.2580832290.0000000003019000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.2584653190.0000000005772000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.2584653190.0000000005772000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.2580832290.000000000309C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.2580832290.000000000309C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_0088EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0088EAFF

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_0088ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0088ED6A

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

0_2_0088EAFF

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_0087AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0087AA57

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_008A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_008A9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.5430000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5430000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2d30bce.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2d30bce.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.QUOTATION#090125-ELITEMARINE.exe.3440000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.3fb6458.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3fb6458.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.3fde590.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3fde590.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2d31ab6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2d31ab6.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2d31ab6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2d31ab6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.5430000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.5430000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.3fde590.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3fde590.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.3fb5570.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3fb5570.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.3fb6458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3fb6458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2d30bce.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2d30bce.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.3fb5570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3fb5570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1339078423.0000000003440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2579836602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 7652, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: QUOTATION#090125-ELITEMARINE.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: QUOTATION#090125-ELITEMARINE.exe, 00000000.00000000.1312767871.00000000008D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3de037a4-0
Source: QUOTATION#090125-ELITEMARINE.exe, 00000000.00000000.1312767871.00000000008D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_25c0d22f-b
Source: QUOTATION#090125-ELITEMARINE.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c78067dd-b
Source: QUOTATION#090125-ELITEMARINE.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5cf096ba-0

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION#090125-ELITEMARINE.exe

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_0087D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0087D5EB

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_00871201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00871201

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_0087E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0087E8F6

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00882046	0_2_00882046
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00818060	0_2_00818060
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00878298	0_2_00878298
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0084E4FF	0_2_0084E4FF
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0084676B	0_2_0084676B
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_008A4873	0_2_008A4873
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0083CAA0	0_2_0083CAA0
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0081CAF0	0_2_0081CAF0
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0082CC39	0_2_0082CC39
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00846DD9	0_2_00846DD9
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_008191C0	0_2_008191C0
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0082B119	0_2_0082B119
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00831394	0_2_00831394
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00831706	0_2_00831706
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0083781B	0_2_0083781B
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_008319B0	0_2_008319B0
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00817920	0_2_00817920
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0082997D	0_2_0082997D
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00837A4A	0_2_00837A4A
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00837CA7	0_2_00837CA7
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00831C77	0_2_00831C77
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00849EEE	0_2_00849EEE
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0089BE44	0_2_0089BE44
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00831F32	0_2_00831F32
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00E02350	0_2_00E02350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010A116D	2_2_010A116D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010A11A8	2_2_010A11A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010A1437	2_2_010A1437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010A1448	2_2_010A1448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05476CB0	2_2_05476CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05473FD0	2_2_05473FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0547AFB0	2_2_0547AFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0547B8A0	2_2_0547B8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05477D7C	2_2_05477D7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05476CA1	2_2_05476CA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0547F70F	2_2_0547F70F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0547F720	2_2_0547F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05473FC0	2_2_05473FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0547EE61	2_2_0547EE61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0547EE70	2_2_0547EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0547B1D0	2_2_0547B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0547A828	2_2_0547A828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0547FB68	2_2_0547FB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0547FB78	2_2_0547FB78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0547EA08	2_2_0547EA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0547EA18	2_2_0547EA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0547F2C8	2_2_0547F2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0547F2BA	2_2_0547F2BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B962C8	2_2_05B962C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B98DB8	2_2_05B98DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B98DA8	2_2_05B98DA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9BD80	2_2_05B9BD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9C1D8	2_2_05B9C1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9E5D0	2_2_05B9E5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9C1C8	2_2_05B9C1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9E5C1	2_2_05B9E5C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9B928	2_2_05B9B928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9DD20	2_2_05B9DD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9B918	2_2_05B9B918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9DD11	2_2_05B9DD11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9E178	2_2_05B9E178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9BD70	2_2_05B9BD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B95568	2_2_05B95568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9E168	2_2_05B9E168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9D8BA	2_2_05B9D8BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9B4D0	2_2_05B9B4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9D8C8	2_2_05B9D8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9B4C1	2_2_05B9B4C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9AC20	2_2_05B9AC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9D018	2_2_05B9D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9AC10	2_2_05B9AC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9D009	2_2_05B9D009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B90006	2_2_05B90006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9B078	2_2_05B9B078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9D470	2_2_05B9D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9B068	2_2_05B9B068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9D461	2_2_05B9D461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B93048	2_2_05B93048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B90040	2_2_05B90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9A7B9	2_2_05B9A7B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9CBB0	2_2_05B9CBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B92798	2_2_05B92798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B92788	2_2_05B92788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B92BF0	2_2_05B92BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B987E8	2_2_05B987E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B92BE0	2_2_05B92BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9A7C8	2_2_05B9A7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9CBC0	2_2_05B9CBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B92331	2_2_05B92331
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B99F18	2_2_05B99F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B99F09	2_2_05B99F09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9A370	2_2_05B9A370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9C768	2_2_05B9C768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9A360	2_2_05B9A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9C757	2_2_05B9C757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B92340	2_2_05B92340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B99AB0	2_2_05B99AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B906A0	2_2_05B906A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B90691	2_2_05B90691
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B91A90	2_2_05B91A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9EE80	2_2_05B9EE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B91A80	2_2_05B91A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B91EE8	2_2_05B91EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B91ED8	2_2_05B91ED8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B99AC0	2_2_05B99AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B91638	2_2_05B91638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9EA28	2_2_05B9EA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B91627	2_2_05B91627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9EA18	2_2_05B9EA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B99210	2_2_05B99210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B99200	2_2_05B99200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9EE70	2_2_05B9EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B99668	2_2_05B99668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05B9965A	2_2_05B9965A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: String function: 00830A30 appears 46 times
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: String function: 00819CB3 appears 31 times
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: String function: 0082F9F2 appears 40 times

Source: QUOTATION#090125-ELITEMARINE.exe, 00000000.00000002.1339078423.0000000003440000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs QUOTATION#090125-ELITEMARINE.exe
Source: QUOTATION#090125-ELITEMARINE.exe, 00000000.00000003.1325073855.00000000038BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION#090125-ELITEMARINE.exe
Source: QUOTATION#090125-ELITEMARINE.exe, 00000000.00000003.1323666809.0000000003713000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION#090125-ELITEMARINE.exe

Source: QUOTATION#090125-ELITEMARINE.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.5430000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5430000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2d30bce.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2d30bce.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.QUOTATION#090125-ELITEMARINE.exe.3440000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.3fb6458.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3fb6458.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.3fde590.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3fde590.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2d31ab6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2d31ab6.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2d31ab6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2d31ab6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.5430000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.5430000.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.3fde590.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3fde590.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.3fb5570.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3fb5570.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.3fb6458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3fb6458.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2d30bce.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2d30bce.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.3fb5570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3fb5570.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1339078423.0000000003440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2579836602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegSvcs.exe PID: 7652, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_008837B5 GetLastError,FormatMessageW,

0_2_008837B5

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_008710BF AdjustTokenPrivileges,CloseHandle,		0_2_008710BF
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_008716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008716C3

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_008851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008851CD

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_0089A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0089A67C

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_0088648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0088648E

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_008142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008142A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

File created: C:\Users\user\AppData\Local\Temp\intemeration

Jump to behavior

Source: QUOTATION#090125-ELITEMARINE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2580832290.000000000312E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.000000000310B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.0000000003119000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2581989059.000000000402E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.00000000030FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.000000000313A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: QUOTATION#090125-ELITEMARINE.exe	Virustotal: Detection: 41%
Source: QUOTATION#090125-ELITEMARINE.exe	ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe "C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe"
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe"
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION#090125-ELITEMARINE.exe

Static file information: File size 1577472 > 1048576

Source: QUOTATION#090125-ELITEMARINE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: QUOTATION#090125-ELITEMARINE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: QUOTATION#090125-ELITEMARINE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: QUOTATION#090125-ELITEMARINE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: QUOTATION#090125-ELITEMARINE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: QUOTATION#090125-ELITEMARINE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: QUOTATION#090125-ELITEMARINE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: QUOTATION#090125-ELITEMARINE.exe, 00000000.00000003.1325073855.0000000003790000.00000004.00001000.00020000.00000000.sdmp, QUOTATION#090125-ELITEMARINE.exe, 00000000.00000003.1323666809.00000000035F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: QUOTATION#090125-ELITEMARINE.exe, 00000000.00000003.1325073855.0000000003790000.00000004.00001000.00020000.00000000.sdmp, QUOTATION#090125-ELITEMARINE.exe, 00000000.00000003.1323666809.00000000035F0000.00000004.00001000.00020000.00000000.sdmp

Source: QUOTATION#090125-ELITEMARINE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: QUOTATION#090125-ELITEMARINE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: QUOTATION#090125-ELITEMARINE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: QUOTATION#090125-ELITEMARINE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: QUOTATION#090125-ELITEMARINE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00830A76 push ecx; ret	0_2_00830A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010A5296 push esi; ret	2_2_010A5299
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05473EF8 pushfd ; ret	2_2_05473EF9

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0082F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0082F98E
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_008A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_008A1C41

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegSvcs.exe PID: 7652, type: MEMORYSTR

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97473

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

API/Special instruction interceptor: Address: E01F74

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: QUOTATION#090125-ELITEMARINE.exe, 00000000.00000003.1314828791.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, QUOTATION#090125-ELITEMARINE.exe, 00000000.00000002.1334612131.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCMON.EXE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1882			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7965			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

API coverage: 3.3 %

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0084C2A2 FindFirstFileExW,	0_2_0084C2A2
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_008868EE FindFirstFileW,FindClose,	0_2_008868EE
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0088698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0088698F
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0087D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0087D076
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0087D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0087D3A9
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00889642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00889642
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0088979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0088979D
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0087DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0087DBBE
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00889B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00889B2B
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00885C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00885C97

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99198	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98896	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98776	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96795	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96567	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96298	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95934	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95592	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94280	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2580355309.0000000001131000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_0547AFB0 LdrInitializeThunk,

2_2_0547AFB0

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_0088EAA2 BlockInput,

0_2_0088EAA2

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_00842622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00842622

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

2_2_004019F0

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00834CE8 mov eax, dword ptr fs:[00000030h]	0_2_00834CE8
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00E021E0 mov eax, dword ptr fs:[00000030h]	0_2_00E021E0
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00E02240 mov eax, dword ptr fs:[00000030h]	0_2_00E02240
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00E00B70 mov eax, dword ptr fs:[00000030h]	0_2_00E00B70

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_00870B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00870B62

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00842622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00842622
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_0083083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0083083F
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_008309D5 SetUnhandledExceptionFilter,	0_2_008309D5
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00830C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00830C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CA7008

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

0_2_00871201

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_00852BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00852BA5

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_0087B226 SendInput,keybd_event,

0_2_0087B226

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_008922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008922DA

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe"

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

0_2_00870B62

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_00871663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00871663

Source: QUOTATION#090125-ELITEMARINE.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: QUOTATION#090125-ELITEMARINE.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_00830698 cpuid

0_2_00830698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_00888195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00888195

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_0086D27A GetUserNameW,

0_2_0086D27A

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_0084B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0084B952

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Binary or memory string: procmon.exe

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.5430000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d30bce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fde590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d31ab6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d31ab6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5430000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fde590.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d30bce.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7652, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.5430000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d30bce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fde590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d31ab6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d31ab6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5430000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fde590.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d30bce.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.5430000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d30bce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fde590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d31ab6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d31ab6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5430000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fde590.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d30bce.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7652, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: QUOTATION#090125-ELITEMARINE.exe	Binary or memory string: WIN_81
Source: QUOTATION#090125-ELITEMARINE.exe	Binary or memory string: WIN_XP
Source: QUOTATION#090125-ELITEMARINE.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: QUOTATION#090125-ELITEMARINE.exe	Binary or memory string: WIN_XPe
Source: QUOTATION#090125-ELITEMARINE.exe	Binary or memory string: WIN_VISTA
Source: QUOTATION#090125-ELITEMARINE.exe	Binary or memory string: WIN_7
Source: QUOTATION#090125-ELITEMARINE.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 2.2.RegSvcs.exe.5430000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d30bce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fde590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d31ab6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d31ab6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5430000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fde590.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d30bce.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7652, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.5430000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d30bce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fde590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d31ab6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d31ab6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5430000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fde590.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d30bce.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7652, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.5430000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d30bce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fde590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d31ab6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d31ab6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5430000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fde590.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d30bce.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.5430000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d30bce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fde590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d31ab6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d31ab6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5430000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fde590.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb5570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d30bce.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3fb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7652, type: MEMORYSTR

Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00891204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00891204
Source: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe	Code function: 0_2_00891806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00891806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	341 Security Software Discovery	SSH	3 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Virtualization/Sandbox Evasion	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION#090125-ELITEMARINE.exe	42%	Virustotal		Browse
QUOTATION#090125-ELITEMARINE.exe	71%	ReversingLabs	Win32.Worm.DorkBot
QUOTATION#090125-ELITEMARINE.exe	100%	Avira	DR/AutoIt.Gen8
QUOTATION#090125-ELITEMARINE.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://mail.kianaenergy.com	0%	Avira URL Cloud	safe
http://kianaenergy.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
kianaenergy.com	5.144.131.244	true	true	unknown
reallyfreegeoip.org	104.21.80.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
mail.kianaenergy.com	unknown	unknown	true	unknown
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000002.00000002.2580832290.000000000309C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://kianaenergy.com	RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r10.i.lencr.org/0-	RegSvcs.exe, 00000002.00000002.2584653190.0000000005772000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	RegSvcs.exe, 00000002.00000002.2584653190.0000000005772000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	RegSvcs.exe, 00000002.00000002.2584653190.0000000005772000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	RegSvcs.exe, 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2580832290.00000000030B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2580832290.000000000309C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r10.o.lencr.org0#	RegSvcs.exe, 00000002.00000002.2584653190.0000000005772000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.2580832290.0000000003090000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.2580832290.000000000309C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.kianaenergy.com	RegSvcs.exe, 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2580832290.0000000003019000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	RegSvcs.exe, 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580832290.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.144.131.244	kianaenergy.com	Iran (ISLAMIC Republic Of)	59441	HOSTIRAN-NETWORKIR	true
104.21.80.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589910
Start date and time:	2025-01-13 10:15:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION#090125-ELITEMARINE.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 46 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:16:19	API Interceptor	52x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.80.1	QsBdpe1gK5.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.masterqq.pro/vfw3/
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.aziziyeescortg.xyz/2pcx/
	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/0hqe/
	6uHfmjGMfL.exe	Get hash	malicious	Amadey	Browse	clientservices.sgoogleapis.observer/api/index.php
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe
132.226.247.73	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
reallyfreegeoip.org	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTIRAN-NETWORKIR	IDR-500000000.pdf	Get hash	malicious	Unknown	Browse	5.144.130.41
	DHL airwaybill # 6913321715 & BL Draft copy.exe	Get hash	malicious	FormBook	Browse	5.144.130.52
	p4LNUqyKZM.exe	Get hash	malicious	FormBook	Browse	5.144.130.52
	PO_987654345678.exe	Get hash	malicious	FormBook	Browse	5.144.130.52
	DOCUMENTS.vbs	Get hash	malicious	AgentTesla	Browse	5.144.130.41
	INV20240828.exe	Get hash	malicious	FormBook	Browse	5.144.130.52
	Payment-Details.scr.exe	Get hash	malicious	AgentTesla	Browse	5.144.130.41
	rDHL_PT563857935689275783656385FV-GDS3535353.bat	Get hash	malicious	FormBook, GuLoader	Browse	185.83.114.124
	rFV-452747284IN.bat	Get hash	malicious	FormBook, GuLoader	Browse	185.83.114.124
	Shipping Docs.rdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	5.144.130.49
CLOUDFLARENETUS	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	invnoIL438805.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	g6.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg	Get hash	malicious	Unknown	Browse	104.21.96.1
	CSZ inquiry for MH raw material.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	g3.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	1001-13.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	24010-KAPSON.exe	Get hash	malicious	Azorult, GuLoader	Browse	104.21.32.1
UTMEMUS	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	Loader.exe	Get hash	malicious	Unknown	Browse	104.21.80.1
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1

Process:	C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe
File Type:	data
Category:	dropped
Size (bytes):	209408
Entropy (8bit):	7.861273637761882
Encrypted:	false
SSDEEP:	6144:NrlskSeNVA/Gluojto9oFODaHDJ6UEmyOmm:hlskSneluoa9o+ajJtyO9
MD5:	4C2E90B9770661FAF9FF64D0995B0916
SHA1:	2510EB0A498C509CE22D08C9A6B86E2F1C0D915C
SHA-256:	D30666D109D39AE8C02258D0EE5CEB744AED2E7C7B34138B063C1C2EA65D96E7
SHA-512:	6381CE0D16EB1F19AB9105EFB0166CCD908DF4F015CAB1215C4C81D9906CE1F1BA3E453F97EDC709E0542BD47063EBC70186556185BBEA2AB56745677F09CE53
Malicious:	false
Reputation:	low
Preview:	...S5LN7E2RB..MW.U0GNH6H.R3LOPM8S6LN7A2RB42MWQU0GNH6HGR3LOPM.S6L@(.<R.=.l.P..f. _;g"A#(",UsU- Y.Fr Q.?"?uY)n.y.g?\(*~@5Y.LN7A2RB\".z}$.9b9.6k#.2}s2FlG.0<..,iE.3{ .N.?.Hzd<MP>.3.p_2.F.L`aOL`&.+b.- .9.,3LOPM8S6LN7A2RB4.#..U0GN.sHG.2HO$.8.6LN7A2RB.2nVZT9GN.7HG.2LOPM8\|.LN7Q2RB.3MWQ.0G^H6HER3IOPM8S6LK7A2RB42M.RU0CNH.sER1LO.M8C6L^7A2RR42]WQU0GNX6HGR3LOPM8S.YL7.2RB4ROW.D1GNH6HGR3LOPM8S6LN7A2RB42M..T0[NH6HGR3LOPM8S6LN7A2RB42MWQU.JLHvHGR3LOPM8S6L.6A.SB42MWQU0GNH6HGR3LOPM8S6LN7oF7:@2MWI.1GNX6HG.2LOTM8S6LN7A2RB42MwQUPi<,W<&R3."PM8.7LNYA2R.52MWQU0GNH6HGRsLO.c\2B-N7A.bB42mUQU&GNH<JGR3LOPM8S6LN7.2R..@>%2U0G.Y7HG21LOBL8S.NN7A2RB42MWQU0.NHvHGR3LOPM8S6LN7A2RB42MWQU0GNH6HGR3LOPM8S6LN7A2RB42MWQU0GNH6HGR3LOPM8S6LN7A2RB42MWQU0GNH6HGR3LOPM8S6LN7A2RB42MWQU0GNH6HGR3LOPM8S6LN7A2RB42MWQU0GNH6HGR3LOPM8S6LN7A2RB42MWQU0GNH6HGR3LOPM8S6LN7A2RB42MWQU0GNH6HGR3LOPM8S6LN7A2RB42MWQU0GNH6HGR3LOPM8S6LN7A2RB42MWQU0GNH6HGR3LOPM8S6LN7A2RB42MWQU0GNH6HGR3LOPM8S6LN7A2RB42MWQU0GNH6HGR3LOPM8S6LN7A2RB42MWQU0GNH6HGR3LOPM8S6LN7A2RB42

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.3268163822375305
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	QUOTATION#090125-ELITEMARINE.exe
File size:	1'577'472 bytes
MD5:	906f9e9c186a8d6fffaefe87e3c7d5b8
SHA1:	819df47445095666a46b56045414238ffa334c23
SHA256:	dc1e9dc86c50317fac50c8a486c87d1344afda4c79ae4e2567db7916b31d6c52
SHA512:	82000769232be8edb2da8f7aa74f32f75592f390485a4f6e6adf0f3fa8061a7917398c544f4b78a4e378bd7c101874e1b07bd5f3e411c06904d635188ddfb4ed
SSDEEP:	49152:oTvC/MTQYxsWR7aWH3N50VVc+O9B9+p8:gjTQYxsWRPdKc+A++
TLSH:	6F75E1023791C062FF9B95330BA6F31197BC6D260527A51F13982DB9BE705B11A3E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	333333ab693b9b98

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67805A64 [Thu Jan 9 23:23:16 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F5E98B48B93h
jmp 00007F5E98B4849Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5E98B4867Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5E98B4864Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F5E98B4B23Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F5E98B4B288h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F5E98B4B271h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xaa654	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17f000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xaa654	0xaa800	e64860ce65aa5289d548f009dd026463	False	0.9103323749083577	data	7.860159876839495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x17f000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4548	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4670	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4798	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd48c0	0x10d8b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.9989130907351854
RT_ICON	0xe564c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	Great Britain	0.42335561339169525
RT_ICON	0xf5e74	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	Great Britain	0.5058455361360416
RT_ICON	0xfa09c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	Great Britain	0.5346473029045643
RT_ICON	0xfc644	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	Great Britain	0.6055347091932458
RT_ICON	0xfd6ec	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	Great Britain	0.7225177304964538
RT_MENU	0xfdb54	0x50	data	English	Great Britain	0.9
RT_STRING	0xfdba4	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xfe138	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xfe7c4	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xfec54	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xff250	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xff8ac	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xffd14	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xffe6c	0x7e284	data			1.000321244726555
RT_GROUP_ICON	0x17e0f0	0x5a	Targa image data - Map 32 x 3467 x 1 +1	English	Great Britain	0.7888888888888889
RT_GROUP_ICON	0x17e14c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x17e160	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x17e174	0x14	data	English	Great Britain	1.25
RT_VERSION	0x17e188	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x17e264	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T10:16:14.403798+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49708	132.226.247.73	80	TCP
2025-01-13T10:16:20.653932+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49708	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 10:16:13.453305960 CET	49708	80	192.168.2.11	132.226.247.73
Jan 13, 2025 10:16:13.458184958 CET	80	49708	132.226.247.73	192.168.2.11
Jan 13, 2025 10:16:13.458256006 CET	49708	80	192.168.2.11	132.226.247.73
Jan 13, 2025 10:16:13.458507061 CET	49708	80	192.168.2.11	132.226.247.73
Jan 13, 2025 10:16:13.463372946 CET	80	49708	132.226.247.73	192.168.2.11
Jan 13, 2025 10:16:14.139590979 CET	80	49708	132.226.247.73	192.168.2.11
Jan 13, 2025 10:16:14.147010088 CET	49708	80	192.168.2.11	132.226.247.73
Jan 13, 2025 10:16:14.151809931 CET	80	49708	132.226.247.73	192.168.2.11
Jan 13, 2025 10:16:14.357867002 CET	80	49708	132.226.247.73	192.168.2.11
Jan 13, 2025 10:16:14.367578030 CET	49714	443	192.168.2.11	104.21.80.1
Jan 13, 2025 10:16:14.367604971 CET	443	49714	104.21.80.1	192.168.2.11
Jan 13, 2025 10:16:14.367696047 CET	49714	443	192.168.2.11	104.21.80.1
Jan 13, 2025 10:16:14.403798103 CET	49708	80	192.168.2.11	132.226.247.73
Jan 13, 2025 10:16:14.414191961 CET	49714	443	192.168.2.11	104.21.80.1
Jan 13, 2025 10:16:14.414208889 CET	443	49714	104.21.80.1	192.168.2.11
Jan 13, 2025 10:16:14.900353909 CET	443	49714	104.21.80.1	192.168.2.11
Jan 13, 2025 10:16:14.900525093 CET	49714	443	192.168.2.11	104.21.80.1
Jan 13, 2025 10:16:14.920197010 CET	49714	443	192.168.2.11	104.21.80.1
Jan 13, 2025 10:16:14.920216084 CET	443	49714	104.21.80.1	192.168.2.11
Jan 13, 2025 10:16:14.920595884 CET	443	49714	104.21.80.1	192.168.2.11
Jan 13, 2025 10:16:14.966295958 CET	49714	443	192.168.2.11	104.21.80.1
Jan 13, 2025 10:16:15.019618034 CET	49714	443	192.168.2.11	104.21.80.1
Jan 13, 2025 10:16:15.063338041 CET	443	49714	104.21.80.1	192.168.2.11
Jan 13, 2025 10:16:15.130562067 CET	443	49714	104.21.80.1	192.168.2.11
Jan 13, 2025 10:16:15.130631924 CET	443	49714	104.21.80.1	192.168.2.11
Jan 13, 2025 10:16:15.130677938 CET	49714	443	192.168.2.11	104.21.80.1
Jan 13, 2025 10:16:15.156369925 CET	49714	443	192.168.2.11	104.21.80.1
Jan 13, 2025 10:16:20.401273012 CET	49708	80	192.168.2.11	132.226.247.73
Jan 13, 2025 10:16:20.406083107 CET	80	49708	132.226.247.73	192.168.2.11
Jan 13, 2025 10:16:20.611578941 CET	80	49708	132.226.247.73	192.168.2.11
Jan 13, 2025 10:16:20.653932095 CET	49708	80	192.168.2.11	132.226.247.73
Jan 13, 2025 10:16:20.878169060 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:20.883021116 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:20.883903980 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:22.170334101 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:22.170558929 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:22.175437927 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:22.434111118 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:22.434370041 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:22.439290047 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:22.699342012 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:22.701401949 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:22.706163883 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:22.985271931 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:22.985310078 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:22.985332966 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:22.985454082 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:23.062712908 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:23.067656994 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:23.326919079 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:23.339975119 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:23.344901085 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:23.603121996 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:23.625205040 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:23.630153894 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:23.888322115 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:23.893539906 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:23.898453951 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.186707020 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.186981916 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:25.192589045 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.450824022 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.451270103 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:25.457494974 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.719532013 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.719759941 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:25.725625992 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.982306004 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.990300894 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:25.990428925 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:25.990474939 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:25.990516901 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:25.990601063 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:25.990633965 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:25.990649939 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:25.990674973 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:16:25.995366096 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.995382071 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.995390892 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.995403051 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.995428085 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.995436907 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.995532990 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.995542049 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.995552063 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:25.995560884 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:26.437422037 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:16:26.481941938 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:17:10.623142004 CET	49708	80	192.168.2.11	132.226.247.73
Jan 13, 2025 10:17:10.628390074 CET	80	49708	132.226.247.73	192.168.2.11
Jan 13, 2025 10:17:10.628504992 CET	49708	80	192.168.2.11	132.226.247.73
Jan 13, 2025 10:18:00.639163971 CET	49755	587	192.168.2.11	5.144.131.244
Jan 13, 2025 10:18:00.644344091 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:18:00.904772043 CET	587	49755	5.144.131.244	192.168.2.11
Jan 13, 2025 10:18:00.906138897 CET	49755	587	192.168.2.11	5.144.131.244

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 10:16:13.440279007 CET	58422	53	192.168.2.11	1.1.1.1
Jan 13, 2025 10:16:13.447438955 CET	53	58422	1.1.1.1	192.168.2.11
Jan 13, 2025 10:16:14.359457970 CET	64149	53	192.168.2.11	1.1.1.1
Jan 13, 2025 10:16:14.366719961 CET	53	64149	1.1.1.1	192.168.2.11
Jan 13, 2025 10:16:20.619976044 CET	65165	53	192.168.2.11	1.1.1.1
Jan 13, 2025 10:16:20.876511097 CET	53	65165	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 10:16:13.440279007 CET	192.168.2.11	1.1.1.1	0x358c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:16:14.359457970 CET	192.168.2.11	1.1.1.1	0xc8d6	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:16:20.619976044 CET	192.168.2.11	1.1.1.1	0x8398	Standard query (0)	mail.kianaenergy.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 10:16:13.447438955 CET	1.1.1.1	192.168.2.11	0x358c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 10:16:13.447438955 CET	1.1.1.1	192.168.2.11	0x358c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:16:13.447438955 CET	1.1.1.1	192.168.2.11	0x358c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:16:13.447438955 CET	1.1.1.1	192.168.2.11	0x358c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:16:13.447438955 CET	1.1.1.1	192.168.2.11	0x358c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:16:13.447438955 CET	1.1.1.1	192.168.2.11	0x358c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:16:14.366719961 CET	1.1.1.1	192.168.2.11	0xc8d6	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:16:14.366719961 CET	1.1.1.1	192.168.2.11	0xc8d6	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:16:14.366719961 CET	1.1.1.1	192.168.2.11	0xc8d6	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:16:14.366719961 CET	1.1.1.1	192.168.2.11	0xc8d6	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:16:14.366719961 CET	1.1.1.1	192.168.2.11	0xc8d6	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:16:14.366719961 CET	1.1.1.1	192.168.2.11	0xc8d6	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:16:14.366719961 CET	1.1.1.1	192.168.2.11	0xc8d6	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:16:20.876511097 CET	1.1.1.1	192.168.2.11	0x8398	No error (0)	mail.kianaenergy.com	kianaenergy.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 10:16:20.876511097 CET	1.1.1.1	192.168.2.11	0x8398	No error (0)	kianaenergy.com		5.144.131.244	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49708	132.226.247.73	80	7652	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:16:13.458507061 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 10:16:14.139590979 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:16:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 10:16:14.147010088 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 10:16:14.357867002 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:16:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 10:16:20.401273012 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 10:16:20.611578941 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:16:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49714	104.21.80.1	443	7652	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:16:15 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 09:16:15 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:16:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074564 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rZSO2M2DLuT1RYGbO8Y64h52qqdO7YOuyEZ7XyOjwMnSuVjYM%2FF0j5FE7R8GYtXMMcCiKhP%2FdWTwpKi8fcL9bdTOtLpbFMg0fSvKzagleDAmb0%2BRpjpITgjWcMZeGE70zs9Vm%2BzC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901449522ad80f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1444&min_rtt=1436&rtt_var=556&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1937624&cwnd=231&unsent_bytes=0&cid=5b13ed528d5c2539&ts=249&x=0"
2025-01-13 09:16:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 13, 2025 10:16:22.170334101 CET	587	49755	5.144.131.244	192.168.2.11	220-linux33.centraldnserver.com ESMTP Exim 4.96.2 #2 Mon, 13 Jan 2025 12:46:22 +0330 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 13, 2025 10:16:22.170558929 CET	49755	587	192.168.2.11	5.144.131.244	EHLO 172892
Jan 13, 2025 10:16:22.434111118 CET	587	49755	5.144.131.244	192.168.2.11	250-linux33.centraldnserver.com Hello 172892 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 13, 2025 10:16:22.434370041 CET	49755	587	192.168.2.11	5.144.131.244	STARTTLS
Jan 13, 2025 10:16:22.699342012 CET	587	49755	5.144.131.244	192.168.2.11	220 TLS go ahead

Target ID:	0
Start time:	04:16:09
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe"
Imagebase:	0x810000
File size:	1'577'472 bytes
MD5 hash:	906F9E9C186A8D6FFFAEFE87E3C7D5B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1339078423.0000000003440000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:16:10
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe"
Imagebase:	0xa50000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2584228187.0000000005430000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.2579836602.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2581989059.0000000003FB1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2580653616.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2580832290.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2580717648.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	2.3%
Signature Coverage:	3%
Total number of Nodes:	1673
Total number of Limit Nodes:	48

Executed Functions

Function 008142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0081430D

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

GetCurrentProcess.KERNEL32(?,008ACB64,00000000,?,?), ref: 00814422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00814429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00814454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00814466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00814474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0081447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008144A0

Strings

kernel32.dll, xrefs: 0081444F
GetNativeSystemInfo, xrefs: 00814460
|O, xrefs: 008536F8

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9faee72a2a55bbe90d7303b3da3e735a3651f48f8e7c83d054a1454f8bb3573a
Instruction ID: 83609f7703a0f45fb60c0adcb8e95cb608e57befc78751362fbb09c8a3d61a69
Opcode Fuzzy Hash: 9faee72a2a55bbe90d7303b3da3e735a3651f48f8e7c83d054a1454f8bb3573a
Instruction Fuzzy Hash: EEA1C37290A2C4EFCF11C7697CC85DA7FE8FB26745B0858A9D481DBB22D6384948CB35

Function 008142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008150AA,?,?,00000000,00000000), ref: 008142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008150AA,?,?,00000000,00000000), ref: 008142C9
LoadResource.KERNEL32(?,00000000,?,?,008150AA,?,?,00000000,00000000,?,?,?,?,?,?,00814F20), ref: 008535BE
SizeofResource.KERNEL32(?,00000000,?,?,008150AA,?,?,00000000,00000000,?,?,?,?,?,?,00814F20), ref: 008535D3
LockResource.KERNEL32(008150AA,?,?,008150AA,?,?,00000000,00000000,?,?,?,?,?,?,00814F20,?), ref: 008535E6

Strings

SCRIPT, xrefs: 008142BF

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4420bf8b017cd4477b433d04a7f6e9f39d6b510a0ed5a9b8fa21bfcde4889206
Instruction ID: 69d716e3ada662d585f3211412857fb945031fe3a45963813708d1a083984510
Opcode Fuzzy Hash: 4420bf8b017cd4477b433d04a7f6e9f39d6b510a0ed5a9b8fa21bfcde4889206
Instruction Fuzzy Hash: FD117C70200701BFE7218B65DC48F677BBEFFC6B51F104169B412D6650DBB2D8408620

Function 00852BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00812B6B

Part of subcall function 00813A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008E1418,?,00812E7F,?,?,?,00000000), ref: 00813A78

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,008D2224), ref: 00852C10
ShellExecuteW.SHELL32(00000000,?,?,008D2224), ref: 00852C17

Strings

runas, xrefs: 00852C0B

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 98f1a919cee97a846f589b9065a53f8640c7be0a9649baa03c6e815f9c2d084e
Instruction ID: 66f61813ab1327c40b520d8b595b8889a53824e410f03777f951900cf97477be
Opcode Fuzzy Hash: 98f1a919cee97a846f589b9065a53f8640c7be0a9649baa03c6e815f9c2d084e
Instruction Fuzzy Hash: 0A11D531108345AACB04FF68E8559EEB7ADFF96310F44042EF192C22A2CF318AC98753

Function 0081D730 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0081D807
timeGetTime.WINMM ref: 0081DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0081DB28
TranslateMessage.USER32(?), ref: 0081DB7B
DispatchMessageW.USER32(?), ref: 0081DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0081DB9F
Sleep.KERNEL32(0000000A), ref: 0081DBB1

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 0073b2a5114e282ff2819043c17c024a95383f71ce2791eca4a4b1e3c1271b79
Instruction ID: d87a02332ad2e66c82f2d7ae1ea759e4c9b6a081758c75e86d1e8f0a20b231cd
Opcode Fuzzy Hash: 0073b2a5114e282ff2819043c17c024a95383f71ce2791eca4a4b1e3c1271b79
Instruction Fuzzy Hash: 66421430608745DFDB29CF28C884BAABBE8FF46314F15456DE456CB291D774E884CB92

Function 00812CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00812D07
RegisterClassExW.USER32(00000030), ref: 00812D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00812D42
InitCommonControlsEx.COMCTL32(?), ref: 00812D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00812D6F
LoadIconW.USER32(000000A9), ref: 00812D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00812D94

Strings

TaskbarCreated, xrefs: 00812D37
AutoIt v3 GUI, xrefs: 00812D23
0, xrefs: 00812CE9
+, xrefs: 00812CF0

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 682686a0f6687b36f11884cf974afd1c46cd5898393dfc308a56ce5c5cbced41
Instruction ID: 628822a5554d6cb8edb4362ea3450451fe2105f5ac1dc94147edf4f15b93f7f0
Opcode Fuzzy Hash: 682686a0f6687b36f11884cf974afd1c46cd5898393dfc308a56ce5c5cbced41
Instruction Fuzzy Hash: 9F21C3B5901258AFEF00EFA8E889BDDBFB4FB09700F00811AF611AA6A0D7B55544CF91

Function 0085065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0085039A: CreateFileW.KERNELBASE(00000000,00000000,?,00850704,?,?,00000000,?,00850704,00000000,0000000C), ref: 008503B7

GetLastError.KERNEL32 ref: 0085076F
__dosmaperr.LIBCMT ref: 00850776
GetFileType.KERNELBASE(00000000), ref: 00850782
GetLastError.KERNEL32 ref: 0085078C
__dosmaperr.LIBCMT ref: 00850795
CloseHandle.KERNEL32(00000000), ref: 008507B5
CloseHandle.KERNEL32(?), ref: 008508FF
GetLastError.KERNEL32 ref: 00850931
__dosmaperr.LIBCMT ref: 00850938

Strings

H, xrefs: 008508BD

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 3b8ccc0a1b299a2f75b48142b519e28bd13b8578578e8cfc0dc729c3b3d19f08
Instruction ID: 47fc44fd7cfb72e10186c9529a0974024ee4aa2580bce8a5832cd7e1a42ffff3
Opcode Fuzzy Hash: 3b8ccc0a1b299a2f75b48142b519e28bd13b8578578e8cfc0dc729c3b3d19f08
Instruction Fuzzy Hash: E0A10332A001488FDF19AF68D891BAE7BA0FB46325F140159FC11DF392DA71981ACF92

Function 0081344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00813A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008E1418,?,00812E7F,?,?,?,00000000), ref: 00813A78

Part of subcall function 00813357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00813379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0081356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0085318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008531CE
RegCloseKey.ADVAPI32(?), ref: 00853210
_wcslen.LIBCMT ref: 00853277
_wcslen.LIBCMT ref: 00853286

Strings

\Include\, xrefs: 00813527
\, xrefs: 0085328C
Software\AutoIt v3\AutoIt, xrefs: 00813560
Include, xrefs: 00853184, 008531C5

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: b60b3205f59501072285bef3a3f644bd2cae9c75ab883a39bab7d529f0f26561
Instruction ID: f5a8d1759333075e14b3b029efbc512ade884b2e4a35cdfcecd61951b6ce5cc8
Opcode Fuzzy Hash: b60b3205f59501072285bef3a3f644bd2cae9c75ab883a39bab7d529f0f26561
Instruction Fuzzy Hash: 697149714043419EC314EF69EC829ABBBECFF85750F40052EF595D6271EB749A88CB62

Function 00812B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00812B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00812B9D
LoadIconW.USER32(00000063), ref: 00812BB3
LoadIconW.USER32(000000A4), ref: 00812BC5
LoadIconW.USER32(000000A2), ref: 00812BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00812BEF
RegisterClassExW.USER32(?), ref: 00812C40

Part of subcall function 00812CD4: GetSysColorBrush.USER32(0000000F), ref: 00812D07
Part of subcall function 00812CD4: RegisterClassExW.USER32(00000030), ref: 00812D31
Part of subcall function 00812CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00812D42
Part of subcall function 00812CD4: InitCommonControlsEx.COMCTL32(?), ref: 00812D5F
Part of subcall function 00812CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00812D6F
Part of subcall function 00812CD4: LoadIconW.USER32(000000A9), ref: 00812D85
Part of subcall function 00812CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00812D94

Strings

#, xrefs: 00812C16
0, xrefs: 00812C0F
AutoIt v3, xrefs: 00812C2F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 841ce70046bb376a8f7a34d3b337825a25546d0dcf586d5a8153c974930ca005
Instruction ID: 566497f35cd73b0777b6a1893f9670088470f49acf367bad21f69e2654847f03
Opcode Fuzzy Hash: 841ce70046bb376a8f7a34d3b337825a25546d0dcf586d5a8153c974930ca005
Instruction Fuzzy Hash: 8F211A74E00358AFDF109FA9EC99AAD7FB4FB48B50F04401AF600AABA0D7B91540CF90

Function 00813170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0081316A,?,?), ref: 008131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0081316A,?,?), ref: 00813204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00813227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0081316A,?,?), ref: 00813232
CreatePopupMenu.USER32 ref: 00813246
PostQuitMessage.USER32(00000000), ref: 00813267

Strings

TaskbarCreated, xrefs: 0081322D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c032a49f4d6a3bbb6d8b05cb31ef993f42502d18908bbce722400976e20d3638
Instruction ID: e8f68c7162b920a4dcbb59bf89ff49f55794255c27d25def45f7c6c9e18b1f70
Opcode Fuzzy Hash: c032a49f4d6a3bbb6d8b05cb31ef993f42502d18908bbce722400976e20d3638
Instruction Fuzzy Hash: 0A411531240248ABEF156B7C9D4EBFD3A5DFF06345F040125F912CA6A2CB759AC497A2

Function 00E01330 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E01401
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E01627

Memory Dump Source

Source File: 00000000.00000002.1337076469.0000000000DFE000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfe000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
Instruction ID: d3a23b4df5324d7161e4579506b9a29ba91db351505a3f910e531c75efbb6f05
Opcode Fuzzy Hash: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
Instruction Fuzzy Hash: 48A1F574E00209EBDB14CFA4C894BEEB7B5FF48309F209599E215BB2C0D7759A81CB55

Function 00812C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00812C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00812CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00811CAD,?), ref: 00812CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00811CAD,?), ref: 00812CCF

Strings

AutoIt v3, xrefs: 00812C89, 00812C8E, 00812C8F
edit, xrefs: 00812CAC

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ad81e5eb9d52156ebea3113c01fd9f0ac2ad7f11d57f8bf1234f731d13d37831
Instruction ID: 447cfe78fe1fbf10c62469f5e124a9c3062d706b740986cf57ab7e71c8df0eaa
Opcode Fuzzy Hash: ad81e5eb9d52156ebea3113c01fd9f0ac2ad7f11d57f8bf1234f731d13d37831
Instruction Fuzzy Hash: D4F0DA755402D07AEB311717AC8CE772EBDF7C7F50B04005AFA00AAAA0C6791851DBB0

Function 00E010B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 163
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E00FA0: Sleep.KERNELBASE(000001F4), ref: 00E00FB1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E01220

Strings

PM8S6LN7A2RB42MWQU0GNH6HGR3LO, xrefs: 00E01289, 00E0128C

Memory Dump Source

Source File: 00000000.00000002.1337076469.0000000000DFE000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfe000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CreateFileSleep
String ID: PM8S6LN7A2RB42MWQU0GNH6HGR3LO
API String ID: 2694422964-3816193324
Opcode ID: f7245d0c853ff34f82ec1a208e513796a8070d08942284d4a543a227879d79d3
Instruction ID: db89975ec6f64130da1cf92810dc50ed40a383a8903d19dd8277153544ad5b43
Opcode Fuzzy Hash: f7245d0c853ff34f82ec1a208e513796a8070d08942284d4a543a227879d79d3
Instruction Fuzzy Hash: F8718570D1428CDAEF11DBE4C845BEEBBB5AF19304F044199E248BB2C1D7B90B85CBA5

Function 00813B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00813B0F,SwapMouseButtons,00000004,?), ref: 00813B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00813B0F,SwapMouseButtons,00000004,?), ref: 00813B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00813B0F,SwapMouseButtons,00000004,?), ref: 00813B83

Strings

Control Panel\Mouse, xrefs: 00813B3E

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 555d6b3fcd49969f67b2f031193bb0affcdf75a59aa527396e03a057a4bc27dd
Instruction ID: e4202eb08fc690a025dcae76af8a2a199f1c21b9492d0237cb49944bb0a52f58
Opcode Fuzzy Hash: 555d6b3fcd49969f67b2f031193bb0affcdf75a59aa527396e03a057a4bc27dd
Instruction Fuzzy Hash: 4A112AB5514208FFDB208FA5DC44AEFB7BCFF05754B104459A805D7110E2319E809760

Function 00DFFFA0 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00E007CD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E007F1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E00813

Memory Dump Source

Source File: 00000000.00000002.1337076469.0000000000DFE000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfe000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
Instruction ID: e76fb96a1412a6146ffc4c6a27ba002cad7ff661e38d2543b00b34d41499e722
Opcode Fuzzy Hash: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
Instruction Fuzzy Hash: 7B62F930A142589BEB24CFA4C851BDEB376EF58304F1091A9E10DFB2D0E7799E81CB59

Function 0081DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008632B7

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: cc004233284b9c54faeae12399cd499bf56d9b4feab697b12d1a6f841c2e12fb
Instruction ID: 4592eadd0ac73b6ca2aa409e1ab54e7e6c9543c23afa4b504255d20140d78115
Opcode Fuzzy Hash: cc004233284b9c54faeae12399cd499bf56d9b4feab697b12d1a6f841c2e12fb
Instruction Fuzzy Hash: DDC27871A00218CFCB24CF58D880AAEB7B9FF18314F258569ED56EB391D375AD81CB91

Function 00813923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008533A2

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00813A04

Strings

Line: , xrefs: 008533EB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 79c4ff7a8bef5b1557412ac69c929e2ea214119a7160a4e9f2b7dcce91eccc40
Instruction ID: f7ad172ad9bc62a971c3ad22bb4163d1ca81f594d342531531b8b6e67d2663e2
Opcode Fuzzy Hash: 79c4ff7a8bef5b1557412ac69c929e2ea214119a7160a4e9f2b7dcce91eccc40
Instruction Fuzzy Hash: 0C31C071408344AAD721EB24DC49BEBB7ECFF45710F00452AF5A9D2291EB749A88C7C3

Function 0082FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00830668

Part of subcall function 008332A4: RaiseException.KERNEL32(?,?,?,0083068A,?,008E1444,?,?,?,?,?,?,0083068A,00811129,008D8738,00811129), ref: 00833304

__CxxThrowException@8.LIBVCRUNTIME ref: 00830685

Strings

Unknown exception, xrefs: 00830692

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b349aa85ba7754f1ce463447f176c6fea66af6ac60b8cf84455cd6e920e2d1ee
Instruction ID: 1f9b1c075e757b0c57d5e5ec75beab75df3d570fc0cbec9dc52cbe26caf9fadc
Opcode Fuzzy Hash: b349aa85ba7754f1ce463447f176c6fea66af6ac60b8cf84455cd6e920e2d1ee
Instruction Fuzzy Hash: A9F04F2490030DA78B00B6A8E856D9E776CFE90354FA04531BA24D6696EF71EAA5C9C2

Function 00897F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 008982F5
TerminateProcess.KERNEL32(00000000), ref: 008982FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 008984DD

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 25818f7ff90d621d2e3b071e5801e4b84ac644b1960943acc41ac035efb0a4c2
Instruction ID: fc728ab48081ec8caff71a07e61676510e0e4bcd891129968d3492562147a6fc
Opcode Fuzzy Hash: 25818f7ff90d621d2e3b071e5801e4b84ac644b1960943acc41ac035efb0a4c2
Instruction Fuzzy Hash: D4125B71A08301DFDB14DF28C484B6ABBE5FF85318F18895DE899CB252DB31E945CB92

Function 008110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00811BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00811BF4
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00811BFC
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00811C07
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00811C12
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00811C1A
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00811C22

Part of subcall function 00811B4A: RegisterWindowMessageW.USER32(00000004,?,008112C4), ref: 00811BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0081136A
OleInitialize.OLE32 ref: 00811388
CloseHandle.KERNEL32(00000000,00000000), ref: 008524AB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 24e58012ed208df091b6660051aaf3a2b42754bdf5f9e1f218d0fb831be494d4
Instruction ID: 66d4253fc68642f6b399582e29ff7a58a7c123836cabdb7bf200b394822f1d9c
Opcode Fuzzy Hash: 24e58012ed208df091b6660051aaf3a2b42754bdf5f9e1f218d0fb831be494d4
Instruction Fuzzy Hash: 9071AFB49113908ECF84DFBAADCD6993AE5FB8A344754823AD51ACF361EB304485CF45

Function 008486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008485CC,?,008D8CC8,0000000C), ref: 00848704
GetLastError.KERNEL32(?,008485CC,?,008D8CC8,0000000C), ref: 0084870E
__dosmaperr.LIBCMT ref: 00848739

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: db788b946ae34a1d4d492087b42fa33999ba9d5eb0589ff29ed1a6bd95a1e252
Instruction ID: abc4768bce2ce1454c727ceb15ec90634cc95136e9de1e95ad79b4375931a4f1
Opcode Fuzzy Hash: db788b946ae34a1d4d492087b42fa33999ba9d5eb0589ff29ed1a6bd95a1e252
Instruction Fuzzy Hash: 45016B33A04268A7D6A166386889B7F6749FB93778F3A0119F804CB2D3DEA08C818191

Function 00821310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008217F6

Strings

CALL, xrefs: 008217C6

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 1e5840979cbcd0e5bfebdbefc7aefe2c45e9e08e0bc415ac0e7d8d147d235a7a
Instruction ID: 3965bec3a115e1f5181c90ba785362d21301c1595a8de88dc52a889709fe5612
Opcode Fuzzy Hash: 1e5840979cbcd0e5bfebdbefc7aefe2c45e9e08e0bc415ac0e7d8d147d235a7a
Instruction Fuzzy Hash: AC229B706082519FCB14DF18D488A2ABBF1FF95314F25896DF496CB3A2D731E991CB82

Function 0082DADA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,00000000,00000000,?,0081674A,?,00000047,00000000,00000000,?), ref: 0082DB77

Strings

ERCP, xrefs: 0082DA82

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: BuffCharUpper
String ID: ERCP
API String ID: 3964851224-1384759551
Opcode ID: f82c30591b3ea87281ce7a0554173ff37b56152a0ff73af21b13265ded1a1366
Instruction ID: 0ad79408581c36424dd63d8f7483ac6202b4942b9f2c80153839bafae79b3b9a
Opcode Fuzzy Hash: f82c30591b3ea87281ce7a0554173ff37b56152a0ff73af21b13265ded1a1366
Instruction Fuzzy Hash: 4441E5B650D3B19FCB138F24A850E997FA0FF52754B1881EED987CF193E6214886CB51

Function 00812DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00852C8C

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

Part of subcall function 00812DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00812DC4

Strings

X, xrefs: 00852C5A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: c33de775d40a1e81797858fc4f541fcfa36956f51300283f8c6e20e2e4851625
Instruction ID: cee250f2fc234b8a31a18dd40ecb46e42e8a670ddd24d012f84a5adff0af0816
Opcode Fuzzy Hash: c33de775d40a1e81797858fc4f541fcfa36956f51300283f8c6e20e2e4851625
Instruction Fuzzy Hash: 9E21A170A0025C9ADB01DF98C845BEE7BBDFF49315F00405AE505E7241EBB45A9D8FA2

Function 00813837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00813908

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: fc746222cd93613b1398cff3baab47f162969943ed3f19d473e04b2b939a3c7c
Instruction ID: d399aed171162f956e8d2645737aa476e3207b86ef8833c0e647f1d65b97f09c
Opcode Fuzzy Hash: fc746222cd93613b1398cff3baab47f162969943ed3f19d473e04b2b939a3c7c
Instruction Fuzzy Hash: D9315AB05043019FD721DF24D8847D6BBE8FF49708F00092EE99AD7250E775AA84CB52

Function 00815745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0081949C,?,00008000), ref: 00815773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0081949C,?,00008000), ref: 00854052

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2898dffe25538cb1792f2974e98b9a6d48df72ad4292d2411dc51dde4686d842
Instruction ID: 79ff646c2aedf1032437b16e01f7d40c7844981aa6a31c4e47d582870b62115a
Opcode Fuzzy Hash: 2898dffe25538cb1792f2974e98b9a6d48df72ad4292d2411dc51dde4686d842
Instruction Fuzzy Hash: AE014031245625F6E3714A2ADC0EF977F98FF42BB5F148610BA9C9A1E0CBB45894CB90

Function 0081B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0081BB4E

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 083ae65faa0e79365b001a64b116966b0cb9b52d6ca8d216df04eaf61f98ae3b
Instruction ID: d5c005ee34f0c5c077b839d4bfe7c339b11c4e58a02cb77bfbb24da408bac84d
Opcode Fuzzy Hash: 083ae65faa0e79365b001a64b116966b0cb9b52d6ca8d216df04eaf61f98ae3b
Instruction Fuzzy Hash: A732BB30A002099FDB24CF58C994ABABBB9FF44354F158069E915EB3A1D774ED82CF91

Function 00DFFF9D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00E007CD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E007F1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E00813

Memory Dump Source

Source File: 00000000.00000002.1337076469.0000000000DFE000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfe000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction ID: ec71b020320ee1f60588e44fd24e5576ae5662227fe80c40c4ef34d86e3a3bef
Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction Fuzzy Hash: 7912CD24A14658C6EB24DF64D8507DEB232EF68300F10A4E9910DEB7A5E77A4F81CF5A

Function 0089709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: a0aab1f5ae35474d3c042320598c0063b648a6d0d9447d2c9ac4da4009c189c7
Instruction ID: f215ad7a0d83caf5b9552718afe34e2cc35341fe6ca3e373601c9f1b1418bc44
Opcode Fuzzy Hash: a0aab1f5ae35474d3c042320598c0063b648a6d0d9447d2c9ac4da4009c189c7
Instruction Fuzzy Hash: 1CD12774A14209EFCF14EF98D8819EDBBB5FF48314F284159E915EB291EB30AD81CB91

Function 0082FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0082FD1F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 9483155d13b19cec2705f982529cead8b54638cbbf094dd17448211daa32e295
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9E31E2B4A001299BD718CF59E490969FBB1FF49304B2486B5E90ACB656D731EEC1CBC0

Function 00814ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00814E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E9C
Part of subcall function 00814E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00814EAE
Part of subcall function 00814E90: FreeLibrary.KERNEL32(00000000,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814EFD

Part of subcall function 00814E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E62
Part of subcall function 00814E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00814E74
Part of subcall function 00814E59: FreeLibrary.KERNEL32(00000000,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E87

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 57e6fc8da7400435b92d09a6a4e05c468d0965430de2f2702a99dbcb5936e645
Instruction ID: de8c78b55d79c401d95d3b0d969eb9d37a8086281f29e238dc9b3a85e129710c
Opcode Fuzzy Hash: 57e6fc8da7400435b92d09a6a4e05c468d0965430de2f2702a99dbcb5936e645
Instruction Fuzzy Hash: A011C132600205AADB14AB68D802FED77A9FF80711F108429F542EA2C1EE719E869791

Function 00848402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00848440

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 301b2e9b5e4937eb5470090748ea86564ee219f8e5ff6613f8bb63f9146963dd
Instruction ID: 3df8fb578c682be63db6571dabd516916779af875029ff88f4314e761c1aa171
Opcode Fuzzy Hash: 301b2e9b5e4937eb5470090748ea86564ee219f8e5ff6613f8bb63f9146963dd
Instruction Fuzzy Hash: A311067590410AEFCB05DF58E94199E7BF9FF48314F144059FC08EB312DA31DA118BA5

Function 00811CD0 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00812B12,008E1418,?,?,?,?,?,?,?,00811CAD,?), ref: 00811D11

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: FullNamePath_wcslen
String ID:
API String ID: 4019309064-0
Opcode ID: 69f6076e7d99c5fbc5e7542a2f27831c95d3f2c16716048f6b47ec3bff87c3f8
Instruction ID: ef2b2fa8cd3cd288e16b90d4e545b989eaf3adc3dc429893a87ad7c5a9856499
Opcode Fuzzy Hash: 69f6076e7d99c5fbc5e7542a2f27831c95d3f2c16716048f6b47ec3bff87c3f8
Instruction Fuzzy Hash: 41118875A042099ACF10EBA9D849DD973FDFF09354F004061BA99D7291DE70D7C8C712

Function 0083E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 231308ad2812756c43b4de4a09d60189baed25adaaa97ff5c1b904fd74793ae9
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 73F08132511A1896D6313A6E9C06B5A3798FFE2335F100719F925D22D2EB749802C6E6

Function 00819CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00819CBD

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 925dd5c5bacb953470c4b1c403d787b0688307d40fd5fb7636ab76acd22fdb11
Instruction ID: 7d4b2ac4f5230677c382257966203c890066e6e02007593a2ff9de4c8947e22a
Opcode Fuzzy Hash: 925dd5c5bacb953470c4b1c403d787b0688307d40fd5fb7636ab76acd22fdb11
Instruction Fuzzy Hash: 80F0A4B36006146ED7259F28D806AA6BBA8FF44760F10853AFA19CB1D1EB31E550CAE0

Function 0082DB43 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,00000000,00000000,?,0081674A,?,00000047,00000000,00000000,?), ref: 0082DB77

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 8d1f01cf98426d0a411b74d1e02bb3d02d6de52d5871f73941d10006f673c25c
Instruction ID: eaeb73ff0ca32461c456e7a2bd77a9f0f8b07f18731b89dc217fd8bb3e9dd2d0
Opcode Fuzzy Hash: 8d1f01cf98426d0a411b74d1e02bb3d02d6de52d5871f73941d10006f673c25c
Instruction Fuzzy Hash: A9F0BE75200730ABCB156F29E410A69FFA8FF44B30F01802AF109C6A41CB7198A1CBCA

Function 00843820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f436b4e79232ff988de3d4124e44c151ad51eacaa6d03ce959f0a8c741c685a3
Instruction ID: 1635e25d69729158aaa133496c9858856be944a5e75864bc188577a8e58dce99
Opcode Fuzzy Hash: f436b4e79232ff988de3d4124e44c151ad51eacaa6d03ce959f0a8c741c685a3
Instruction Fuzzy Hash: 8BE09B3150122C97E73126BB9C05B9BF749FF827B0F150131BD15D6591DB61EE0185E1

Function 00814F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814F6D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ae7243db99213ecdcc3ab93391b4124c3f9dcfeb0518dd586d61456993a6b272
Instruction ID: d82a193909895d7bf16177c18fb4c43477346477f9cb1f2229289b40fb69b5cf
Opcode Fuzzy Hash: ae7243db99213ecdcc3ab93391b4124c3f9dcfeb0518dd586d61456993a6b272
Instruction Fuzzy Hash: ABF03971105752CFDB349F64E4908A2BBE8FF15329324A97EE1EBC6621CB319889DF50

Function 0087CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0085EE51,008D3630,00000002), ref: 0087CD26

Part of subcall function 0087CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0087CD19,?,?,?), ref: 0087CC59
Part of subcall function 0087CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0087CD19,?,?,?,?,0085EE51,008D3630,00000002), ref: 0087CC6E
Part of subcall function 0087CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0087CD19,?,?,?,?,0085EE51,008D3630,00000002), ref: 0087CC7A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 020e0ababdb7e01744968e9db81367fe8a2429593a33749d3bf18823e0efc7ec
Instruction ID: 526554e017c94c74d4f10cf5391f353ee54cb4878da0adadf35fdf3207ebe4e7
Opcode Fuzzy Hash: 020e0ababdb7e01744968e9db81367fe8a2429593a33749d3bf18823e0efc7ec
Instruction Fuzzy Hash: D4E06D7A500704EFD7219F8ADD018AABBF9FFC5360710852FE99AC2514D7B1EA14DB60

Function 00812DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00812DC4

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0cb7537c54c74fe5393e9ba6933332054868f47ce6068f06fef42d026c313739
Instruction ID: c43fcfa17eca432eccbf0dbdf9c709b0a5d82f0b5126f965a4c81c94f7c8b133
Opcode Fuzzy Hash: 0cb7537c54c74fe5393e9ba6933332054868f47ce6068f06fef42d026c313739
Instruction Fuzzy Hash: B5E0CD726041245BCB10925C9C05FEA77DDFFC8791F050071FD09D7248DA64AD848551

Function 00812B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00813837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00813908

Part of subcall function 0081D730: GetInputState.USER32 ref: 0081D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00812B6B

Part of subcall function 008130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0081314E

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 5765930578b5c9f213feafd2567b11ff8c91f57cb2957814a7d9ad6b23a0c9f6
Instruction ID: 4a7389af0b92bb7c5eb8460d1d1269ddab480630e630ae231457812781227bb5
Opcode Fuzzy Hash: 5765930578b5c9f213feafd2567b11ff8c91f57cb2957814a7d9ad6b23a0c9f6
Instruction Fuzzy Hash: 6CE0863130424407CA05BB7DA8565EDA79EFFD6355F40153EF142C72A2CE6589C94353

Function 0085039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00850704,?,?,00000000,?,00850704,00000000,0000000C), ref: 008503B7

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a4c07dba16edf7d013aa759931aaca0d44724cdb8d41a43f900b2fdf6d208d51
Instruction ID: 5a7243399ac559722f235d3d9a048c0b017f5e78b1abd75efbfd3fa447b9b2cc
Opcode Fuzzy Hash: a4c07dba16edf7d013aa759931aaca0d44724cdb8d41a43f900b2fdf6d208d51
Instruction Fuzzy Hash: BBD06C3214010DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C736E821AB90

Function 00811CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00811CBC

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 36e0f665b0f343dea0151516d2602ccdcb003ac4a4492c705c2d2defc406de31
Instruction ID: 9bec22163f6cb7edad410d8b1d945d7d683fcd6417c717fc0a24f9ff700c7abb
Opcode Fuzzy Hash: 36e0f665b0f343dea0151516d2602ccdcb003ac4a4492c705c2d2defc406de31
Instruction Fuzzy Hash: CEC09B352803449FF6144780BD8EF107754B348B00F444001F6095D5E3C7F11810D650

Function 0088744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00815745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0081949C,?,00008000), ref: 00815773

GetLastError.KERNEL32(00000002,00000000), ref: 008876DE

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 92dfe0888ee3f42ea63dcb958cd3129275f4a258e70a78627d1a7fa3945de15f
Instruction ID: 84712a34e3ce55a7a8374c4f7c9f6b6c70b338728bdca09a1dee2686e2f53636
Opcode Fuzzy Hash: 92dfe0888ee3f42ea63dcb958cd3129275f4a258e70a78627d1a7fa3945de15f
Instruction Fuzzy Hash: 6C817C306087019FC714EF28C491AA9B7F5FF99314F14452DF89A9B2A2DB30ED85CB92

Function 00E00F9C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00E00FB1

Memory Dump Source

Source File: 00000000.00000002.1337076469.0000000000DFE000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfe000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 842348f308c59f73afed04c2f17e40dc807ac7c86e99515de6d28c47df67505f
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: D6E0BF7494510EEFDB10EFA4D6496DE7BB4EF04301F1005A1FD05E7680DB309E549A62

Function 00816246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,008524E0), ref: 00816266

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c087e0e6d581dd082dad97ea675f7662adb16cd1d2209b23070f1631db00cdbd
Instruction ID: d818e3c41aea2912c71aa63b8c10af9f9ece3f8ce596c62e6c32dd4271e4e62b
Opcode Fuzzy Hash: c087e0e6d581dd082dad97ea675f7662adb16cd1d2209b23070f1631db00cdbd
Instruction Fuzzy Hash: 90E0BD75800B01DFD7318F1AE804492FBF9FFE13613208A2ED0E692660E7B0689ACF50

Function 00E00FA0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00E00FB1

Memory Dump Source

Source File: 00000000.00000002.1337076469.0000000000DFE000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfe000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 7858c66057d2e178e9caa880910147d43db2695ac1f75f7abb29ff6ea8a7e3e8
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 2DE0E67494510EDFDB00EFB4D64969E7FB4EF04301F100161FD05E2280D7309D509A62

Non-executed Functions

Function 008A9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 008A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 008A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008A96C9
SendMessageW.USER32 ref: 008A96F2
GetKeyState.USER32(00000011), ref: 008A978B
GetKeyState.USER32(00000009), ref: 008A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008A97AE
GetKeyState.USER32(00000010), ref: 008A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008A97E9
SendMessageW.USER32 ref: 008A9810
SendMessageW.USER32(?,00001030,?,008A7E95), ref: 008A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 008A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 008A9941
SetCapture.USER32(?), ref: 008A994A
ClientToScreen.USER32(?,?), ref: 008A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008A99D6
ReleaseCapture.USER32 ref: 008A99E1
GetCursorPos.USER32(?), ref: 008A9A19
ScreenToClient.USER32(?,?), ref: 008A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 008A9A80
SendMessageW.USER32 ref: 008A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 008A9AEB
SendMessageW.USER32 ref: 008A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 008A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 008A9B4A
GetCursorPos.USER32(?), ref: 008A9B68
ScreenToClient.USER32(?,?), ref: 008A9B75
GetParent.USER32(?), ref: 008A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 008A9BFA
SendMessageW.USER32 ref: 008A9C2B
ClientToScreen.USER32(?,?), ref: 008A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 008A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 008A9CDE
SendMessageW.USER32 ref: 008A9D01
ClientToScreen.USER32(?,?), ref: 008A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 008A9D82

Part of subcall function 00829944: GetWindowLongW.USER32(?,000000EB), ref: 00829952

GetWindowLongW.USER32(?,000000F0), ref: 008A9E05

Strings

F, xrefs: 008A9D07
@GUI_DRAGID, xrefs: 008A997D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 4dfaab4b8101e45aa60a7e1ab36309d2f32c640bf9d25f7ea177f018534def83
Instruction ID: 430649a502f0b29e1ab9254312345104bff9884b75d4cc7afbe856634beeb5b0
Opcode Fuzzy Hash: 4dfaab4b8101e45aa60a7e1ab36309d2f32c640bf9d25f7ea177f018534def83
Instruction Fuzzy Hash: 4B428034608241AFEB24CF68CC84AAABBE5FF5A314F14051DF695C7AA1D771E850CF51

Function 008A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 008A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 008A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 008A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 008A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 008A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 008A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008A4A7E
IsMenu.USER32(?), ref: 008A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008A4B20
GetWindowLongW.USER32(?,000000F0), ref: 008A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 008A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 008A4C82
wsprintfW.USER32 ref: 008A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 008A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 008A4D5A

Strings

%d/%02d/%02d, xrefs: 008A4CA8

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 6e0b0818f5a5cce567403c43d2b5837c9b5b3e063b9793253801d82806a7c3eb
Instruction ID: c69cd272b3f94ee06a02a7452982dd2c03e07ef2f1cdd81b08f44c9dbfb3dbcc
Opcode Fuzzy Hash: 6e0b0818f5a5cce567403c43d2b5837c9b5b3e063b9793253801d82806a7c3eb
Instruction Fuzzy Hash: BB12DC71600218ABFF258F28DC49FAE7BF8FF86314F105129F516EA6A1DBB49941CB50

Function 0082F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0082F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0086F474
IsIconic.USER32(00000000), ref: 0086F47D
ShowWindow.USER32(00000000,00000009), ref: 0086F48A
SetForegroundWindow.USER32(00000000), ref: 0086F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0086F4AA
GetCurrentThreadId.KERNEL32 ref: 0086F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0086F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0086F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0086F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0086F4DE
SetForegroundWindow.USER32(00000000), ref: 0086F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F4F6
keybd_event.USER32(00000012,00000000), ref: 0086F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F50B
keybd_event.USER32(00000012,00000000), ref: 0086F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F519
keybd_event.USER32(00000012,00000000), ref: 0086F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F528
keybd_event.USER32(00000012,00000000), ref: 0086F52D
SetForegroundWindow.USER32(00000000), ref: 0086F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0086F557

Strings

Shell_TrayWnd, xrefs: 0086F46F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c43e5eba7bb8bbcb483dfec13e3bccce5a3bfdf53653402f16b03b691b518a63
Instruction ID: bbba0c5f667ea7f8af060f3decbadbff585188750c6d6a9de9f4381c163a062e
Opcode Fuzzy Hash: c43e5eba7bb8bbcb483dfec13e3bccce5a3bfdf53653402f16b03b691b518a63
Instruction Fuzzy Hash: 39311071A40218BFFB216BB55C4AFBF7E6CFB45B50F110065FB01E61D1DAB19D00AA60

Function 00871201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087170D
Part of subcall function 008716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087173A
Part of subcall function 008716C3: GetLastError.KERNEL32 ref: 0087174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00871286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008712A8
CloseHandle.KERNEL32(?), ref: 008712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008712D1
GetProcessWindowStation.USER32 ref: 008712EA
SetProcessWindowStation.USER32(00000000), ref: 008712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00871310

Part of subcall function 008710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008711FC), ref: 008710D4
Part of subcall function 008710BF: CloseHandle.KERNEL32(?,?,008711FC), ref: 008710E9

Strings

winsta0, xrefs: 008712CC
, xrefs: 0087125A
default, xrefs: 0087130B

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: fdb1ae0deb239b08f7fdcca23c63e56a1788b356fc797429404e300026cca432
Instruction ID: fcda87ccc518b7deea5e1c8b655cf97664884e83f2236db6e13b48e44acd96d3
Opcode Fuzzy Hash: fdb1ae0deb239b08f7fdcca23c63e56a1788b356fc797429404e300026cca432
Instruction Fuzzy Hash: 42819D71900208AFEF219FA8DC49BEE7BBAFF05704F148129F914E66A4D774C944CB65

Function 00870B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00871114
Part of subcall function 008710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871120
Part of subcall function 008710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 0087112F
Part of subcall function 008710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871136
Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0087114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00870BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00870C00
GetLengthSid.ADVAPI32(?), ref: 00870C17
GetAce.ADVAPI32(?,00000000,?), ref: 00870C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00870C6D
GetLengthSid.ADVAPI32(?), ref: 00870C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00870C8C
HeapAlloc.KERNEL32(00000000), ref: 00870C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00870CB4
CopySid.ADVAPI32(00000000), ref: 00870CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00870CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00870D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00870D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870D45
HeapFree.KERNEL32(00000000), ref: 00870D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870D55
HeapFree.KERNEL32(00000000), ref: 00870D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870D65
HeapFree.KERNEL32(00000000), ref: 00870D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00870D78
HeapFree.KERNEL32(00000000), ref: 00870D7F

Part of subcall function 00871193: GetProcessHeap.KERNEL32(00000008,00870BB1,?,00000000,?,00870BB1,?), ref: 008711A1
Part of subcall function 00871193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00870BB1,?), ref: 008711A8
Part of subcall function 00871193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00870BB1,?), ref: 008711B7

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 45878661e8de86a8c88a90153f60b12486fc92120f7f742692ab7d5295d99260
Instruction ID: f04aa307d036dc1ea4e2f0ad3ba18c60c1f70765eab9db2d73ac6bf8261845d2
Opcode Fuzzy Hash: 45878661e8de86a8c88a90153f60b12486fc92120f7f742692ab7d5295d99260
Instruction Fuzzy Hash: 4B713C71A0020AEBEF10DFA4DC48BAEBBB8FF05310F148615E919E6295D775E905CF60

Function 0088EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(008ACC08), ref: 0088EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0088EB37
GetClipboardData.USER32(0000000D), ref: 0088EB43
CloseClipboard.USER32 ref: 0088EB4F
GlobalLock.KERNEL32(00000000), ref: 0088EB87
CloseClipboard.USER32 ref: 0088EB91
GlobalUnlock.KERNEL32(00000000), ref: 0088EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0088EBC9
GetClipboardData.USER32(00000001), ref: 0088EBD1
GlobalLock.KERNEL32(00000000), ref: 0088EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0088EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0088EC38
GetClipboardData.USER32(0000000F), ref: 0088EC44
GlobalLock.KERNEL32(00000000), ref: 0088EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0088EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0088EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0088ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0088ECF3
CountClipboardFormats.USER32 ref: 0088ED14
CloseClipboard.USER32 ref: 0088ED59

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 527503877cae71db8263cf0b58aa055d114de37d4355ba7c85f1f718c32c62f1
Instruction ID: 633a7cf0669e7108942ce50a8ff17b37dc466ab25bdbd8524c71ce7e867e3be0
Opcode Fuzzy Hash: 527503877cae71db8263cf0b58aa055d114de37d4355ba7c85f1f718c32c62f1
Instruction Fuzzy Hash: 2061BD342042059FE310EF28D894F6ABBA8FF85714F18451DF496D76A2DB31ED49CBA2

Function 0088698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008869BE
FindClose.KERNEL32(00000000), ref: 00886A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00886A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00886A75

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00886AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00886ADF

Strings

%4d, xrefs: 00886BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00886B6A
%03d, xrefs: 00886DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00886B32
%02d, xrefs: 00886C00, 00886C0A, 00886C5A, 00886CAA, 00886CFA, 00886D4A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: cf52c05cae511dfb5c89627ca2b10f10ef2965edde4114305ef70ecf70a38568
Instruction ID: 6d44530155ac059c145f82fe8597139afeab526d3e926450768e5ef87e6d4f5e
Opcode Fuzzy Hash: cf52c05cae511dfb5c89627ca2b10f10ef2965edde4114305ef70ecf70a38568
Instruction Fuzzy Hash: 06D12C72508300AAC714EBA8D891EABB7ECFF88704F44491EF585D7291EB74DA44CB63

Function 00889642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00889663
GetFileAttributesW.KERNEL32(?), ref: 008896A1
SetFileAttributesW.KERNEL32(?,?), ref: 008896BB
FindNextFileW.KERNEL32(00000000,?), ref: 008896D3
FindClose.KERNEL32(00000000), ref: 008896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0088974A
SetCurrentDirectoryW.KERNEL32(008D6B7C), ref: 00889768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00889772
FindClose.KERNEL32(00000000), ref: 0088977F
FindClose.KERNEL32(00000000), ref: 0088978F

Strings

*.*, xrefs: 008896F5

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e81c4f1c5a21108f7ba14b21a741e3574d5e5cefa170ce81816fa471f7bcca4b
Instruction ID: 7a6813a68ac68ac39c4800058b60ea3f36b32e74ab9a25e210a598cb9248e469
Opcode Fuzzy Hash: e81c4f1c5a21108f7ba14b21a741e3574d5e5cefa170ce81816fa471f7bcca4b
Instruction Fuzzy Hash: 6331C0325412196AEF20FFB4DC08AEE77ACFF4A320F184156F855E22A0EB74DE408B54

Function 0088979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 008897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00889819
FindClose.KERNEL32(00000000), ref: 00889824
FindFirstFileW.KERNEL32(*.*,?), ref: 00889840
SetCurrentDirectoryW.KERNEL32(?), ref: 00889890
SetCurrentDirectoryW.KERNEL32(008D6B7C), ref: 008898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008898B8
FindClose.KERNEL32(00000000), ref: 008898C5
FindClose.KERNEL32(00000000), ref: 008898D5

Part of subcall function 0087DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0087DB00

Strings

*.*, xrefs: 0088983B

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b950f0f06f11aabe836724549331d907aacce1ba4713af246605aa39aef6f8ef
Instruction ID: 1421da529393fbbd0d4d7643d9c05ea0bba676cb1f48f1c7ec1583597b05a411
Opcode Fuzzy Hash: b950f0f06f11aabe836724549331d907aacce1ba4713af246605aa39aef6f8ef
Instruction Fuzzy Hash: 9831A33150061E6EEF10BFB4DC48AEE77ACFF46324F184166E894E2691EB75DE448B60

Function 00888195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00888257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00888267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00888273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00888310
SetCurrentDirectoryW.KERNEL32(?), ref: 00888324
SetCurrentDirectoryW.KERNEL32(?), ref: 00888356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0088838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00888395

Strings

*.*, xrefs: 0088839B

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 02424f832d2ea5e739f452a789d861a90500819fd43231abc464ee0ce0fbc055
Instruction ID: 9bd259eb8d3483169038e16cfc408bb5c9460502cf9d5699998f62ff1459170f
Opcode Fuzzy Hash: 02424f832d2ea5e739f452a789d861a90500819fd43231abc464ee0ce0fbc055
Instruction Fuzzy Hash: C06169725043059FDB10EF68C8849AEB3E9FF89314F44892EF999C7251EB31E945CB92

Function 0087D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

Part of subcall function 0087E199: GetFileAttributesW.KERNEL32(?,0087CF95), ref: 0087E19A

FindFirstFileW.KERNEL32(?,?), ref: 0087D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0087D1DD
MoveFileW.KERNEL32(?,?), ref: 0087D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0087D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0087D237

Part of subcall function 0087D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0087D21C,?,?), ref: 0087D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0087D253
FindClose.KERNEL32(00000000), ref: 0087D264

Strings

\*.*, xrefs: 0087D0CD, 0087D0D6, 0087D0EB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: d943f30c43b86fa956aa12fca07554c57a3b2277b6b72808074f5fafa2428d8a
Instruction ID: f9880ab141660cc5a7733c83ab855e5758e04019233b317e66a701f521562e6b
Opcode Fuzzy Hash: d943f30c43b86fa956aa12fca07554c57a3b2277b6b72808074f5fafa2428d8a
Instruction Fuzzy Hash: D7617E3180120D9ACF05EBE4D9529EDB7B9FF15300F248165E44AF7196EB31AF4ACB62

Function 0088ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0088ED91
EmptyClipboard.USER32 ref: 0088ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0088EDAC
CloseClipboard.USER32 ref: 0088EEA3

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6afddd7c7075babbe31b5cbc6f32a2cdfa88d4217213d86a0fa81f974bba9bef
Instruction ID: c4769590371508fabd6540fcd51cdcc31d9222d27240fd0e199f47267cdcc307
Opcode Fuzzy Hash: 6afddd7c7075babbe31b5cbc6f32a2cdfa88d4217213d86a0fa81f974bba9bef
Instruction Fuzzy Hash: 16418D35208611AFE720EF19D888B59BBE5FF55318F14C09DE419CBAA2CB75EC42CB91

Function 0087E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087170D
Part of subcall function 008716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087173A
Part of subcall function 008716C3: GetLastError.KERNEL32 ref: 0087174A

ExitWindowsEx.USER32(?,00000000), ref: 0087E932

Strings

SeShutdownPrivilege, xrefs: 0087E902
, xrefs: 0087E95C
, xrefs: 0087E920
@, xrefs: 0087E925

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 7b513760314a0fb0039a20554f8adc4fc582eb44f8b45c22ccbff6819fe44eb1
Instruction ID: ed33613e9fe8b1d7641eaaf207c1f2b2daa2998334ea485910f841f1d088ddc5
Opcode Fuzzy Hash: 7b513760314a0fb0039a20554f8adc4fc582eb44f8b45c22ccbff6819fe44eb1
Instruction Fuzzy Hash: 92014933610214AFFB6466B89C8AFBF769CF719744F148462FE1BE31D5D6A0DC408290

Function 00891204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00891276
WSAGetLastError.WSOCK32 ref: 00891283
bind.WSOCK32(00000000,?,00000010), ref: 008912BA
WSAGetLastError.WSOCK32 ref: 008912C5
closesocket.WSOCK32(00000000), ref: 008912F4
listen.WSOCK32(00000000,00000005), ref: 00891303
WSAGetLastError.WSOCK32 ref: 0089130D
closesocket.WSOCK32(00000000), ref: 0089133C

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 70e39943a1120b97cb07078d6d3d50993a70432b3c8a748ac07b8d39e546fbdf
Instruction ID: 7c4c5c9326b48492d8c47b1bbcdd4b147839af500790e0f5eda8c3aac92c5c08
Opcode Fuzzy Hash: 70e39943a1120b97cb07078d6d3d50993a70432b3c8a748ac07b8d39e546fbdf
Instruction Fuzzy Hash: 62416E316041019FEB10EF68C488B69BBE6FF46318F188198E856DF296C775ED81CBA1

Function 0084B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0084B9D4
_free.LIBCMT ref: 0084B9F8
_free.LIBCMT ref: 0084BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,008B3700), ref: 0084BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0084BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008E1270,000000FF,?,0000003F,00000000,?), ref: 0084BC36
_free.LIBCMT ref: 0084BD4B

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 40a38ee8f6d7a55357793d99281e7e6599b9e852517b6fe9c076b5698861247b
Instruction ID: e012613f99d11bcb8e35dfcd96409cc75711302868efc520d45d63d06523ed38
Opcode Fuzzy Hash: 40a38ee8f6d7a55357793d99281e7e6599b9e852517b6fe9c076b5698861247b
Instruction Fuzzy Hash: 55C12571A0425DAFDB20DF698C81BAEBBB9FF41360F1441AAE590DB251EB30CE41C791

Function 0087D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

Part of subcall function 0087E199: GetFileAttributesW.KERNEL32(?,0087CF95), ref: 0087E19A

FindFirstFileW.KERNEL32(?,?), ref: 0087D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0087D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0087D481
FindClose.KERNEL32(00000000), ref: 0087D498
FindClose.KERNEL32(00000000), ref: 0087D4A1

Strings

\*.*, xrefs: 0087D3F2

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 0711038c0b3a31c1690a251aaa880e159aa4645712857d420cde6ce09f97c7d2
Instruction ID: 5fbcaa0f860aee7ad12e3d7cec2409ef96ea4cc83973e0b340ad352761a3718e
Opcode Fuzzy Hash: 0711038c0b3a31c1690a251aaa880e159aa4645712857d420cde6ce09f97c7d2
Instruction Fuzzy Hash: 13316F710083459BC204EF68D8559EFB7ACFE92314F448A2DF4E5D2191EB20EA49D767

Function 0084E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0084E645

Strings

1#QNAN, xrefs: 0084F84B
1#SNAN, xrefs: 0084F844
1#INF, xrefs: 0084F852
1#IND, xrefs: 0084F83D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ef0ef7d62c2f6b6ab658af321834053647aad31f405d5ae8be2bcd182bb32946
Instruction ID: 90275f9f6f5757bdbecf5443cf373a04b143d6c6901470a5804ff7d31f321b81
Opcode Fuzzy Hash: ef0ef7d62c2f6b6ab658af321834053647aad31f405d5ae8be2bcd182bb32946
Instruction Fuzzy Hash: CDC22872E0462C8FDB25CE289D407EAB7B5FB88305F1541EAD94DE7241E778AE818F41

Function 0088648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008864DC
CoInitialize.OLE32(00000000), ref: 00886639
CoCreateInstance.OLE32(008AFCF8,00000000,00000001,008AFB68,?), ref: 00886650
CoUninitialize.OLE32 ref: 008868D4

Strings

.lnk, xrefs: 008864BA, 00886524, 008865E0

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 42439b68cd21de467ab33d30ac1b53e599a59e24f4e6b7abf35d8d58bcc68c2d
Instruction ID: 3622fa213303c409e7b35e917ac7eb2557190a82d691d3d4a28ee2f28f676cb7
Opcode Fuzzy Hash: 42439b68cd21de467ab33d30ac1b53e599a59e24f4e6b7abf35d8d58bcc68c2d
Instruction Fuzzy Hash: 3AD139715083019FD304EF28C891AABB7E9FF99704F10496DF595CB291EB70E946CB92

Function 008922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008922E8

Part of subcall function 0088E4EC: GetWindowRect.USER32(?,?), ref: 0088E504

GetDesktopWindow.USER32 ref: 00892312
GetWindowRect.USER32(00000000), ref: 00892319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00892355
GetCursorPos.USER32(?), ref: 00892381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008923DF

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 3dc77ebf6d51a9f89fdea5b2214a86963387fe7439ee58600a8ec578b88dce82
Instruction ID: 915fcaadd45099f62c482e08fac491cd9e0f5a7f26ce41c3a69a42d30a1d1078
Opcode Fuzzy Hash: 3dc77ebf6d51a9f89fdea5b2214a86963387fe7439ee58600a8ec578b88dce82
Instruction Fuzzy Hash: 6331E072504315AFDB20EF58C849B5BBBA9FF89314F04091DF989D7291DB34EA08CB92

Function 00889B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00889B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00889C8B

Part of subcall function 00883874: GetInputState.USER32 ref: 008838CB
Part of subcall function 00883874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00883966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00889BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00889C75

Strings

*.*, xrefs: 00889B5D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 6b85d6c3901ab316bdafa41c23849cfb16ca4d78b361805afb8c9807275c5d0f
Instruction ID: 269e4de35f460f0a87444b13994afe44448478b9613ac4ae010d66618f43f646
Opcode Fuzzy Hash: 6b85d6c3901ab316bdafa41c23849cfb16ca4d78b361805afb8c9807275c5d0f
Instruction Fuzzy Hash: A341827190020AAFDF15EFA8C845AEE7BB9FF45310F144156E855E2291EB31AE84CF61

Function 0082997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00829A4E
GetSysColor.USER32(0000000F), ref: 00829B23
SetBkColor.GDI32(?,00000000), ref: 00829B36

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 71918c04e86930b879b2dd05fbe4d7a575905b780092bff031dec608c10d27aa
Instruction ID: a81398d775928f81ac40f502fd09bb19fbe4c064f8d9963ffe30b5e33fe9d730
Opcode Fuzzy Hash: 71918c04e86930b879b2dd05fbe4d7a575905b780092bff031dec608c10d27aa
Instruction Fuzzy Hash: 05A12D70108578AEE724AA3CAC9CE7B3A9DFF43318F164119F583D69D1CA259D81D3B2

Function 00891806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0089304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0089307A
Part of subcall function 0089304E: _wcslen.LIBCMT ref: 0089309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0089185D
WSAGetLastError.WSOCK32 ref: 00891884
bind.WSOCK32(00000000,?,00000010), ref: 008918DB
WSAGetLastError.WSOCK32 ref: 008918E6
closesocket.WSOCK32(00000000), ref: 00891915

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: f30bb6cfc0179df843ad0386fede923eab226ede30629318ad47b0aca15e5a06
Instruction ID: 5877d5369995596257fc4caa8b3cffc95542356e7760dae39aba2230e68c09aa
Opcode Fuzzy Hash: f30bb6cfc0179df843ad0386fede923eab226ede30629318ad47b0aca15e5a06
Instruction Fuzzy Hash: 70519671A002105FEB10AF28D88AF6A77E5FF45718F088058F955AF3D3DB71AD818B92

Function 008A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 008A1CC0
IsWindowEnabled.USER32 ref: 008A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 008A1CDB
IsIconic.USER32 ref: 008A1CE9
IsZoomed.USER32 ref: 008A1CF7

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e0ddde5982e175b01c31130dc27ed41b7884818cbe680aa16bd236ab9b8ab957
Instruction ID: 4eb90dddcd8b453d1d5717e66cdff3021b6b0b672833f54202957d932f8a96cc
Opcode Fuzzy Hash: e0ddde5982e175b01c31130dc27ed41b7884818cbe680aa16bd236ab9b8ab957
Instruction Fuzzy Hash: C02191317406119FFB208F2AC848B6A7BE5FF96324F198058E846CBA51DB71EC42CB95

Function 00818060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 008183FA
VUUU, xrefs: 00855DF0
VUUU, xrefs: 0081843C
VUUU, xrefs: 008183E8
ERCP, xrefs: 0081813C

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1a235cdec599ea831806ade56c68dcfc8ad3bb9819cefae649d12799d7f074b4
Instruction ID: f6ed3510bce12d766c6cdd333771aeedf7427cf30019443d3fedab949d82875c
Opcode Fuzzy Hash: 1a235cdec599ea831806ade56c68dcfc8ad3bb9819cefae649d12799d7f074b4
Instruction Fuzzy Hash: 6DA25770A0061ACBDF248F58C8957EEB7B6FF54315F6481AAEC15E7280EB309DD58B90

Function 0089A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0089A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0089A6BA

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Process32NextW.KERNEL32(00000000,?), ref: 0089A79C
CloseHandle.KERNEL32(00000000), ref: 0089A7AB

Part of subcall function 0082CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00853303,?), ref: 0082CE8A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: b269c36abb48937b0cb8bb7e731b5b9e10d71f503c6172d01cba5f1f0cac0740
Instruction ID: 0f08d981f3fe2be853bd64791ea702b4db2d24db2ba27e6c9137a4145dd5b283
Opcode Fuzzy Hash: b269c36abb48937b0cb8bb7e731b5b9e10d71f503c6172d01cba5f1f0cac0740
Instruction Fuzzy Hash: 0B515B71508310AFD714EF28D886AABBBE8FF89754F00492DF595D7252EB30D944CB92

Function 0087AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0087AAAC
SetKeyboardState.USER32(00000080), ref: 0087AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0087AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0087AB88

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 280e5ea90575dffde57b4b8e4e6c4a69fe3620f89f59212378426c982db2c3b6
Instruction ID: e4d89d304964572152231b3674b480ef13043c721d7f85924c2283f983d4e755
Opcode Fuzzy Hash: 280e5ea90575dffde57b4b8e4e6c4a69fe3620f89f59212378426c982db2c3b6
Instruction Fuzzy Hash: FD31F730A40208AEFB29CA64C845BFE77A6FBC5320F04C21AF199D61D9D375D985C752

Function 0088CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0088CE89
GetLastError.KERNEL32(?,00000000), ref: 0088CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0088CEFE

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 9ee61256e5bb22776ca1e2de2015163071ed9fff0ac9b8165960ae61222676c7
Instruction ID: b422cac32ce97d7bfca0a75494c64fafe71adddba90f3cd6573f66735f01e109
Opcode Fuzzy Hash: 9ee61256e5bb22776ca1e2de2015163071ed9fff0ac9b8165960ae61222676c7
Instruction Fuzzy Hash: 2B219DB1500305ABEB30EF65D949BA6B7F8FB50358F10441EE646D2151EBB4EE048BA0

Function 0087DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00855222), ref: 0087DBCE
GetFileAttributesW.KERNEL32(?), ref: 0087DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0087DBEE
FindClose.KERNEL32(00000000), ref: 0087DBFA

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 79a831e996f4b30caced9c8f08668536dbe092cf4ce4f53e7358f5e694f794f9
Instruction ID: a5513b44b347b5da32322c2e019c3d4919a364a96d2411595eb2213206444bc7
Opcode Fuzzy Hash: 79a831e996f4b30caced9c8f08668536dbe092cf4ce4f53e7358f5e694f794f9
Instruction Fuzzy Hash: 7BF0E530810A145792216B7CAC0D8AA37BCFF82334B108702F83AC26F0EBB49D54C6D5

Function 00878298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008782AA

Strings

|, xrefs: 008782DA
(, xrefs: 008782F0

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: b1c551b3c8f6aa29afe47a4d9b024d8d14073d6215883c6e1756e912cec1d72d
Instruction ID: 3e4315dace8ae9acd4099724091ef9217bdbc8a5c60c4521efc749b1b1417eac
Opcode Fuzzy Hash: b1c551b3c8f6aa29afe47a4d9b024d8d14073d6215883c6e1756e912cec1d72d
Instruction Fuzzy Hash: C3324474A00605DFCB28CF69C084A6AB7F0FF48710B15C56EE59ADB7A5EB70E981CB40

Function 00885C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00885CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00885D17
FindClose.KERNEL32(?), ref: 00885D5F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 87ad2f561730b3f88dfcfab1b30a861044489532d5319f3b54b0c881bb4fc5df
Instruction ID: bfa16de0fd5c0a47a935b305604b2fef47f2168c5a6dc33c218eb7ab6be4f3b9
Opcode Fuzzy Hash: 87ad2f561730b3f88dfcfab1b30a861044489532d5319f3b54b0c881bb4fc5df
Instruction Fuzzy Hash: 0C519A346046019FC714DF28C494A96B7E4FF49324F14856EE96ACB3A2DB30ED45CF91

Function 00842622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0084271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00842724
UnhandledExceptionFilter.KERNEL32(?), ref: 00842731

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 103fa85694bd72516340e633bdd5b210db18f47ea86ac3f5f0dc8958976afcae
Instruction ID: a0ae00a625feae205408cdc14a079cac187cab6c32ae06a0e1ce871dd22fdaa0
Opcode Fuzzy Hash: 103fa85694bd72516340e633bdd5b210db18f47ea86ac3f5f0dc8958976afcae
Instruction Fuzzy Hash: 0E31B47491122C9BCB21DF68DD897D9BBB8FF48310F5041EAE41CA6261E7709F818F85

Function 008851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00885238
SetErrorMode.KERNEL32(00000000), ref: 008852A1

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2fe51de855f3dbccc717290ded37f22176f4346a376850aa26a566f18cf970d8
Instruction ID: 7585707be00c5a8b2584deec7bc277720e4d3f5f659d68fb85b20328f20c49a1
Opcode Fuzzy Hash: 2fe51de855f3dbccc717290ded37f22176f4346a376850aa26a566f18cf970d8
Instruction Fuzzy Hash: 02312C75A00518DFDB00EF54D884EADBBB5FF49314F048099E805EB362DB31E856CB91

Function 008716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0082FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00830668
Part of subcall function 0082FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00830685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087173A
GetLastError.KERNEL32 ref: 0087174A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 6cb0b36ffa34f78da8796069cef562f9bd69daed3b34f624f37a3fd70ac4e7a4
Instruction ID: e4078a1d435ab052e038c9126f45bf5b16a499d4bed637ab125a941e1186aa11
Opcode Fuzzy Hash: 6cb0b36ffa34f78da8796069cef562f9bd69daed3b34f624f37a3fd70ac4e7a4
Instruction Fuzzy Hash: E41194B2414304AFE7189F58EC86D6AB7FDFB44754B20C52EE45697645EB70FC81CA20

Function 0087D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0087D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0087D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0087D650

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 9ad26a22901c90ecb58950b11e34daeca8fa1ba67a7f94928a92ab273f135e8d
Instruction ID: a0da2529d917954f9e4f02ee1a0bd0d96d93c8aa645376bdb232864b3f8e7822
Opcode Fuzzy Hash: 9ad26a22901c90ecb58950b11e34daeca8fa1ba67a7f94928a92ab273f135e8d
Instruction Fuzzy Hash: 9A113C75E05228BBEB108F959C45FAFBBBCFB46B50F108115F908E7294D6704A058BA1

Function 00871663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0087168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008716A1
FreeSid.ADVAPI32(?), ref: 008716B1

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b2854324620d84566f6a67ff1ab0393319830a64b2d3ce7f5be490a297d300a7
Instruction ID: 14f975cc50021222f181a54d3cae474063be1a0995d89ef05a3f1a12e43fa8df
Opcode Fuzzy Hash: b2854324620d84566f6a67ff1ab0393319830a64b2d3ce7f5be490a297d300a7
Instruction Fuzzy Hash: E3F0F47195030DFBEF00DFE49C89AAEBBBCFB08604F508565E501E2181E774AA448A50

Function 00834CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008428E9,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002,00000000,?,008428E9), ref: 00834D09
TerminateProcess.KERNEL32(00000000,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002,00000000,?,008428E9), ref: 00834D10
ExitProcess.KERNEL32 ref: 00834D22

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8ef01821f8f036cae25588a51b705d70280ff6fac22d2747f3c7e099c1b7a0f5
Instruction ID: 7af196af8871434e553504a1213941ad50d3e31595d4d9ee324f94e6eafbbe51
Opcode Fuzzy Hash: 8ef01821f8f036cae25588a51b705d70280ff6fac22d2747f3c7e099c1b7a0f5
Instruction Fuzzy Hash: AEE0B631000548ABDF51AF54DD09A593B69FB82781F104414FC05DA632DB39ED42DA80

Function 0084C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0084C36C

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: d5b75a9f670ab4333e76f5f203be4f8eb936f30b4c6397179d6338701cfe95eb
Instruction ID: 08cb46e46966d8ae9608b4682f3ff13189d3990d58538a36b181e94c5411aa49
Opcode Fuzzy Hash: d5b75a9f670ab4333e76f5f203be4f8eb936f30b4c6397179d6338701cfe95eb
Instruction Fuzzy Hash: CD41267690121DABCB209FB9CC89EBB77BCFB84314F504269F905D7280E6709D81CB50

Function 0086D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0086D28C

Strings

X64, xrefs: 0086D2A8

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: e0b270b6208a189c136f63fb34611c9d2dcd6390d35d155ccea51b54b2b2a23b
Instruction ID: 6e2c9c45aca7a1fd45289ba0722db5f21f1a33143aa9525a0e74249bd8353c5d
Opcode Fuzzy Hash: e0b270b6208a189c136f63fb34611c9d2dcd6390d35d155ccea51b54b2b2a23b
Instruction Fuzzy Hash: EBD0C9B580166DEACB90CB90EC88DD9B77CFB14309F100151F106E2100DB3095488F10

Function 0083CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: c7ae74d5d22689fed4a7c95cebbc19c7bd414f0fb8af528d0a07f731c6078236
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 3E020D72E012199BDF14CFA9D8806ADFBF1FF88314F258169E919F7384D731AA418B94

Function 008868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00886918
FindClose.KERNEL32(00000000), ref: 00886961

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d367d2b83307971664c84a3a53e29c01c8e3d1d7063b31b51c89d007407b45ca
Instruction ID: fd57118e21a5d73800ea0b5f37bd52bfdaf92c5d90442436a58cd6d74e35f3a2
Opcode Fuzzy Hash: d367d2b83307971664c84a3a53e29c01c8e3d1d7063b31b51c89d007407b45ca
Instruction Fuzzy Hash: E2119D316042009FD710DF29D888A16BBE5FF89328F14C6A9E469CF7A2DB34EC45CB91

Function 008837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00894891,?,?,00000035,?), ref: 008837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00894891,?,?,00000035,?), ref: 008837F4

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 87765843a1d4124d5378435e8f4687db31fa9b4a28ef0d21bc4334f4fa797f88
Instruction ID: a66c83bad438ab707e690397428537efb982b10e193aeac3b4626188b74d48df
Opcode Fuzzy Hash: 87765843a1d4124d5378435e8f4687db31fa9b4a28ef0d21bc4334f4fa797f88
Instruction Fuzzy Hash: FDF0E5B06042282AEB20276A8C4DFEB3AAEFFC5B61F000175F509D2281D9609944C7B1

Function 0087B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0087B25D
keybd_event.USER32(?,7608C0D0,?,00000000), ref: 0087B270

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 524051892c3e4d217c366adbda91792be568011263a177677af199572bb8bb55
Instruction ID: 56517607f4ed18f5ec4bb18be493a894ea84a9584e88959372fc318eca270a43
Opcode Fuzzy Hash: 524051892c3e4d217c366adbda91792be568011263a177677af199572bb8bb55
Instruction Fuzzy Hash: 25F01D7181424DABEB059FA4C805BBE7BB5FF05309F048009F955E6192C379C6119F94

Function 008710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008711FC), ref: 008710D4
CloseHandle.KERNEL32(?,?,008711FC), ref: 008710E9

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ba024cf3b59636e1b60abc89ab23d9b838f89029e1a769683311aa55b6873d28
Instruction ID: 159ef090f17797ad386ea1fd1ec5875bef9ec8d238261c917be51bd0882b5e4d
Opcode Fuzzy Hash: ba024cf3b59636e1b60abc89ab23d9b838f89029e1a769683311aa55b6873d28
Instruction Fuzzy Hash: 9BE04F32004610AEFB252B15FC09E7377A9FF04310B10882DF5A6C08B1DB62ACD0DB10

Function 0081CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00860C40

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 2cf65bec563f18eaa13ec5b44cc8c90015ef6777e7ee79fb5ee412a760fa9c2e
Instruction ID: b774454dddc28c2762a82b47238c4f3cf5f0ae51ef3b2919cd4d3d47a5c8a9b0
Opcode Fuzzy Hash: 2cf65bec563f18eaa13ec5b44cc8c90015ef6777e7ee79fb5ee412a760fa9c2e
Instruction Fuzzy Hash: BC328D70940218DBCF14DF94D881AEEB7B9FF05308F148159E806EB292DB75AE86CF65

Function 0084676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00846766,?,?,00000008,?,?,0084FEFE,00000000), ref: 00846998

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: cea1b9150f361c659902684389e7058cd1410a48798386b4049c0cef99ba48e3
Instruction ID: a642d05dabaa7eb16fe400253d06f9fa970551e5c75dc5a04351955ebeed5247
Opcode Fuzzy Hash: cea1b9150f361c659902684389e7058cd1410a48798386b4049c0cef99ba48e3
Instruction Fuzzy Hash: 8AB13B3161060D9FD715CF28C486B657FE0FF46368F298658E899CF2A2D335E9A1CB41

Function 0082B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0086851F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b212818d0b91b5ed7220222ddd69c2db6764735fc6f747ef757894932280415e
Instruction ID: 216920d801b8118a1d463272249d7e407a4e92af7020281f7621547972a460bb
Opcode Fuzzy Hash: b212818d0b91b5ed7220222ddd69c2db6764735fc6f747ef757894932280415e
Instruction Fuzzy Hash: CC125D71900229DBDB24DF58D880AEEB7F5FF48710F15819AE849EB355DB309E81CB94

Function 0088EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0088EABD

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ce588ee29a22f8555bbf39b71dd1544767d069b9a1f00d930e07580c95f61921
Instruction ID: 4c512078564a12f03963e9a6c230394c3ca346c48f19accb7df23dd2d3d3de31
Opcode Fuzzy Hash: ce588ee29a22f8555bbf39b71dd1544767d069b9a1f00d930e07580c95f61921
Instruction Fuzzy Hash: F8E01A312002149FD710EF59D804E9AB7EDFFA8760F00841AFC49C7251DAB0E8818B91

Function 008309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008303EE), ref: 008309DA

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bc919a8e2cf1ceac08001761b7f7edd08c4a54187c05fa91ea0ebd217892c5ff
Instruction ID: 20df7bdd77c022cd690da5cce05f22b331c7ac8e80e7d5dd8941b7f5ca93258c
Opcode Fuzzy Hash: bc919a8e2cf1ceac08001761b7f7edd08c4a54187c05fa91ea0ebd217892c5ff
Instruction Fuzzy Hash:

Function 0083781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0083798B

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 1b49fa875631ea889c9f200ae6ab626512ab636b6a6e1c4dc23dc3387ca48c4d
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4D516AE160C749ABDB38552C845E7BE67C5FBD2304F180A39ED82D7682C619DE01D3DA

Function 00846DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e1d9d38be0a9137e8619b6063ed8a4132fdc80d7ecd34337e1c466149c9185
Instruction ID: fb81b05b4a5898cfc4bd33b73685602ab858eaa4dee5a6eccf17f0bd3b4e6417
Opcode Fuzzy Hash: f8e1d9d38be0a9137e8619b6063ed8a4132fdc80d7ecd34337e1c466149c9185
Instruction Fuzzy Hash: 6B320222D29F454DDB239635C822336A749FFB73C5F15D737E81AB5AA6EB29C4834100

Function 0082CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b262e182013ceb25a29c1af994b5f9018ca2059bb18a7ebe52985b5d463533fa
Instruction ID: e906d5ca14522cfc8a7d248986f17f46b357e028a35781b065360528bcd43354
Opcode Fuzzy Hash: b262e182013ceb25a29c1af994b5f9018ca2059bb18a7ebe52985b5d463533fa
Instruction Fuzzy Hash: 10323572A001698BCF28CF69D89467D7BA1FB45314F2A816BD8CACB391D734DE81DB41

Function 00817920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14dbff544eec10fa68162d9ad5c32163196a4b88b4ec1eb9c356d5525aef319b
Instruction ID: 5a218a5b98cbf5a3f3e2b22221fd1c0603517c14f7f049625c065a6a9635e500
Opcode Fuzzy Hash: 14dbff544eec10fa68162d9ad5c32163196a4b88b4ec1eb9c356d5525aef319b
Instruction Fuzzy Hash: 5222BFB0A04609DFDF14CF68D891AEEB7F9FF44314F204229E816E7291EB369994CB51

Function 008191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6ea4a35de5fcdd311dd812fc9436907cbd5519426ca7c4b12ef6e750777b70
Instruction ID: f2290b465aeb1debf81ef7d1a53a3e6021522a065d55491f560358989eb0f6d7
Opcode Fuzzy Hash: 2d6ea4a35de5fcdd311dd812fc9436907cbd5519426ca7c4b12ef6e750777b70
Instruction Fuzzy Hash: 9802D6B0E00119EBDB09DF68D981AAEB7B5FF44304F118169E856DB391EB31EE54CB81

Function 00831C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 7233a08605e71bea38fa3afce6ea0a94e46470858d457775c56973dc14477149
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 5F9178722090A349DF69463A857C03DFFE1FAD2BA1B1A079DD8F2CA1C1EE14C554D660

Function 008319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 5bd3cfd7bc3e020fdd26fb9e58f3014ff24f0365b232043a65fa3e5129125459
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 7D9153722090A34ADF69427A857C03DFFE1EAD2BB6B1A079DD4F2CA1C1FE1485649660

Function 00837A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8993e98e8b2801585ff3f3187af8f14567d2554357156b8ec6b6aaecf81f46
Instruction ID: 4fbabdcf2a005b60049a13f9edfb7f1fe59e270673dbdfca2964a3941707b248
Opcode Fuzzy Hash: cf8993e98e8b2801585ff3f3187af8f14567d2554357156b8ec6b6aaecf81f46
Instruction Fuzzy Hash: B16179F1208719A6DE349A2C8CA5BBEA3A4FFC1764F140D1AF943DB281D651DE42C3D6

Function 00837CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9559d90bb9049eccd817f4316904b2ed2e513dd0ade78bf26166ee9bc437f90
Instruction ID: d3cf7b5636e3d43d6c2b852d1beb03d554085a51f0154096a168c26123895f35
Opcode Fuzzy Hash: f9559d90bb9049eccd817f4316904b2ed2e513dd0ade78bf26166ee9bc437f90
Instruction Fuzzy Hash: A6616AF160C709A6DE389A2C9895BBF2398FFC1B04F100959F943DB285EA52DD4287D6

Function 00831706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d51ebd215d6352ae5dd3ae154b35713014a6449aa6e73c61c95f9234e349808
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: BF8184326090A309DF6D423A857C03EFFE1FAD2BA1B1A07ADD4F2CA1C5EE148554D6A0

Function 00882046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8e22dd85afc12a18eb60b4e5f0048fc0c44146c458c4b43d3fbc42cbf757af
Instruction ID: a67522e40ed37fcac2a56266aa90503e2a321e6c27a394e4c52d64206fd4cf85
Opcode Fuzzy Hash: 2c8e22dd85afc12a18eb60b4e5f0048fc0c44146c458c4b43d3fbc42cbf757af
Instruction Fuzzy Hash: B021A8326206518BDB28CE79C85267A73E9F7A4310F15862EE4A7C77D0DE75A904CB80

Function 00892ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00892B30
DeleteObject.GDI32(00000000), ref: 00892B43
DestroyWindow.USER32 ref: 00892B52
GetDesktopWindow.USER32 ref: 00892B6D
GetWindowRect.USER32(00000000), ref: 00892B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00892CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00892CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892CF8
GetClientRect.USER32(00000000,?), ref: 00892D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00892D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D80
GlobalLock.KERNEL32(00000000), ref: 00892D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D98
GlobalUnlock.KERNEL32(00000000), ref: 00892DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892DA8
GlobalFree.KERNEL32(00000000), ref: 00892DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,008AFC38,00000000), ref: 00892DDB
GlobalFree.KERNEL32(00000000), ref: 00892DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00892E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00892E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0089303F

Strings

DISPLAY, xrefs: 00892EA2
, xrefs: 00892FC5
AutoIt v3, xrefs: 00892CF2
static, xrefs: 00892D3A, 00892E91

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: fb38228d3c29fa54fdc59c342f3c8957a2f56fe094ee84cab5c3e5862b1c95e9
Instruction ID: 97de340f9f6b83ed04b2b2090e0cfc9363d2345b27cc8e2e4d2abfcd90d07a1e
Opcode Fuzzy Hash: fb38228d3c29fa54fdc59c342f3c8957a2f56fe094ee84cab5c3e5862b1c95e9
Instruction Fuzzy Hash: 04025B71A00209AFDB14DF68CC89EAE7BB9FF49714F048158F915EB2A1DB74AD41CB60

Function 008A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 008A712F
GetSysColorBrush.USER32(0000000F), ref: 008A7160
GetSysColor.USER32(0000000F), ref: 008A716C
SetBkColor.GDI32(?,000000FF), ref: 008A7186
SelectObject.GDI32(?,?), ref: 008A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 008A71C0
GetSysColor.USER32(00000010), ref: 008A71C8
CreateSolidBrush.GDI32(00000000), ref: 008A71CF
FrameRect.USER32(?,?,00000000), ref: 008A71DE
DeleteObject.GDI32(00000000), ref: 008A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 008A7230
FillRect.USER32(?,?,?), ref: 008A7262
GetWindowLongW.USER32(?,000000F0), ref: 008A7284

Part of subcall function 008A73E8: GetSysColor.USER32(00000012), ref: 008A7421
Part of subcall function 008A73E8: SetTextColor.GDI32(?,?), ref: 008A7425
Part of subcall function 008A73E8: GetSysColorBrush.USER32(0000000F), ref: 008A743B
Part of subcall function 008A73E8: GetSysColor.USER32(0000000F), ref: 008A7446
Part of subcall function 008A73E8: GetSysColor.USER32(00000011), ref: 008A7463
Part of subcall function 008A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 008A7471
Part of subcall function 008A73E8: SelectObject.GDI32(?,00000000), ref: 008A7482
Part of subcall function 008A73E8: SetBkColor.GDI32(?,00000000), ref: 008A748B
Part of subcall function 008A73E8: SelectObject.GDI32(?,?), ref: 008A7498
Part of subcall function 008A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008A74B7
Part of subcall function 008A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008A74CE
Part of subcall function 008A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008A74DB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 3c091f863a962e71a69258c6d353ef8aa0c64ada297efd57dcfa18cab1d331d4
Instruction ID: b3bb462dd0ce0a7ae6662ff588936cfd1ad9fdde6cffd59e1b205db197554190
Opcode Fuzzy Hash: 3c091f863a962e71a69258c6d353ef8aa0c64ada297efd57dcfa18cab1d331d4
Instruction Fuzzy Hash: E5A1B172508301AFEB009F64DC48E6B7BE9FF4A320F100A19FA62D65E1D771E944DB51

Function 00828D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00828E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00866AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00866AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00866F43

Part of subcall function 00828F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00828BE8,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 00828FC5

SendMessageW.USER32(?,00001053), ref: 00866F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00866F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00866FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00866FB7

Strings

0, xrefs: 00866DCF

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 0dd8709217487b3a66ea32c62c09df53a7ab02f650b81c5a8a3a299a4e8895ff
Instruction ID: b70db125fb125cf0974ab0f53f6bc23a8959cc2a06a46a60c42d7903aff38419
Opcode Fuzzy Hash: 0dd8709217487b3a66ea32c62c09df53a7ab02f650b81c5a8a3a299a4e8895ff
Instruction Fuzzy Hash: 9112CD34201291DFDB25DF28D888BA9BBE1FB45310F564069F485CB662DB32ECA1CF91

Function 00892711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0089273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0089286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00892900
GetClientRect.USER32(00000000,?), ref: 0089290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00892955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00892964
GetStockObject.GDI32(00000011), ref: 00892974
SelectObject.GDI32(00000000,00000000), ref: 00892978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00892988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00892991
DeleteDC.GDI32(00000000), ref: 0089299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00892A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00892A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00892A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00892A77
GetStockObject.GDI32(00000011), ref: 00892A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00892A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00892A97

Strings

DISPLAY, xrefs: 0089295A
msctls_progress32, xrefs: 00892A13
AutoIt v3, xrefs: 008928F8
static, xrefs: 0089294F, 00892A71

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 6a9f505a4b66626d54d2ff73e0a16dbd40530a03a39c8a3c252f0940388148a9
Instruction ID: b82ab0379efe228cf936f22c1adff8984c37dd5cce674eb522ec3d48bd23b061
Opcode Fuzzy Hash: 6a9f505a4b66626d54d2ff73e0a16dbd40530a03a39c8a3c252f0940388148a9
Instruction Fuzzy Hash: F1B13B71A00219BFEB14DFA8DC89EAE7BA9FB09714F044115F915EB690D774AD40CBA0

Function 00884ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00884AED
GetDriveTypeW.KERNEL32(?,008ACB68,?,\\.\,008ACC08), ref: 00884BCA
SetErrorMode.KERNEL32(00000000,008ACB68,?,\\.\,008ACC08), ref: 00884D36

Strings

Virtual, xrefs: 00884CE5
PhysicalDrive, xrefs: 00884B76
SSA, xrefs: 00884CA6
Fibre, xrefs: 00884CAD
Unknown, xrefs: 00884BED, 00884C83
1394, xrefs: 00884C9F
Removable, xrefs: 00884C10, 00884C15
CDROM, xrefs: 00884BFB
MMC, xrefs: 00884CDE
USB, xrefs: 00884CB4
iSCSI, xrefs: 00884CC2
ATA, xrefs: 00884C98
Fixed, xrefs: 00884C09
Network, xrefs: 00884C02
RAMDisk, xrefs: 00884BF4
SCSI, xrefs: 00884C8A
ATAPI, xrefs: 00884C91
SATA, xrefs: 00884CD0
\\.\, xrefs: 00884B3F
FileBackedVirtual, xrefs: 00884CEC
SAS, xrefs: 00884CC9
SSD, xrefs: 00884C4A
RAID, xrefs: 00884CBB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 13044c364e687491ff0567171906d62c29cfe5205508f9b38f939749b4c56ecf
Instruction ID: 3b938c1218e075d32656273d48aea033e0317bb83a3a611492774d76d5b181e8
Opcode Fuzzy Hash: 13044c364e687491ff0567171906d62c29cfe5205508f9b38f939749b4c56ecf
Instruction Fuzzy Hash: 7761B23260120F9BCB04EF58D9819A8B7BAFF04304B249116F816EB751EB7AED51DB42

Function 008A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 008A7421
SetTextColor.GDI32(?,?), ref: 008A7425
GetSysColorBrush.USER32(0000000F), ref: 008A743B
GetSysColor.USER32(0000000F), ref: 008A7446
CreateSolidBrush.GDI32(?), ref: 008A744B
GetSysColor.USER32(00000011), ref: 008A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 008A7471
SelectObject.GDI32(?,00000000), ref: 008A7482
SetBkColor.GDI32(?,00000000), ref: 008A748B
SelectObject.GDI32(?,?), ref: 008A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 008A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 008A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 008A7572
DrawFocusRect.USER32(?,?), ref: 008A757D
GetSysColor.USER32(00000011), ref: 008A758E
SetTextColor.GDI32(?,00000000), ref: 008A7596
DrawTextW.USER32(?,008A70F5,000000FF,?,00000000), ref: 008A75A8
SelectObject.GDI32(?,?), ref: 008A75BF
DeleteObject.GDI32(?), ref: 008A75CA
SelectObject.GDI32(?,?), ref: 008A75D0
DeleteObject.GDI32(?), ref: 008A75D5
SetTextColor.GDI32(?,?), ref: 008A75DB
SetBkColor.GDI32(?,?), ref: 008A75E5

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: a2cecfe8b0b87c1760d90dd536873bcc42c6c7f17d0181c6989a7571c5ad5a81
Instruction ID: d812d1d982f2d7ba4756ad21e3d3513c687a419f784319ecacbfbd3f006acec0
Opcode Fuzzy Hash: a2cecfe8b0b87c1760d90dd536873bcc42c6c7f17d0181c6989a7571c5ad5a81
Instruction Fuzzy Hash: 7D615C72D04218AFEF019FA4DC49EAEBFB9FF0A320F114125F915AB6A1D7749940DB90

Function 008A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008A1128
GetDesktopWindow.USER32 ref: 008A113D
GetWindowRect.USER32(00000000), ref: 008A1144
GetWindowLongW.USER32(?,000000F0), ref: 008A1199
DestroyWindow.USER32(?), ref: 008A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 008A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 008A1245
IsWindowVisible.USER32(00000000), ref: 008A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008A12D0
GetWindowRect.USER32(00000000,?), ref: 008A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 008A130E
GetMonitorInfoW.USER32(00000000,?), ref: 008A1328
CopyRect.USER32(?,?), ref: 008A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008A13AA

Strings

tooltips_class32, xrefs: 008A11E6
(, xrefs: 008A131B
0, xrefs: 008A10D3

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6078defceadd444b0d5eac0661c077c7b7f743519df4ea511750deaef69ae3f7
Instruction ID: f32fd2b9dbf027f38fc0329020a0550b3bec858c9ad43adfe1e9bf9026f1051b
Opcode Fuzzy Hash: 6078defceadd444b0d5eac0661c077c7b7f743519df4ea511750deaef69ae3f7
Instruction Fuzzy Hash: EBB18F71608341AFEB04DF64C888BAABBE5FF85354F00891CF999DB661D771D844CB92

Function 008A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008A02E5
_wcslen.LIBCMT ref: 008A031F
_wcslen.LIBCMT ref: 008A0389
_wcslen.LIBCMT ref: 008A03F1
_wcslen.LIBCMT ref: 008A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008A0504

Part of subcall function 0082F9F2: _wcslen.LIBCMT ref: 0082F9FD

Part of subcall function 0087223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00872258
Part of subcall function 0087223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0087228A

Strings

VIEWCHANGE, xrefs: 008A0675
SELECT, xrefs: 008A0548
GETITEMCOUNT, xrefs: 008A0316, 008A0337
SELECTALL, xrefs: 008A0515
GETSELECTED, xrefs: 008A05E1
GETTEXT, xrefs: 008A03EC, 008A0407
GETSELECTEDCOUNT, xrefs: 008A0470, 008A048B
SELECTINVERT, xrefs: 008A057E
GETSUBITEMCOUNT, xrefs: 008A0384, 008A039F
ISSELECTED, xrefs: 008A04DD
SELECTCLEAR, xrefs: 008A052D
DESELECT, xrefs: 008A059C
FINDITEM, xrefs: 008A0627

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 09b276eeecea602e576756d59865e695911b348fca23d2618e27e5b1246b0c47
Instruction ID: f33c497cf582ca8cd97deacdc8d61a415176e0587becb6d26c055dbf7b783994
Opcode Fuzzy Hash: 09b276eeecea602e576756d59865e695911b348fca23d2618e27e5b1246b0c47
Instruction Fuzzy Hash: DEE19F312083018FD714DF28C45096AB7E6FF99318B544A6DF896DB7A6DB30ED85CB82

Function 00828891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00828968
GetSystemMetrics.USER32(00000007), ref: 00828970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0082899B
GetSystemMetrics.USER32(00000008), ref: 008289A3
GetSystemMetrics.USER32(00000004), ref: 008289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00828A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00828A3C
GetClientRect.USER32(00000000,000000FF), ref: 00828A5A
GetStockObject.GDI32(00000011), ref: 00828A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00828A81

Part of subcall function 0082912D: GetCursorPos.USER32(?), ref: 00829141
Part of subcall function 0082912D: ScreenToClient.USER32(00000000,?), ref: 0082915E
Part of subcall function 0082912D: GetAsyncKeyState.USER32(00000001), ref: 00829183
Part of subcall function 0082912D: GetAsyncKeyState.USER32(00000002), ref: 0082919D

SetTimer.USER32(00000000,00000000,00000028,008290FC), ref: 00828AA8

Strings

AutoIt v3 GUI, xrefs: 00828A20
f805405, xrefs: 008667BA

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$f805405
API String ID: 1458621304-577219050
Opcode ID: c12aa51b12f59f5462cc10dacfffccd3633a8e39af7e303ac20828ef0b44f318
Instruction ID: 1e7d297346fd8879c6207814d3185916310917603fdfc47effda89773e7b3b84
Opcode Fuzzy Hash: c12aa51b12f59f5462cc10dacfffccd3633a8e39af7e303ac20828ef0b44f318
Instruction Fuzzy Hash: 6DB18B31A00259DFDF14DFA8DC89BAE7BB5FB49314F114229FA15EB290DB34A880CB51

Function 00870D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00871114
Part of subcall function 008710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871120
Part of subcall function 008710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 0087112F
Part of subcall function 008710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871136
Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0087114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00870DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00870E29
GetLengthSid.ADVAPI32(?), ref: 00870E40
GetAce.ADVAPI32(?,00000000,?), ref: 00870E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00870E96
GetLengthSid.ADVAPI32(?), ref: 00870EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00870EB5
HeapAlloc.KERNEL32(00000000), ref: 00870EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00870EDD
CopySid.ADVAPI32(00000000), ref: 00870EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00870F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00870F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00870F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870F6E
HeapFree.KERNEL32(00000000), ref: 00870F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870F7E
HeapFree.KERNEL32(00000000), ref: 00870F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870F8E
HeapFree.KERNEL32(00000000), ref: 00870F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00870FA1
HeapFree.KERNEL32(00000000), ref: 00870FA8

Part of subcall function 00871193: GetProcessHeap.KERNEL32(00000008,00870BB1,?,00000000,?,00870BB1,?), ref: 008711A1
Part of subcall function 00871193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00870BB1,?), ref: 008711A8
Part of subcall function 00871193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00870BB1,?), ref: 008711B7

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8a70958244e7b9b1ea89b5fb30c31362f84d88e68bfe1bde3e9cc2b40f376da3
Instruction ID: b14e1bf5757deb1027f0da04fe830cea0fb39076fccd182a9704b252bed59697
Opcode Fuzzy Hash: 8a70958244e7b9b1ea89b5fb30c31362f84d88e68bfe1bde3e9cc2b40f376da3
Instruction Fuzzy Hash: BB712A7290020AEBEF20DFA4DC49BAEBBB8FF05310F148115E959E6195DB71D905CF60

Function 0089C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,008ACC08,00000000,?,00000000,?,?), ref: 0089C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0089C5A4
_wcslen.LIBCMT ref: 0089C5F4
_wcslen.LIBCMT ref: 0089C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0089C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0089C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0089C84D
RegCloseKey.ADVAPI32(?), ref: 0089C881
RegCloseKey.ADVAPI32(00000000), ref: 0089C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0089C960

Strings

REG_QWORD, xrefs: 0089C8C3
REG_MULTI_SZ, xrefs: 0089C6F5
REG_EXPAND_SZ, xrefs: 0089C5CD
REG_DWORD, xrefs: 0089C804
REG_BINARY, xrefs: 0089C913
REG_SZ, xrefs: 0089C644

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: da3944f245afa2103031d11ccd8b8450610f40f5cbd4dd0eea6979938f6140de
Instruction ID: 3592cf677bd1fdb2f3707b7949aa76978518516d903c92e6b052dafad841fb20
Opcode Fuzzy Hash: da3944f245afa2103031d11ccd8b8450610f40f5cbd4dd0eea6979938f6140de
Instruction Fuzzy Hash: 39124C356042019FDB14EF18C891A6AB7E5FF88714F09885DF85ADB3A2DB31ED41CB82

Function 008A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008A09C6
_wcslen.LIBCMT ref: 008A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008A0A54
_wcslen.LIBCMT ref: 008A0A8A
_wcslen.LIBCMT ref: 008A0B06
_wcslen.LIBCMT ref: 008A0B81

Part of subcall function 0082F9F2: _wcslen.LIBCMT ref: 0082F9FD

Part of subcall function 00872BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00872BFA

Strings

COLLAPSE, xrefs: 008A0B01, 008A0B1C
GETTOTALCOUNT, xrefs: 008A09F2, 008A0A17
SELECT, xrefs: 008A0D11
GETITEMCOUNT, xrefs: 008A0C1E
CHECK, xrefs: 008A0A85, 008A0AA0
EXPAND, xrefs: 008A0BF8
ISCHECKED, xrefs: 008A0CE1
EXISTS, xrefs: 008A0B7C, 008A0B97
GETSELECTED, xrefs: 008A0C4E
UNCHECK, xrefs: 008A0D3E
GETTEXT, xrefs: 008A0C97

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 716e9a4005f01f64d5895b919b6b49adda69139083b3da1deea875496948c684
Instruction ID: d2534ad2d83b0b296e046ab743acea7ecfaecec67bae64dd29afc931086d326d
Opcode Fuzzy Hash: 716e9a4005f01f64d5895b919b6b49adda69139083b3da1deea875496948c684
Instruction Fuzzy Hash: C2E16A312083118FD714DF28C45096AB7E2FF99314B148A5DF896DB7A2D731ED86CB92

Function 0089C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
_wcslen.LIBCMT ref: 0089C9F1
_wcslen.LIBCMT ref: 0089CA68
_wcslen.LIBCMT ref: 0089CA9E
_wcslen.LIBCMT ref: 0089CAF9
_wcslen.LIBCMT ref: 0089CB2F
_wcslen.LIBCMT ref: 0089CB7F

Strings

HKEY_USERS, xrefs: 0089CBDF
HKEY_CURRENT_CONFIG, xrefs: 0089CB79, 0089CB7E
HKEY_CURRENT_USER, xrefs: 0089CBBD
HKEY_CLASSES_ROOT, xrefs: 0089CAF3, 0089CAF8
HKEY_LOCAL_MACHINE, xrefs: 0089CA62, 0089CA67
HKLM, xrefs: 0089CA98, 0089CA9D
HKCU, xrefs: 0089CBCE
HKU, xrefs: 0089CBF0
HKCC, xrefs: 0089CBAC
HKCR, xrefs: 0089CB29, 0089CB2E

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a3bd66c0332dd3843bc65499351af19d5925b0f863c407315e2162c468fa2866
Instruction ID: e2dcc496cbc453e223f1c7aac6548b2724d889f6aeb33e00598e37133f5a0db2
Opcode Fuzzy Hash: a3bd66c0332dd3843bc65499351af19d5925b0f863c407315e2162c468fa2866
Instruction Fuzzy Hash: D371F27260016A8BCF20EE6CCD515BE3795FFA0764F590629F856D7284F636CD84C3A1

Function 008A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008A835A
_wcslen.LIBCMT ref: 008A836E
_wcslen.LIBCMT ref: 008A8391
_wcslen.LIBCMT ref: 008A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,008A5BF2), ref: 008A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008A8501
FreeLibrary.KERNEL32(?), ref: 008A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008A851D
DestroyIcon.USER32(?,?,?,?,?,008A5BF2), ref: 008A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 008A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 008A8555

Strings

.dll, xrefs: 008A83AB
.icl, xrefs: 008A8368
.exe, xrefs: 008A8388

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 8d802d9fe56fe3c04bd826e91ae5089fb377b311fc1d91e6e1ec46e38be62a71
Instruction ID: 4b2ebc5ca45f76d45d4bc894b703365abf446d762a3b20b491cd2aba7895bf4b
Opcode Fuzzy Hash: 8d802d9fe56fe3c04bd826e91ae5089fb377b311fc1d91e6e1ec46e38be62a71
Instruction Fuzzy Hash: 7461BD71900219FEFB14DF68CC45BBE77A8FB09B21F104609F815D65D1EBB4A990CBA0

Function 00817778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 00817847
#pragma compile, xrefs: 008177D3
#cs, xrefs: 00817873, 008178C5
#requireadmin, xrefs: 008177FF
#include-once, xrefs: 0081782F
#ce, xrefs: 008178ED
", xrefs: 00855153
Bad directive syntax error, xrefs: 0085519A
#notrayicon, xrefs: 008177E7
Unterminated group of comments, xrefs: 0085528C
#comments-start, xrefs: 0081785F, 008178B1
#OnAutoItStartRegister, xrefs: 00817817
Cannot parse #include, xrefs: 00855279
#comments-end, xrefs: 008178D9
', xrefs: 00855169

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: b1c08729b429f8810a4eee1993ea708213cf13da3cf7ef4d43581a1401bbeeeb
Instruction ID: 921aab522a8fcdf0d3e9c881b381441dd966d4d0b9977d0fc1bf432ed46209bd
Opcode Fuzzy Hash: b1c08729b429f8810a4eee1993ea708213cf13da3cf7ef4d43581a1401bbeeeb
Instruction Fuzzy Hash: CF81F471644605ABDB20AF64DC52FEE3BB8FF55300F044428FD05EA292EB74D985C7A2

Function 00875A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00875A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00875A40
SetWindowTextW.USER32(?,?), ref: 00875A57
GetDlgItem.USER32(?,000003EA), ref: 00875A6C
SetWindowTextW.USER32(00000000,?), ref: 00875A72
GetDlgItem.USER32(?,000003E9), ref: 00875A82
SetWindowTextW.USER32(00000000,?), ref: 00875A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00875AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00875AC3
GetWindowRect.USER32(?,?), ref: 00875ACC
_wcslen.LIBCMT ref: 00875B33
SetWindowTextW.USER32(?,?), ref: 00875B6F
GetDesktopWindow.USER32 ref: 00875B75
GetWindowRect.USER32(00000000), ref: 00875B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00875BD3
GetClientRect.USER32(?,?), ref: 00875BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00875C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00875C2F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 5ec44f65475793e90bbb4036ddc8eaa5710ffb147dcc64e457d2cec6093d6857
Instruction ID: decb5fe27f74074c58b1c895b8db9e27d5c8acc989b14fc29134acc17d1be862
Opcode Fuzzy Hash: 5ec44f65475793e90bbb4036ddc8eaa5710ffb147dcc64e457d2cec6093d6857
Instruction Fuzzy Hash: F9715E31900B09AFDB20DFA8CE85BAEBBF5FF48714F108918E546E25A4D7B5E944CB50

Function 008300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008300C6

Part of subcall function 008300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(008E070C,00000FA0,942146AE,?,?,?,?,008523B3,000000FF), ref: 0083011C
Part of subcall function 008300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008523B3,000000FF), ref: 00830127
Part of subcall function 008300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008523B3,000000FF), ref: 00830138
Part of subcall function 008300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0083014E
Part of subcall function 008300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0083015C
Part of subcall function 008300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0083016A
Part of subcall function 008300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00830195
Part of subcall function 008300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008301A0

___scrt_fastfail.LIBCMT ref: 008300E7

Part of subcall function 008300A3: __onexit.LIBCMT ref: 008300A9

Strings

kernel32.dll, xrefs: 00830133
InitializeConditionVariable, xrefs: 00830148
SleepConditionVariableCS, xrefs: 00830154
WakeAllConditionVariable, xrefs: 00830162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00830122

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: c3c251404636fc06099979f8c8149035b012c3da4daf9f894b0b6eea584d1319
Instruction ID: 17f7e1443fda2fa0ec677dcbb0946c34fabf2283feb8192e018bf8bff7dc3f86
Opcode Fuzzy Hash: c3c251404636fc06099979f8c8149035b012c3da4daf9f894b0b6eea584d1319
Instruction Fuzzy Hash: C1212932A44710ABF7216BA4AC55B2E37E4FB86B51F000539F911E6B92DFB89C40CED1

Function 008730F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0087318D
_wcslen.LIBCMT ref: 008731F8

Strings

INSTANCE, xrefs: 00873453
CLASS, xrefs: 00873188, 008731A5
NAME, xrefs: 00873335, 00873346
REGEXPCLASS, xrefs: 00873255, 00873266
CLASSNN, xrefs: 008731F3, 00873204
TEXT, xrefs: 0087347C

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 5ff9bb487eed4c1260b589676875ebbb50853c8ae9d75f33325765451c1b2c43
Instruction ID: a8903310516f2ce972266f22efa0093a4803da8f92431e932c1f5783b1840bc8
Opcode Fuzzy Hash: 5ff9bb487eed4c1260b589676875ebbb50853c8ae9d75f33325765451c1b2c43
Instruction Fuzzy Hash: 97E1F632A00516ABCB18DFB8C4516EDBBB4FF54710F54C22AE45AF7244DB30EE85A792

Function 008844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,008ACC08), ref: 00884527
_wcslen.LIBCMT ref: 0088453B
_wcslen.LIBCMT ref: 00884599
_wcslen.LIBCMT ref: 008845F4
_wcslen.LIBCMT ref: 0088463F
_wcslen.LIBCMT ref: 008846A7

Part of subcall function 0082F9F2: _wcslen.LIBCMT ref: 0082F9FD

GetDriveTypeW.KERNEL32(?,008D6BF0,00000061), ref: 00884743

Strings

removable, xrefs: 008845EA, 008845EF
cdrom, xrefs: 0088458F, 00884594
unknown, xrefs: 00884708
fixed, xrefs: 00884635, 0088463A
ramdisk, xrefs: 008846F1
network, xrefs: 0088469D, 008846A2
all, xrefs: 00884531, 00884536

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 64c53274bc7adf205780037e0ddd82cbe532501d1841743233fa42873b4ba216
Instruction ID: 1795809cc986bef12928970d469b6e2a3ffc1338b9a9737f148706994aad65aa
Opcode Fuzzy Hash: 64c53274bc7adf205780037e0ddd82cbe532501d1841743233fa42873b4ba216
Instruction Fuzzy Hash: D6B1D2326083029FC710EF28C890A6EB7E5FFA5764F505A1DF596C7291E730D985CB92

Function 0089AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0089B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0089B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0089B1D4
_wcslen.LIBCMT ref: 0089B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0089B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0089B236
_wcslen.LIBCMT ref: 0089B332

Part of subcall function 008805A7: GetStdHandle.KERNEL32(000000F6), ref: 008805C6

_wcslen.LIBCMT ref: 0089B34B
_wcslen.LIBCMT ref: 0089B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0089B3B6
GetLastError.KERNEL32(00000000), ref: 0089B407
CloseHandle.KERNEL32(?), ref: 0089B439
CloseHandle.KERNEL32(00000000), ref: 0089B44A
CloseHandle.KERNEL32(00000000), ref: 0089B45C
CloseHandle.KERNEL32(00000000), ref: 0089B46E
CloseHandle.KERNEL32(?), ref: 0089B4E3

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 943f783eabce989fb2ed741cb59359082bfcae56c6253df0634b17f6259a8ff1
Instruction ID: 4dd3e8505f845647dc21546c79113bc06b0acd2c3450e187c81829c775ef6119
Opcode Fuzzy Hash: 943f783eabce989fb2ed741cb59359082bfcae56c6253df0634b17f6259a8ff1
Instruction Fuzzy Hash: 31F17A316083409FCB14EF28D991B6ABBE5FF85314F18855DF8999B2A2DB31EC44CB52

Function 0081326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(008E1990), ref: 00852F8D
GetMenuItemCount.USER32(008E1990), ref: 0085303D
GetCursorPos.USER32(?), ref: 00853081
SetForegroundWindow.USER32(00000000), ref: 0085308A
TrackPopupMenuEx.USER32(008E1990,00000000,?,00000000,00000000,00000000), ref: 0085309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008530A9

Strings

0, xrefs: 0081327D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 94fd71e83c60b53b4478d7d16a7b60905e8bf602a07e86fe71312472c1b49cdd
Instruction ID: cb3b0390b68c57d7d2da324077aaf78a8969b7e641042054a35b57374cabceee
Opcode Fuzzy Hash: 94fd71e83c60b53b4478d7d16a7b60905e8bf602a07e86fe71312472c1b49cdd
Instruction Fuzzy Hash: 20712A30640205BEFB319F68DC49F9ABF69FF06365F204216F925EA1E0CBB1A954C791

Function 008A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 008A6DEB

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 008A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 008A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008A6E94
DestroyWindow.USER32(?), ref: 008A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00810000,00000000), ref: 008A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008A6EFD
GetDesktopWindow.USER32 ref: 008A6F16
GetWindowRect.USER32(00000000), ref: 008A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 008A6F4D

Part of subcall function 00829944: GetWindowLongW.USER32(?,000000EB), ref: 00829952

Strings

tooltips_class32, xrefs: 008A6E58, 008A6EDD
0, xrefs: 008A6D98

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 36bf41e064833c3b7152ed2fe760692d05b8d6530907f194ed238bf39f391d69
Instruction ID: 289da819b61a33a9371dd613b6a62aa1bd4a654517839610801de84502fa31fe
Opcode Fuzzy Hash: 36bf41e064833c3b7152ed2fe760692d05b8d6530907f194ed238bf39f391d69
Instruction Fuzzy Hash: 88718A70144244AFEB21DF18DC48FAABBE9FB8A304F58041DF999C76A1EB70A915CB11

Function 008A911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

DragQueryPoint.SHELL32(?,?), ref: 008A9147

Part of subcall function 008A7674: ClientToScreen.USER32(?,?), ref: 008A769A
Part of subcall function 008A7674: GetWindowRect.USER32(?,?), ref: 008A7710
Part of subcall function 008A7674: PtInRect.USER32(?,?,008A8B89), ref: 008A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 008A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 008A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 008A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 008A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 008A9277
DragFinish.SHELL32(?), ref: 008A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 008A9371

Strings

@GUI_DRAGFILE, xrefs: 008A9320
@GUI_DROPID, xrefs: 008A929E
@GUI_DRAGID, xrefs: 008A92E9

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 73d452d13f84d404f9a7e1ba222ff6bc14bdfc57c470b6ae52ff7518ba1ba7dc
Instruction ID: 624af73d54d10553c33b979f34ffd718429212ee75017b73eda29cbdc8acb0c7
Opcode Fuzzy Hash: 73d452d13f84d404f9a7e1ba222ff6bc14bdfc57c470b6ae52ff7518ba1ba7dc
Instruction Fuzzy Hash: DF613971108301AFD701DF64DC85DAFBBE8FF99750F40092EF5A5922A1DB709A49CB92

Function 0088C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0088C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0088C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0088C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0088C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0088C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0088C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0088C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0088C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0088C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0088C5F0
InternetCloseHandle.WININET(00000000), ref: 0088C5FB

Strings

, xrefs: 0088C575

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: a4c70165717a8d843d91bad01e50f1d55076c0ac3c6bd6432236d323a1ceb987
Instruction ID: 63184e77b05627782cbb38657380b85fa893aee37ffb19a45f32875927373fd9
Opcode Fuzzy Hash: a4c70165717a8d843d91bad01e50f1d55076c0ac3c6bd6432236d323a1ceb987
Instruction Fuzzy Hash: 64516BB1500608BFEB21AF64C988AAB7BFCFF09754F00442AF945D6614DB34E944DBB0

Function 008A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 008A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85BA
GlobalLock.KERNEL32(00000000), ref: 008A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85D7
GlobalUnlock.KERNEL32(00000000), ref: 008A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,008AFC38,?), ref: 008A8611
GlobalFree.KERNEL32(00000000), ref: 008A8621
GetObjectW.GDI32(?,00000018,?), ref: 008A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 008A8671
DeleteObject.GDI32(?), ref: 008A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008A86AF

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c2679540819a2cbe7381f3f1319e5b9ef488523b99e211982f8c49ef104f507c
Instruction ID: 42cd6b5193a319e3d9b5356e900d7d437a3778a5596c26dd4d6cf6c2285dafca
Opcode Fuzzy Hash: c2679540819a2cbe7381f3f1319e5b9ef488523b99e211982f8c49ef104f507c
Instruction Fuzzy Hash: 84410975600208EFEB119FA5CC48EAABBB8FF9AB15F104058F909E7660DB309901CB60

Function 008814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00881502
VariantCopy.OLEAUT32(?,?), ref: 0088150B
VariantClear.OLEAUT32(?), ref: 00881517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00881657
VariantInit.OLEAUT32(?), ref: 00881708
SysFreeString.OLEAUT32(?), ref: 0088178C
VariantClear.OLEAUT32(?), ref: 008817D8
VariantClear.OLEAUT32(?), ref: 008817E7
VariantInit.OLEAUT32(00000000), ref: 00881823

Strings

Default, xrefs: 008816AF
%4d%02d%02d%02d%02d%02d, xrefs: 00881625

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: adebb2f6074dfdc365e26370e9d35dbfe68bfea500e15d93d470772f9d630f89
Instruction ID: c44098da40c5ee549eeaed36d892344f334570db31ed73c0a1cb95376cc85004
Opcode Fuzzy Hash: adebb2f6074dfdc365e26370e9d35dbfe68bfea500e15d93d470772f9d630f89
Instruction Fuzzy Hash: 8CD1D071A0011ADBDF10AF69E889B79B7B9FF46704F10805AE446EB581DF30DD82DB52

Function 0089B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 0089C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089C9F1
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA68
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0089B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0089B80A
RegCloseKey.ADVAPI32(?), ref: 0089B87E
RegCloseKey.ADVAPI32(?), ref: 0089B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0089B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0089B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0089B922
FreeLibrary.KERNEL32(00000000), ref: 0089B983
RegCloseKey.ADVAPI32(00000000), ref: 0089B994

Strings

advapi32.dll, xrefs: 0089B8ED
RegDeleteKeyExW, xrefs: 0089B8FE

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 2467d34105e4abd42b48c4294a79c9d58935356093d2b26c5c20f79f67435d10
Instruction ID: d4457c2886bc2d03499b830249e796574ffac36c1c4d1abf59f7af4defd28225
Opcode Fuzzy Hash: 2467d34105e4abd42b48c4294a79c9d58935356093d2b26c5c20f79f67435d10
Instruction Fuzzy Hash: 20C18F30204201AFDB14EF18D594F6ABBE5FF84308F18855CE5998B7A2DB71ED85CB92

Function 0089255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008925E8
CreateCompatibleDC.GDI32(?), ref: 008925F4
SelectObject.GDI32(00000000,?), ref: 00892601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0089266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008926D0
SelectObject.GDI32(?,?), ref: 008926D8
DeleteObject.GDI32(?), ref: 008926E1
DeleteDC.GDI32(?), ref: 008926E8
ReleaseDC.USER32(00000000,?), ref: 008926F3

Strings

(, xrefs: 0089268D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: adf2bd2d0e36e41eb0607f3acb3e22871b9eb3ab73dd1321894f151984689649
Instruction ID: b6a258bdb6412bef341cd0ce997569fce399049b330e00f44595e6631db6f39b
Opcode Fuzzy Hash: adf2bd2d0e36e41eb0607f3acb3e22871b9eb3ab73dd1321894f151984689649
Instruction Fuzzy Hash: D961F1B5E00219EFDF05DFA8D884AAEBBB5FF48310F248529E955A7250E770A941CF90

Function 0084DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0084DAA1

Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D659
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D66B
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D67D
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D68F
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6A1
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6B3
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6C5
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6D7
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6E9
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6FB
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D70D
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D71F
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D731

_free.LIBCMT ref: 0084DA96

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084DAB8
_free.LIBCMT ref: 0084DACD
_free.LIBCMT ref: 0084DAD8
_free.LIBCMT ref: 0084DAFA
_free.LIBCMT ref: 0084DB0D
_free.LIBCMT ref: 0084DB1B
_free.LIBCMT ref: 0084DB26
_free.LIBCMT ref: 0084DB5E
_free.LIBCMT ref: 0084DB65
_free.LIBCMT ref: 0084DB82
_free.LIBCMT ref: 0084DB9A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 90dc60f91b231da797b2585f22d2533c472785bd85c4fd343504c9affc5f7828
Instruction ID: 065df8293dfc6e980e3349f81f4a4b17013db8badef4f2b824c51254c4d96de0
Opcode Fuzzy Hash: 90dc60f91b231da797b2585f22d2533c472785bd85c4fd343504c9affc5f7828
Instruction Fuzzy Hash: AA313B3260870D9FEB22AA79E845F5A7BE9FF10360F55452AF449D7291DF31AC40C721

Function 0087365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0087369C
_wcslen.LIBCMT ref: 008736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00873797
GetClassNameW.USER32(?,?,00000400), ref: 0087380C
GetDlgCtrlID.USER32(?), ref: 0087385D
GetWindowRect.USER32(?,?), ref: 00873882
GetParent.USER32(?), ref: 008738A0
ScreenToClient.USER32(00000000), ref: 008738A7
GetClassNameW.USER32(?,?,00000100), ref: 00873921
GetWindowTextW.USER32(?,?,00000400), ref: 0087395D

Strings

%s%u, xrefs: 00873734

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 809be739f193b7da12dadf5e3be99e53339a914ce9f05b1659b6c0a6ec56ade7
Instruction ID: 84290beeadb343992b1a3b4e59e0f3d6cba3b2de0966efec7c8a26648a4af316
Opcode Fuzzy Hash: 809be739f193b7da12dadf5e3be99e53339a914ce9f05b1659b6c0a6ec56ade7
Instruction Fuzzy Hash: 5F91C171204606AFDB18DF24C885BAAF7A8FF45354F00C629FA9DD2194DB30EA45DB92

Function 00874954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00874994
GetWindowTextW.USER32(?,?,00000400), ref: 008749DA
_wcslen.LIBCMT ref: 008749EB
CharUpperBuffW.USER32(?,00000000), ref: 008749F7
_wcsstr.LIBVCRUNTIME ref: 00874A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00874A64
GetWindowTextW.USER32(?,?,00000400), ref: 00874A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00874AE6
GetClassNameW.USER32(?,?,00000400), ref: 00874B20
GetWindowRect.USER32(?,?), ref: 00874B8B

Strings

ThumbnailClass, xrefs: 00874A6F, 00874AF1

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 2397edfed82e8d8ada1cb30933de5cf84acfebc218883ac1bf7d1d72b89a71ea
Instruction ID: d7f1c1073af4a0c1d91380801deca315945975c6d2b9c34a78c2c73dd2fe213c
Opcode Fuzzy Hash: 2397edfed82e8d8ada1cb30933de5cf84acfebc218883ac1bf7d1d72b89a71ea
Instruction Fuzzy Hash: B491BE711042059FDB05DF58C981BAAB7E8FF84314F04946AFD89DA19AEB30ED45CBA2

Function 008A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008A8D5A
GetFocus.USER32 ref: 008A8D6A
GetDlgCtrlID.USER32(00000000), ref: 008A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 008A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 008A8ECF
GetMenuItemCount.USER32(?), ref: 008A8EEC
GetMenuItemID.USER32(?,00000000), ref: 008A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 008A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 008A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008A8FA1

Strings

0, xrefs: 008A8E9F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: fc98a891eab4f2f6e2917a8f16450bd5d4e48040d68e4ec9bd63b8fc6de7ddae
Instruction ID: bddb8c5a0cfb35b8868a32459d08fc0cd7debd65b52fbc7171ee6034c32213ba
Opcode Fuzzy Hash: fc98a891eab4f2f6e2917a8f16450bd5d4e48040d68e4ec9bd63b8fc6de7ddae
Instruction Fuzzy Hash: DF819C71508315EFEB10CF24D884AABBBE9FB8A754F140929F985D7691DF70D900CBA2

Function 0087DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0087DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0087DC46
_wcslen.LIBCMT ref: 0087DC50
_wcsstr.LIBVCRUNTIME ref: 0087DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0087DCBC

Strings

04090000, xrefs: 0087DCF2
StringFileInfo\, xrefs: 0087DC8F
DefaultLangCodepage, xrefs: 0087DD1F
%u.%u.%u.%u, xrefs: 0087DD9A
\VarFileInfo\Translation, xrefs: 0087DCB4

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: c842c86a22950d5b2e3f2ba37df2689c2cc940d180e5384c6fd9f677271e8e74
Instruction ID: ff702ee6a6b43354c9c1f3b902c1d81b072679c897b367b06bab0b3b78aa9028
Opcode Fuzzy Hash: c842c86a22950d5b2e3f2ba37df2689c2cc940d180e5384c6fd9f677271e8e74
Instruction Fuzzy Hash: D44117329403147BEB15A7699C43EBF3BBCFF86710F10406AF904E6282EB75D90197A6

Function 0089CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0089CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0089CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0089CD48

Part of subcall function 0089CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0089CCAA
Part of subcall function 0089CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0089CCBD
Part of subcall function 0089CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0089CCCF
Part of subcall function 0089CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0089CD05
Part of subcall function 0089CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0089CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0089CCF3

Strings

advapi32.dll, xrefs: 0089CCB8
RegDeleteKeyExW, xrefs: 0089CCC9

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 8ae14009db217c4f2ff72329295b6bd0c06f498c74afe8329945b18180aa5157
Instruction ID: a471f42764baec8893905b9946a81dca487d3ece20d9c649573841940229c156
Opcode Fuzzy Hash: 8ae14009db217c4f2ff72329295b6bd0c06f498c74afe8329945b18180aa5157
Instruction Fuzzy Hash: AC316C71A01129BBEB20AB54DC88EFFBB7CFF46754F040165E906E2240DA349E45EAA0

Function 0087E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0087E6B4

Part of subcall function 0082E551: timeGetTime.WINMM(?,?,0087E6D4), ref: 0082E555

Sleep.KERNEL32(0000000A), ref: 0087E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0087E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0087E727
SetActiveWindow.USER32 ref: 0087E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0087E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0087E773
Sleep.KERNEL32(000000FA), ref: 0087E77E
IsWindow.USER32 ref: 0087E78A
EndDialog.USER32(00000000), ref: 0087E79B

Strings

BUTTON, xrefs: 0087E719

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 85a31b00e925d5eda0c37ad9d827bb753618fa9639d0da775776f4f0ab559b76
Instruction ID: 60658990388f472e86f1355df645c65a07fd17521ecb21dd0f60498a1fc73aae
Opcode Fuzzy Hash: 85a31b00e925d5eda0c37ad9d827bb753618fa9639d0da775776f4f0ab559b76
Instruction Fuzzy Hash: 4C218170200245AFFF109F64ECC9A253B6DF76A349B108565F51DC66B5DBB1EC00DB25

Function 0087E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0087EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0087EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0087EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0087EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0087EAA7

Strings

status PlayMe mode, xrefs: 0087EA58
close PlayMe, xrefs: 0087EA6E, 0087EA9B
play PlayMe, xrefs: 0087EAA2
alias PlayMe, xrefs: 0087EA36
play PlayMe wait, xrefs: 0087EA91
open , xrefs: 0087EA0C

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: fddc5caebcb12b650e9a14d615773ae9e0238027f613397068220c4ae76ba3cd
Instruction ID: 3c4a6acec5c4bbb9dc6932541cebd508d0a775376675805fe8c74c7ac1055641
Opcode Fuzzy Hash: fddc5caebcb12b650e9a14d615773ae9e0238027f613397068220c4ae76ba3cd
Instruction Fuzzy Hash: 3C118F21A5022D79D720A7A5DC5ADFBAF7CFFD5B40F00052AB821E22D0EE705955C5B1

Function 00875CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00875CE2
GetWindowRect.USER32(00000000,?), ref: 00875CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00875D59
GetDlgItem.USER32(?,00000002), ref: 00875D69
GetWindowRect.USER32(00000000,?), ref: 00875D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00875DCF
GetDlgItem.USER32(?,000003E9), ref: 00875DDD
GetWindowRect.USER32(00000000,?), ref: 00875DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00875E31
GetDlgItem.USER32(?,000003EA), ref: 00875E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00875E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00875E67

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 4c1cddc95296cddcd61f20cbcd622382d024a6cbaad865d49484ff8f9184f230
Instruction ID: 43c3972705daa46087ad1ec786ea8b2b3e825b3ce24efbe477a806d7aebee1f4
Opcode Fuzzy Hash: 4c1cddc95296cddcd61f20cbcd622382d024a6cbaad865d49484ff8f9184f230
Instruction Fuzzy Hash: C551FD71A00609AFDB18CF68DD89AAEBBB5FB59300F148129F519E6694D770EE04CB50

Function 00828BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00828F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00828BE8,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 00828FC5

DestroyWindow.USER32(?), ref: 00828C81
KillTimer.USER32(00000000,?,?,?,?,00828BBA,00000000,?), ref: 00828D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00866973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 008669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 008669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00828BBA,00000000), ref: 008669D4
DeleteObject.GDI32(00000000), ref: 008669E6

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fedc2389f49be907e8669b4665f57a19fa38448a7be915d56d162daecf961d5c
Instruction ID: 107366fb3f20fa379bf482bd8d57e02c242d2d5bd8cf062578303534e3877024
Opcode Fuzzy Hash: fedc2389f49be907e8669b4665f57a19fa38448a7be915d56d162daecf961d5c
Instruction Fuzzy Hash: 8161AA30502664DFDF21AF28EA88B29BBF1FB51316F554518E042DBA60CB35A8E0CF90

Function 00829838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00829944: GetWindowLongW.USER32(?,000000EB), ref: 00829952

GetSysColor.USER32(0000000F), ref: 00829862

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e0c6ee776396087ca89e5d8a777ec8227cc28250f0e7204297f69749a81a7348
Instruction ID: b934076efa5552902271ab929a3d13388fe2ea178d5081ae6e183c328b45d052
Opcode Fuzzy Hash: e0c6ee776396087ca89e5d8a777ec8227cc28250f0e7204297f69749a81a7348
Instruction Fuzzy Hash: 58419031504654AFEB245F38AC88BB93BA5FB17334F194669F9E2C72E1D7319882DB10

Function 008796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0085F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00879717
LoadStringW.USER32(00000000,?,0085F7F8,00000001), ref: 00879720

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0085F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00879742
LoadStringW.USER32(00000000,?,0085F7F8,00000001), ref: 00879745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00879866

Strings

Line %d:, xrefs: 008797A0
Line %d (File "%s"):, xrefs: 0087978F
Error: , xrefs: 0087981D
%s (%d) : ==> %s: %s %s, xrefs: 0087984A
^ ERROR, xrefs: 008797FB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: c295fea69835a6158d9a7910abfb52ad8f4d9792b49a2fe82b78d9dfbdfe8402
Instruction ID: e76d5fb62028e7c509f38640da4b6aecedf1fa50ac367957124cc2c0c9e0b1e4
Opcode Fuzzy Hash: c295fea69835a6158d9a7910abfb52ad8f4d9792b49a2fe82b78d9dfbdfe8402
Instruction Fuzzy Hash: 09414D72800219AADB04EBE8DD96DEEB77CFF15350F104025F645F2192EA356F88CB62

Function 008706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00870804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0087082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00870837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0087083C

Strings

\CLSID, xrefs: 00870724
\IPC$, xrefs: 00870784
SOFTWARE\Classes\, xrefs: 0087070E

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 5943c65b59586971bee84414ae287796e4ad57971f0ee8da5d359cac70b428e4
Instruction ID: 06b48684e2932b48cd275e172a384aad5f79c24f921fcfff9b24997d56e6e921
Opcode Fuzzy Hash: 5943c65b59586971bee84414ae287796e4ad57971f0ee8da5d359cac70b428e4
Instruction Fuzzy Hash: B441D672C10229EBDB15EBA4DC958EEB778FF04350F05412AE915E3261EB30AE44CF91

Function 00893C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00893C5C
CoInitialize.OLE32(00000000), ref: 00893C8A
CoUninitialize.OLE32 ref: 00893C94
_wcslen.LIBCMT ref: 00893D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00893DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00893ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00893F0E
CoGetObject.OLE32(?,00000000,008AFB98,?), ref: 00893F2D
SetErrorMode.KERNEL32(00000000), ref: 00893F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00893FC4
VariantClear.OLEAUT32(?), ref: 00893FD8

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 560ac5782b6b194425a613bbb4a1ff12b2fad6d10adefcfa81c44212004845e8
Instruction ID: 211a34ea043c4215c0ed0806dd89c7d28c97fc62c2e837b74cb3087254424920
Opcode Fuzzy Hash: 560ac5782b6b194425a613bbb4a1ff12b2fad6d10adefcfa81c44212004845e8
Instruction Fuzzy Hash: 9DC12571608205AFDB00EF68C88496BB7E9FF89748F14491DF98ADB211DB31EE45CB52

Function 00887A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00887AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00887B8F
SHGetDesktopFolder.SHELL32(?), ref: 00887BA3
CoCreateInstance.OLE32(008AFD08,00000000,00000001,008D6E6C,?), ref: 00887BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00887C74
CoTaskMemFree.OLE32(?,?), ref: 00887CCC
SHBrowseForFolderW.SHELL32(?), ref: 00887D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00887D7A
CoTaskMemFree.OLE32(00000000), ref: 00887D81
CoTaskMemFree.OLE32(00000000), ref: 00887DD6
CoUninitialize.OLE32 ref: 00887DDC

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: fa191ec3a4699e0f8372ef048a2cef83f7f1c7b77e0f85b4dea21981b85238db
Instruction ID: a330f53fe3de4bc1803b27aba4dd33442d5dbc29d4f30680b1da193e3296db80
Opcode Fuzzy Hash: fa191ec3a4699e0f8372ef048a2cef83f7f1c7b77e0f85b4dea21981b85238db
Instruction Fuzzy Hash: C3C12C75A04109AFDB14DFA4C884DAEBBF9FF48314B1484A9E819DB761D730ED41CB90

Function 008A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 008A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008A5515
CharNextW.USER32(00000158), ref: 008A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 008A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 008A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008A55AC

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 42798054cd3c043234fc8232e33f53841524dbbf2b11a79c04b76518f568d986
Instruction ID: b7b3f8d02d75b75127416e6791c2ad16cfcc81d21fd79cd6dd9473ef03b28e71
Opcode Fuzzy Hash: 42798054cd3c043234fc8232e33f53841524dbbf2b11a79c04b76518f568d986
Instruction Fuzzy Hash: CF619B71901A08EBEF10CF54DC849FE7BB9FB0B724F144149F925EAA90D7748A80DB61

Function 0086FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0086FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0086FB08
VariantInit.OLEAUT32(?), ref: 0086FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0086FB3A
VariantCopy.OLEAUT32(?,?), ref: 0086FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0086FBA1
VariantClear.OLEAUT32(?), ref: 0086FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0086FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0086FBCC
VariantClear.OLEAUT32(?), ref: 0086FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0086FBE9

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a61c353833d0b558378ce8a91857c16507bc675921c93a94b2ba1169f6728a87
Instruction ID: 38057d97637906d8355e2026385f6da75c283806a9f443059983249868d020cd
Opcode Fuzzy Hash: a61c353833d0b558378ce8a91857c16507bc675921c93a94b2ba1169f6728a87
Instruction Fuzzy Hash: C2416235A002199FDB00DF68E8549EDBBB9FF09354F018069E945E7261CB30E945CF95

Function 00879C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00879CA1
GetAsyncKeyState.USER32(000000A0), ref: 00879D22
GetKeyState.USER32(000000A0), ref: 00879D3D
GetAsyncKeyState.USER32(000000A1), ref: 00879D57
GetKeyState.USER32(000000A1), ref: 00879D6C
GetAsyncKeyState.USER32(00000011), ref: 00879D84
GetKeyState.USER32(00000011), ref: 00879D96
GetAsyncKeyState.USER32(00000012), ref: 00879DAE
GetKeyState.USER32(00000012), ref: 00879DC0
GetAsyncKeyState.USER32(0000005B), ref: 00879DD8
GetKeyState.USER32(0000005B), ref: 00879DEA

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d8af4398b7451e722584167fd4583567d07a8da7bfb6139d9ddc7c4f5d014763
Instruction ID: 72417bd45de4559bfcc7fde1a7383339d83a1ecdcd336b5b3b8f3888b975bf28
Opcode Fuzzy Hash: d8af4398b7451e722584167fd4583567d07a8da7bfb6139d9ddc7c4f5d014763
Instruction Fuzzy Hash: 2B41A834504BC96DFF31966488043B5BEA1FF52344F08C09ADACAD65C6EBE5D9C8C792

Function 0089055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008905BC
inet_addr.WSOCK32(?), ref: 0089061C
gethostbyname.WSOCK32(?), ref: 00890628
IcmpCreateFile.IPHLPAPI ref: 00890636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008907B9
WSACleanup.WSOCK32 ref: 008907BF

Strings

Ping, xrefs: 00890676

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 12903acd0b6cac753c16e357ba8c3b82a86c0537dfd1cd61188a0bc44078855b
Instruction ID: 5e10986b997a712b75b5f7ba118d1f46583b4a79149294c810b8d7481ed8e8d7
Opcode Fuzzy Hash: 12903acd0b6cac753c16e357ba8c3b82a86c0537dfd1cd61188a0bc44078855b
Instruction Fuzzy Hash: F9917F35604201AFD710DF19D488B16BBE4FF44328F1985A9F469DB6A2C731ED85CF92

Function 00898CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00898CF3

Part of subcall function 00878E54: _wcslen.LIBCMT ref: 00878E77

_wcslen.LIBCMT ref: 00898D4E
_wcslen.LIBCMT ref: 00898D9C
_wcslen.LIBCMT ref: 00898DDC
_wcslen.LIBCMT ref: 00898E6E

Strings

none, xrefs: 00898E65, 00898E6A
cdecl, xrefs: 00898D48, 00898D4D
winapi, xrefs: 00898D96, 00898D9B
stdcall, xrefs: 00898DD6, 00898DDB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: f1d6fcc52421c3cb5bc9d9e893564319bce66e1d20c90bc123e0c4f3daf80aef
Instruction ID: 8cacf5986f209b7782412fa18878f91d9053fdb37cd4985cfc456a7184b058d7
Opcode Fuzzy Hash: f1d6fcc52421c3cb5bc9d9e893564319bce66e1d20c90bc123e0c4f3daf80aef
Instruction Fuzzy Hash: C1519E31A00117DBCF14EFACC9509BEB7A5FF66324B294229E966E7284EB35DD40C790

Function 0089372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00893774
CoUninitialize.OLE32 ref: 0089377F
CoCreateInstance.OLE32(?,00000000,00000017,008AFB78,?), ref: 008937D9
IIDFromString.OLE32(?,?), ref: 0089384C
VariantInit.OLEAUT32(?), ref: 008938E4
VariantClear.OLEAUT32(?), ref: 00893936

Strings

NULL Pointer assignment, xrefs: 0089381E
Invalid parameter, xrefs: 00893865
Failed to create object, xrefs: 008937E4, 0089389A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 6b3b5f2dc36bc7021bbc09fc5d51e728dd0a7d1ec48b239abe9d9b3983431a72
Instruction ID: 5679e8fc4665ab9fdfc9ef35c66806b5cc48315b1f081cda2849229d6e8106ba
Opcode Fuzzy Hash: 6b3b5f2dc36bc7021bbc09fc5d51e728dd0a7d1ec48b239abe9d9b3983431a72
Instruction Fuzzy Hash: C9619F70608311AFD710EF54C848B6ABBE8FF49714F144929F995EB291D770EE48CB92

Function 00883388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008833CF

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008833F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00883504
Line %d (File "%s"):, xrefs: 00883443, 0088345C
^ ERROR , xrefs: 0088349E
Error: , xrefs: 008834D1
"%s" (%d) : ==> %s:, xrefs: 00883522
Incorrect parameters to object property !, xrefs: 008834AB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: ca236c50f8aedbbef93936d41af5473525fd01c39388f039fd9e455fdaafef23
Instruction ID: 74bb861e58a51ac85ed075dd4147617eb390274967bb702c0b95d26f2365a1f4
Opcode Fuzzy Hash: ca236c50f8aedbbef93936d41af5473525fd01c39388f039fd9e455fdaafef23
Instruction Fuzzy Hash: A9518A71800209AADF14EBA4DD46EEEB778FF04740F104166F515F22A2EB356F98DB62

Function 0087B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0087B5FC
_wcslen.LIBCMT ref: 0087B608
_wcslen.LIBCMT ref: 0087B64D
_wcslen.LIBCMT ref: 0087B68C
_wcslen.LIBCMT ref: 0087B6C7

Strings

REMOVE, xrefs: 0087B602, 0087B607
APPEND, xrefs: 0087B6C1, 0087B6C6
KEYS, xrefs: 0087B647, 0087B64C
EXISTS, xrefs: 0087B686, 0087B68B

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: faf38e021d33cfd6919ab23b0586c707a4909ec878e04c0edf65e44f4043f589
Instruction ID: 6181028bc26b588207e668c775808f23624601e8eda098095a5e8b8d979c6e9a
Opcode Fuzzy Hash: faf38e021d33cfd6919ab23b0586c707a4909ec878e04c0edf65e44f4043f589
Instruction Fuzzy Hash: 9441DE32A000269BCB105F7DC8906BE77A6FFB1754B248229E629D7288F735CD81C790

Function 00885393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00885416
GetLastError.KERNEL32 ref: 00885420
SetErrorMode.KERNEL32(00000000,READY), ref: 008854A7

Strings

READONLY, xrefs: 00885452
READY, xrefs: 00885460, 00885468
NOTREADY, xrefs: 0088544B
UNKNOWN, xrefs: 00885444
INVALID, xrefs: 00885459

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 720a9dee1ebf921fef32b93c2194d14f7ee4d28d522eece762b3afc70c6812fd
Instruction ID: ae3b272595fb2339e9dab5c83b74453055f6126cf19bed5986d7382cee417099
Opcode Fuzzy Hash: 720a9dee1ebf921fef32b93c2194d14f7ee4d28d522eece762b3afc70c6812fd
Instruction Fuzzy Hash: 5431A3B5A006089FD710EF68C484AAA7BF4FF45305F148069E505DB392EB71ED86CB91

Function 008A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 008A3C79
SetMenu.USER32(?,00000000), ref: 008A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008A3D10
IsMenu.USER32(?), ref: 008A3D24
CreatePopupMenu.USER32 ref: 008A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008A3D5B
DrawMenuBar.USER32 ref: 008A3D63

Strings

0, xrefs: 008A3C54
F, xrefs: 008A3D4E

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 9748f50de1885d48193ac8de7a6b876db4018e24046bde072cb8886e12420386
Instruction ID: 8934534bb893224dbcd9a5716ee9b96ec8a4780c5d42d307bd3566f62f6a9625
Opcode Fuzzy Hash: 9748f50de1885d48193ac8de7a6b876db4018e24046bde072cb8886e12420386
Instruction Fuzzy Hash: BF413875A01209EFEB14DF64D884BAABBB5FF4A350F140029F946E7760D770AA10CB94

Function 008A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 008A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 008A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 008A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 008A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 008A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 008A3C13

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: e87a7c5dc48afd9c1b2ea62dd430c42132247719934b456ab602517a539b56d6
Instruction ID: 49961f6a216c592fbf1d2016c2e659c77397034f04155e69615c5b85a574a6c8
Opcode Fuzzy Hash: e87a7c5dc48afd9c1b2ea62dd430c42132247719934b456ab602517a539b56d6
Instruction Fuzzy Hash: 45617D75900248AFEB11DF68CC85EEE77B8FB0A710F100059FA15E7291C774AE41DB60

Function 0087B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0087B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B165
GetWindowThreadProcessId.USER32(00000000), ref: 0087B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0087B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B21D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 5bd7c2ca15d11edb4ee946de560ef9a0ef3a7681d843fbd7f006f13342c300cf
Instruction ID: 3938c800c6f57659c36ff11748ea7c8fe60fa675735c36fd04b2ad935c79143f
Opcode Fuzzy Hash: 5bd7c2ca15d11edb4ee946de560ef9a0ef3a7681d843fbd7f006f13342c300cf
Instruction Fuzzy Hash: 0C3191B5510608BFEB10DF64DC88B6D7BAAFB62325F108419FA09DB191D7B4DE408F64

Function 00842C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00842C94

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 00842CA0
_free.LIBCMT ref: 00842CAB
_free.LIBCMT ref: 00842CB6
_free.LIBCMT ref: 00842CC1
_free.LIBCMT ref: 00842CCC
_free.LIBCMT ref: 00842CD7
_free.LIBCMT ref: 00842CE2
_free.LIBCMT ref: 00842CED
_free.LIBCMT ref: 00842CFB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e091495acf67c7c18493d1ae598793bc3d8629afc1a9fc49b670b672c78346a0
Instruction ID: 6df76ff7bd89801dea2a454fba054351cc33ae4fe019166598b3a23d4eae4b4d
Opcode Fuzzy Hash: e091495acf67c7c18493d1ae598793bc3d8629afc1a9fc49b670b672c78346a0
Instruction Fuzzy Hash: BB11A27610410CAFDB02EF99D882DDD3FA9FF05350F9144A5FA489F222DA31EE509B92

Function 00811410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00811459
OleUninitialize.OLE32(?,00000000), ref: 008114F8
UnregisterHotKey.USER32(?), ref: 008116DD
DestroyWindow.USER32(?), ref: 008524B9
FreeLibrary.KERNEL32(?), ref: 0085251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0085254B

Strings

close all, xrefs: 00811454

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f481df172f2fafa365fa5342c4cd4cc2a44cf64ce40ad7bbf390bf857a83f80c
Instruction ID: 0121e52e40d1733420a2c099579fc18a332a37a9ad72994867a2798ca664cecb
Opcode Fuzzy Hash: f481df172f2fafa365fa5342c4cd4cc2a44cf64ce40ad7bbf390bf857a83f80c
Instruction Fuzzy Hash: 75D16B317012228FDB19EF18C499A69F7A9FF06701F1441ADEA4AEB252DF30AC56CF51

Function 00887DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00887FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00887FC1
GetFileAttributesW.KERNEL32(?), ref: 00887FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00888005
SetCurrentDirectoryW.KERNEL32(?), ref: 00888017
SetCurrentDirectoryW.KERNEL32(?), ref: 00888060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008880B0

Strings

*.*, xrefs: 00888066

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: dd4d67bfd980c753a1bff5728a7a9fbeddd5b2c82c6c8ddaf416f726df79cec5
Instruction ID: 99e6bf4b6351ff897d900aca5d4ced6d8951c2f8fe054373cbfb45a8029c9fd7
Opcode Fuzzy Hash: dd4d67bfd980c753a1bff5728a7a9fbeddd5b2c82c6c8ddaf416f726df79cec5
Instruction Fuzzy Hash: 4F81B1725082459BCB20FF18C4849AAB3E8FF89714F644C6EF889C7251EB75ED45CB92

Function 00815BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00815C7A

Part of subcall function 00815D0A: GetClientRect.USER32(?,?), ref: 00815D30
Part of subcall function 00815D0A: GetWindowRect.USER32(?,?), ref: 00815D71
Part of subcall function 00815D0A: ScreenToClient.USER32(?,?), ref: 00815D99

GetDC.USER32 ref: 008546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00854708
SelectObject.GDI32(00000000,00000000), ref: 00854716
SelectObject.GDI32(00000000,00000000), ref: 0085472B
ReleaseDC.USER32(?,00000000), ref: 00854733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008547C4

Strings

U, xrefs: 00854693

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ce6811eb7fe0ad6dbb7e38da6f7ca7b13c742e86d9c61d9aa8efbd5f14bb9690
Instruction ID: 4137a0626c53febc464dc85a216585e7c5a77c3c538d68d66eb0a771974b94f7
Opcode Fuzzy Hash: ce6811eb7fe0ad6dbb7e38da6f7ca7b13c742e86d9c61d9aa8efbd5f14bb9690
Instruction Fuzzy Hash: DC71F134500209DFDF218F64C984AFA3BB5FF8A32AF145269ED55DA266C73098C9DF50

Function 0088359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008835E4

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

LoadStringW.USER32(008E2390,?,00000FFF,?), ref: 0088360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00883724
Line %d (File "%s"):, xrefs: 0088366B
Error: , xrefs: 008836EF
"%s" (%d) : ==> %s:, xrefs: 00883742
^ ERROR, xrefs: 008836C9

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 8a113526f825c8a9afbe0b3bdf93f679998c44feefbd3a9def675bcf442e7f19
Instruction ID: 0f5de109b6aee3f7c28e196da00b03782dbaa0bf05cc94a92d06263959965015
Opcode Fuzzy Hash: 8a113526f825c8a9afbe0b3bdf93f679998c44feefbd3a9def675bcf442e7f19
Instruction Fuzzy Hash: 87516D71800219AADF14EBA4DC52EEEBB39FF14710F144125F515B22A1EB346BD8DBA2

Function 008A8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

Part of subcall function 0082912D: GetCursorPos.USER32(?), ref: 00829141
Part of subcall function 0082912D: ScreenToClient.USER32(00000000,?), ref: 0082915E
Part of subcall function 0082912D: GetAsyncKeyState.USER32(00000001), ref: 00829183
Part of subcall function 0082912D: GetAsyncKeyState.USER32(00000002), ref: 0082919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 008A8B6B
ImageList_EndDrag.COMCTL32 ref: 008A8B71
ReleaseCapture.USER32 ref: 008A8B77
SetWindowTextW.USER32(?,00000000), ref: 008A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 008A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 008A8CFF

Strings

@GUI_DRAGFILE, xrefs: 008A8C9A
@GUI_DROPID, xrefs: 008A8C51

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 29e33d2b58bd0f56154adc1282168e8ddb2175e2e573821eaa9cb84715eacf50
Instruction ID: be01ba573d3be391db96bffb16c152f7270b0145cc20a0938f51a47449e618c6
Opcode Fuzzy Hash: 29e33d2b58bd0f56154adc1282168e8ddb2175e2e573821eaa9cb84715eacf50
Instruction Fuzzy Hash: DE518C70104344AFEB04EF14DC99FAA77E4FF89714F40062DF992972A2DB709944CB62

Function 0088C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0088C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0088C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0088C2CA
GetLastError.KERNEL32 ref: 0088C322
SetEvent.KERNEL32(?), ref: 0088C336
InternetCloseHandle.WININET(00000000), ref: 0088C341

Strings

, xrefs: 0088C2BB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 57cfda2516c468bb56fbc5fcc9fb543c32ae49d95b3317c9d0867f8e00151854
Instruction ID: 1a0653a032fd854d698666d7ba1758ee2ba5de86d6c5a34708329432db1888ac
Opcode Fuzzy Hash: 57cfda2516c468bb56fbc5fcc9fb543c32ae49d95b3317c9d0867f8e00151854
Instruction Fuzzy Hash: 31317AB1600608AFE721AFA99C88ABB7BFCFB4A744F10851EF446D2644DB34DD059B71

Function 0087989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00853AAF,?,?,Bad directive syntax error,008ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008798BC
LoadStringW.USER32(00000000,?,00853AAF,?), ref: 008798C3

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00879987

Strings

Error: , xrefs: 00879955
%s (%d) : ==> %s.: %s %s, xrefs: 008798F1
Line %d:, xrefs: 00879912
Line %d (File "%s"):, xrefs: 0087992D
., xrefs: 0087996D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 9a95b4026de28044d361661d3e96e080e2ba0fdd997869d1ecbdd9cc9bed00db
Instruction ID: ccaa9893f79439ecd07958b490e1ceb94e27209c439c66ac3d31d449154c991a
Opcode Fuzzy Hash: 9a95b4026de28044d361661d3e96e080e2ba0fdd997869d1ecbdd9cc9bed00db
Instruction Fuzzy Hash: BF21943180021EABDF15AF94CC06EEE7779FF14300F044466F629A21A2EB75A668DB51

Function 0087209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0087214D

Strings

largeicons, xrefs: 008720E1
smallicons, xrefs: 00872115
list, xrefs: 0087212F
SHELLDLL_DefView, xrefs: 008720CC
details, xrefs: 008720FB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: c8cc2bcbbd6122309f33db6f031275068684d22569dc1dd94fdecc8b70995829
Instruction ID: 455a3bcfd63462d7f9828b0d3bd4cb32b8f51ba3cbb41299efa2c97e663841e1
Opcode Fuzzy Hash: c8cc2bcbbd6122309f33db6f031275068684d22569dc1dd94fdecc8b70995829
Instruction Fuzzy Hash: 35115976288706B9FA01A228DC07CA6339CFB15324F20411BFB08E41D5FF65F8015664

Function 00848D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ca2a283f43fcf816b3fd5933dccb176b5d82d72a68527a9a564bebf7fc9ab8
Instruction ID: d2a2706be8c83b768b2bfb3ae96e9dd842ac08a2677cd3568d566c629d5b9065
Opcode Fuzzy Hash: 39ca2a283f43fcf816b3fd5933dccb176b5d82d72a68527a9a564bebf7fc9ab8
Instruction Fuzzy Hash: CDC1AD74E0424DEFDB21DFA8D841BAEBBB4FF49310F144199E954EB292CB709941CB61

Function 0084CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0084CEB7
_free.LIBCMT ref: 0084CF22
_free.LIBCMT ref: 0084CF48
_free.LIBCMT ref: 0084CF71
_free.LIBCMT ref: 0084CFA9
_free.LIBCMT ref: 0084CFDA
_free.LIBCMT ref: 0084D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0084D09C
_free.LIBCMT ref: 0084D0B5

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: fd4c3e76ebefdc8c6ac5c03a655d95a3cff318c09fc260ab9bcf4e06e3379815
Instruction ID: 6c13c3b7d788813796ffe2df883a7b09285bd27e6b3c63a7d1c5d020a54e88ab
Opcode Fuzzy Hash: fd4c3e76ebefdc8c6ac5c03a655d95a3cff318c09fc260ab9bcf4e06e3379815
Instruction Fuzzy Hash: 9D614771A0534CAFDB21AFB89C81A6E7BA9FF01310F04416DF940DB242DFB59D4587A1

Function 008A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 008A5186
ShowWindow.USER32(?,00000000), ref: 008A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008A51D1

Part of subcall function 008A6FBA: DeleteObject.GDI32(00000000), ref: 008A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 008A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 008A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 008A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 008A5296

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 40e58569590ef448322b2ea44f27cabb24cb1ce60d6fdeee4ce7d30785d2bca4
Instruction ID: 2861fad47e6c3b1e08ca80a80d1d6b60ebe12fd2e9ea240c8cda918353108ac3
Opcode Fuzzy Hash: 40e58569590ef448322b2ea44f27cabb24cb1ce60d6fdeee4ce7d30785d2bca4
Instruction Fuzzy Hash: BB518D30A40A08BEFF209F28DC4ABE93BA5FB06325F144011F625DAAE1C775A9D0DB41

Function 00828B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00866890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00828874,00000000,00000000,00000000,000000FF,00000000), ref: 00866901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0086691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00828874,00000000,00000000,00000000,000000FF,00000000), ref: 0086692D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f5d7cf573d1d2068c26b4063f15759f02af10a8a70db96d3bfb28e69db321341
Instruction ID: ed26b91fcfb24290af97a71a90fe5027698f401c8a4435e4157e7dfb315b129a
Opcode Fuzzy Hash: f5d7cf573d1d2068c26b4063f15759f02af10a8a70db96d3bfb28e69db321341
Instruction Fuzzy Hash: FC516970600249EFEF20CF24DC95BAA7BB5FB58764F104528F956D72A0EB70A9A0DB50

Function 0088C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0088C182
GetLastError.KERNEL32 ref: 0088C195
SetEvent.KERNEL32(?), ref: 0088C1A9

Part of subcall function 0088C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0088C272
Part of subcall function 0088C253: GetLastError.KERNEL32 ref: 0088C322
Part of subcall function 0088C253: SetEvent.KERNEL32(?), ref: 0088C336
Part of subcall function 0088C253: InternetCloseHandle.WININET(00000000), ref: 0088C341

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 70dafde0cbd10a6896cc8c70410a1176a16e93a1b4687c2da6be17dadabdb606
Instruction ID: e0b192aa8881b0a8b3483124d3fe2fb4f9690ae3600b3a10c2af74b3adfa76cb
Opcode Fuzzy Hash: 70dafde0cbd10a6896cc8c70410a1176a16e93a1b4687c2da6be17dadabdb606
Instruction Fuzzy Hash: A5318D71200605AFEB21AFB9DC48A76BBF8FF19300B00841DF956C2A64DB31E814DBB0

Function 008725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00873A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00873A57
Part of subcall function 00873A3D: GetCurrentThreadId.KERNEL32 ref: 00873A5E
Part of subcall function 00873A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008725B3), ref: 00873A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00872601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00872605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0087260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00872623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00872627

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b4529ef30112c3ab66f49999aaf6ede03c4530d37cfc7264c8e9015c4722e221
Instruction ID: 4a6d797f6641b250759e5e3db7d788cc37c6f5edcb23b30a7f3db93aa274b435
Opcode Fuzzy Hash: b4529ef30112c3ab66f49999aaf6ede03c4530d37cfc7264c8e9015c4722e221
Instruction Fuzzy Hash: 9C01D431390624BBFB1067689C8AF597F59FB5EB12F104005F318EE0D5C9E264459A6A

Function 00871803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00871449,?,?,00000000), ref: 0087180C
HeapAlloc.KERNEL32(00000000,?,00871449,?,?,00000000), ref: 00871813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00871449,?,?,00000000), ref: 00871828
GetCurrentProcess.KERNEL32(?,00000000,?,00871449,?,?,00000000), ref: 00871830
DuplicateHandle.KERNEL32(00000000,?,00871449,?,?,00000000), ref: 00871833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00871449,?,?,00000000), ref: 00871843
GetCurrentProcess.KERNEL32(00871449,00000000,?,00871449,?,?,00000000), ref: 0087184B
DuplicateHandle.KERNEL32(00000000,?,00871449,?,?,00000000), ref: 0087184E
CreateThread.KERNEL32(00000000,00000000,00871874,00000000,00000000,00000000), ref: 00871868

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 6c3d7da245e2f464ee413e4d9053f81122bf09f9f4576019d307936b5a776a68
Instruction ID: 61cc98bf464bdc736debd4142b79081080866b709bbacb125a84cc2bfce83dc1
Opcode Fuzzy Hash: 6c3d7da245e2f464ee413e4d9053f81122bf09f9f4576019d307936b5a776a68
Instruction Fuzzy Hash: B701AC75340304BFF610ABA5DC4DF577BACFB8AB11F004411FA05DB691DA7498008B20

Function 0089A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0087D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0087D501
Part of subcall function 0087D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0087D50F
Part of subcall function 0087D4DC: CloseHandle.KERNEL32(00000000), ref: 0087D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0089A16D
GetLastError.KERNEL32 ref: 0089A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0089A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0089A268
GetLastError.KERNEL32(00000000), ref: 0089A273
CloseHandle.KERNEL32(00000000), ref: 0089A2C4

Strings

SeDebugPrivilege, xrefs: 0089A18F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7505a96c4070c4a3148eecf8d6a56e14c8bfedfc6c7ea06b052bb83a01509aa1
Instruction ID: 08cb46f75aea1b22f8bcc2a309b9038d8c5d74c89f5f57d3858440274de9e85e
Opcode Fuzzy Hash: 7505a96c4070c4a3148eecf8d6a56e14c8bfedfc6c7ea06b052bb83a01509aa1
Instruction Fuzzy Hash: 9A616D302082419FDB14EF58C494F55BBA5FF44318F18849CE4668BBA2DB76EC85CBD2

Function 008A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 008A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 008A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008A3954
_wcslen.LIBCMT ref: 008A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008A39F4

Strings

SysListView32, xrefs: 008A38F7

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: eeddeae30ff6ca45753255523ff733c8d5d02c686135e600cb5835a739c84e32
Instruction ID: 28afd0388d90b9077ee7e575a6f4532230397ca660be7c27eb2415825037a7e9
Opcode Fuzzy Hash: eeddeae30ff6ca45753255523ff733c8d5d02c686135e600cb5835a739c84e32
Instruction Fuzzy Hash: 0C41A371A00218ABEF219F64CC49FEA7BA9FF09350F14052AF958E7281D7759E84CB90

Function 0087BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0087BCFD
IsMenu.USER32(00000000), ref: 0087BD1D
CreatePopupMenu.USER32 ref: 0087BD53
GetMenuItemCount.USER32(00B15670), ref: 0087BDA4
InsertMenuItemW.USER32(00B15670,?,00000001,00000030), ref: 0087BDCC

Strings

2, xrefs: 0087BD37
0, xrefs: 0087BCA8

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 7fcb4b6ff169c6930faf8c1b83f4c6f3c3d8a31c4fed07a8e90d57659d36918e
Instruction ID: 7e1ef10cd941ea462f11a9221d5126847a1949881041c06cf12d6a1b9dff72fc
Opcode Fuzzy Hash: 7fcb4b6ff169c6930faf8c1b83f4c6f3c3d8a31c4fed07a8e90d57659d36918e
Instruction Fuzzy Hash: FB518A70A002099FDB21CFA8D888BAEBFF6FF45354F148119E419D72A9E770D940CB62

Function 0087C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0087C913

Strings

stop, xrefs: 0087C8E4
info, xrefs: 0087C8B4
blank, xrefs: 0087C895
question, xrefs: 0087C8CC
warning, xrefs: 0087C8FC

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 94a0e475e052044b9b400fadb81e1b97a251e345c6d479989429738ba82c533b
Instruction ID: e08ec870101569f42e0a1d90f3364c7b9a6b0cceee7c14282695c1bc4a4394d2
Opcode Fuzzy Hash: 94a0e475e052044b9b400fadb81e1b97a251e345c6d479989429738ba82c533b
Instruction Fuzzy Hash: F911EB3168930EBAA7015B549C82DEA6B9CFF15358B10812FF608E7382E774ED0052A9

Function 0087ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0087ED2A
_wcslen.LIBCMT ref: 0087ED3B
_wcslen.LIBCMT ref: 0087ED79
_wcslen.LIBCMT ref: 0087EDAF
_wcslen.LIBCMT ref: 0087EDDF
_wcslen.LIBCMT ref: 0087EDEF
_wcslen.LIBCMT ref: 0087EE2B
_wcslen.LIBCMT ref: 0087EE5A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: d7e823e0a352177ea7fb8e52f2f0821e93ccd48b3f2b51670c5d57575da96d3c
Instruction ID: 568ae74cbb5cd9623901e65381b256e1a13c550e2424bedb79479c7d247e9c15
Opcode Fuzzy Hash: d7e823e0a352177ea7fb8e52f2f0821e93ccd48b3f2b51670c5d57575da96d3c
Instruction Fuzzy Hash: 22417765C1121875CB11EBF8888AACF77A8FF89710F509562F518E3121FB78E255C3E6

Function 0082F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 0082F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 0086F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 0086F454

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d5c024785e872efe6fc2489c99e5c343838902a7d9272dfc290cbdd7a5725d18
Instruction ID: 814dca7f420cf453302ae3ac921ec0a8168c0c1d6202635777317416e501c05f
Opcode Fuzzy Hash: d5c024785e872efe6fc2489c99e5c343838902a7d9272dfc290cbdd7a5725d18
Instruction Fuzzy Hash: 5141F831608690BAD7399B2DB98872A7FB1FB56314F15443CE387D6A63DA31E8C0CB51

Function 008A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008A2D1B
GetDC.USER32(00000000), ref: 008A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 008A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,008A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 008A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008A2DE1

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 67cf69fcbba1203ac2095740e8fea1ce7b5347bd8543cee83f4421e2d358601c
Instruction ID: fcd55419ade65b0d4fd0528473ffd8d2b6b393c899f6f1d94f6893c616f64b7d
Opcode Fuzzy Hash: 67cf69fcbba1203ac2095740e8fea1ce7b5347bd8543cee83f4421e2d358601c
Instruction Fuzzy Hash: 02318772201614BBFB218F548C8AFEB3BA9FB1A711F044065FE08DA292D6759C50CBA0

Function 00875622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00875637
_memcmp.LIBVCRUNTIME ref: 00875659
_memcmp.LIBVCRUNTIME ref: 00875671
_memcmp.LIBVCRUNTIME ref: 00875684
_memcmp.LIBVCRUNTIME ref: 0087569E
_memcmp.LIBVCRUNTIME ref: 008756B1
_memcmp.LIBVCRUNTIME ref: 008756C9
_memcmp.LIBVCRUNTIME ref: 008756E4

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7fa0abfc0038d76296524c9c9935b57e2bfbcd262ccc88ec3c19b680662efa72
Instruction ID: d9bab49044317d0e0708d2eb11a20bb2f3d575470c7c5ed6f9dc181dd60aaf00
Opcode Fuzzy Hash: 7fa0abfc0038d76296524c9c9935b57e2bfbcd262ccc88ec3c19b680662efa72
Instruction Fuzzy Hash: 11212961640A1977E71855258D82FFA335CFF71794F448020FE0CDAB8AFBA8EE1081E6

Function 00894FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00895007
NULL Pointer assignment, xrefs: 0089502E, 00895383

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bd1c286a106d60e1885083be0f938d6834a380cdacb679cb1063b3b50b2ee6f0
Instruction ID: 4ccb9fba8269456a5fbd169046b832ff2142e097b8530085a088dc16854debd8
Opcode Fuzzy Hash: bd1c286a106d60e1885083be0f938d6834a380cdacb679cb1063b3b50b2ee6f0
Instruction Fuzzy Hash: 2AD1B171A0060A9FDF11DFA8C881BAEB7B5FF48344F188169E915EB281E770DD45CB90

Function 00851522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00851651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008517FB,?,008517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008516FB

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00851777
__freea.LIBCMT ref: 008517A2
__freea.LIBCMT ref: 008517AE

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2b64ed26ba92d56ac26c70cc0c4a1052f7e818ee97f26f867dd9f414a46a678d
Instruction ID: 0eb7534d8dd2865860226dc7c2b1176b0eca33e14278e692d10de0e38226fffc
Opcode Fuzzy Hash: 2b64ed26ba92d56ac26c70cc0c4a1052f7e818ee97f26f867dd9f414a46a678d
Instruction Fuzzy Hash: 58919171F0021A9ADF208E78C889BEE7BA5FF49715F184659EC02E7141EB35DC48CBA0

Function 00894523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00894648
VariantInit.OLEAUT32(?), ref: 00894749
VariantClear.OLEAUT32(?), ref: 00894753
VariantClear.OLEAUT32(?), ref: 008947B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 008945D8, 00894706, 008947BE
Incorrect Object type in FOR..IN loop, xrefs: 0089472C

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 81e65f924563a82bfad46a9de9f404f6b23382355cc95da3c0b43a03f1f6bfbf
Instruction ID: 2cf3272162f9900fb3b131bbc59ccefdb942ca4339f006ec513029bccae6df33
Opcode Fuzzy Hash: 81e65f924563a82bfad46a9de9f404f6b23382355cc95da3c0b43a03f1f6bfbf
Instruction Fuzzy Hash: FC918C71A0021DABDF20EFA4C884FAEBBB8FF46714F148559F515EB281D7709946CBA0

Function 00881187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0088125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00881284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0088135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00881430

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 1d6a12bc93c70102d9028d306115b06208b998ca8a5d1586e151a83a07ccab5a
Instruction ID: 3ed429001a582b237cf0342330dfd755c018ad874d96f6485f5fc4725532994f
Opcode Fuzzy Hash: 1d6a12bc93c70102d9028d306115b06208b998ca8a5d1586e151a83a07ccab5a
Instruction Fuzzy Hash: 2691E271A002199FDF10EF98C888BBEB7BDFF45315F104029E941EB292DB74A946CB95

Function 0082948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 42778a37a00f072ce297ec0e2cd5bdcb6d43f7d76c2b1d848df533da3e3df41f
Instruction ID: 70aa0cde7efb53b33d3d951b937f9bf7f22083b807600b74ed20d4e71c1f1faa
Opcode Fuzzy Hash: 42778a37a00f072ce297ec0e2cd5bdcb6d43f7d76c2b1d848df533da3e3df41f
Instruction Fuzzy Hash: 85912571E00219EFCB10CFA9D984AEEBBB8FF49324F144059E955F7251D378A981CBA0

Function 00893947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0089396B
CharUpperBuffW.USER32(?,?), ref: 00893A7A
_wcslen.LIBCMT ref: 00893A8A
VariantClear.OLEAUT32(?), ref: 00893C1F

Part of subcall function 00880CDF: VariantInit.OLEAUT32(00000000), ref: 00880D1F
Part of subcall function 00880CDF: VariantCopy.OLEAUT32(?,?), ref: 00880D28
Part of subcall function 00880CDF: VariantClear.OLEAUT32(?), ref: 00880D34

Strings

Incorrect Parameter format, xrefs: 008939A6, 00893BA1
AUTOIT.ERROR, xrefs: 00893A80, 00893A85

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 03c967a64dce555bcbc189f1679244261ead9d29b0fc8bba3bea49453ad200ef
Instruction ID: 381817fc9963af4f2d62900d3276e7142e4b1ac082b170aca5b3be2db9fa4e66
Opcode Fuzzy Hash: 03c967a64dce555bcbc189f1679244261ead9d29b0fc8bba3bea49453ad200ef
Instruction Fuzzy Hash: 319113756083059FCB04EF68C48096ABBE5FF89314F18892DF88AD7351DB31EA45CB92

Function 00894BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0087000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?,?,0087035E), ref: 0087002B
Part of subcall function 0087000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870046
Part of subcall function 0087000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870054
Part of subcall function 0087000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?), ref: 00870064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00894C51
_wcslen.LIBCMT ref: 00894D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00894DCF
CoTaskMemFree.OLE32(?), ref: 00894DDA

Strings

NULL Pointer assignment, xrefs: 00894E23, 00894E52

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 0a2910f66cb679823f72564cf2e92a1d7fc99f895020a7695138ab4f26150be1
Instruction ID: 62f7abec79aafd9fde36be978ef3050fe8d0fd8c15df8f5800bf46ceebee47ab
Opcode Fuzzy Hash: 0a2910f66cb679823f72564cf2e92a1d7fc99f895020a7695138ab4f26150be1
Instruction Fuzzy Hash: 70911571D0021DAFDF14EFA4D890EEEB7B8FF08314F108169E919A7251EB349A458F61

Function 008A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 008A2183
GetMenuItemCount.USER32(00000000), ref: 008A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008A21DD
_wcslen.LIBCMT ref: 008A2213
GetMenuItemID.USER32(?,?), ref: 008A224D
GetSubMenu.USER32(?,?), ref: 008A225B

Part of subcall function 00873A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00873A57
Part of subcall function 00873A3D: GetCurrentThreadId.KERNEL32 ref: 00873A5E
Part of subcall function 00873A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008725B3), ref: 00873A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008A22E3

Part of subcall function 0087E97B: Sleep.KERNEL32 ref: 0087E9F3

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: cc8573d8504f6580bd678c22ef52933800116c9352805a420aee91022bcac48c
Instruction ID: 8a665e8f97eafc110c55f2ce08cbe742bc94e7c0f6cd2496bdc6fc3316b541a3
Opcode Fuzzy Hash: cc8573d8504f6580bd678c22ef52933800116c9352805a420aee91022bcac48c
Instruction Fuzzy Hash: F1718E35A00215AFDB20DF68C841AAEB7F5FF49310F148459E916EB751DB34ED41CB91

Function 0087AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0087AEF9
GetKeyboardState.USER32(?), ref: 0087AF0E
SetKeyboardState.USER32(?), ref: 0087AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0087AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0087AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0087AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0087B020

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 89d4621985484a7c39ce2cc21f846ff8886d4a9fc1b968fdcc90cf8352c851ba
Instruction ID: 33a99dbde33afc1968d0a7607c3268fadad898fdfb594c4f7267fe47cb68ab15
Opcode Fuzzy Hash: 89d4621985484a7c39ce2cc21f846ff8886d4a9fc1b968fdcc90cf8352c851ba
Instruction Fuzzy Hash: 195104A16047D53DFB3A82348845BBE7EAABB46304F08C589E1DDC58D3C798E8C4D352

Function 0087ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0087AD19
GetKeyboardState.USER32(?), ref: 0087AD2E
SetKeyboardState.USER32(?), ref: 0087AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0087ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0087ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0087AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0087AE38

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: aaeca2b9031f2608062bc0cca36f1ecb2f8fb1eabaa1d5f627f996af86b3e25c
Instruction ID: 4b3781c652a2dcb32c86ab328c312986c2f4e6072bad7ba9b6d92dad0a857095
Opcode Fuzzy Hash: aaeca2b9031f2608062bc0cca36f1ecb2f8fb1eabaa1d5f627f996af86b3e25c
Instruction Fuzzy Hash: C251C5A15047D53DFB3A83648C95BBE7EA9FB86300F08C489E1DDD68C6D294EC84D752

Function 0084542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00853CD6,?,?,?,?,?,?,?,?,00845BA3,?,?,00853CD6,?,?), ref: 00845470
__fassign.LIBCMT ref: 008454EB
__fassign.LIBCMT ref: 00845506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00853CD6,00000005,00000000,00000000), ref: 0084552C
WriteFile.KERNEL32(?,00853CD6,00000000,00845BA3,00000000,?,?,?,?,?,?,?,?,?,00845BA3,?), ref: 0084554B
WriteFile.KERNEL32(?,?,00000001,00845BA3,00000000,?,?,?,?,?,?,?,?,?,00845BA3,?), ref: 00845584

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 80da4c42a1db080242869f9ab43e5be0e77f7c4561ca4bdb59109225137c5702
Instruction ID: 3f6f4d0fb785ecb971c9fc8c5e336b151066d841016747b135c1fa74180a337b
Opcode Fuzzy Hash: 80da4c42a1db080242869f9ab43e5be0e77f7c4561ca4bdb59109225137c5702
Instruction Fuzzy Hash: DF51E3B0A0064DAFDB11CFA8D895AEEBBF9FF09300F15451AF555E7292E7309A41CB60

Function 00832D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00832D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00832D53
_ValidateLocalCookies.LIBCMT ref: 00832DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00832E0C
_ValidateLocalCookies.LIBCMT ref: 00832E61

Strings

csm, xrefs: 00832DF6

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 44aa3e4b4c5d8ef22457d68293bfcf152aaaa9ae8b8a55b4c982e41a14b1f631
Instruction ID: 2519ebbb97768f8adae416334e7c17beba880da7f06dcbb522b5608686b1f228
Opcode Fuzzy Hash: 44aa3e4b4c5d8ef22457d68293bfcf152aaaa9ae8b8a55b4c982e41a14b1f631
Instruction Fuzzy Hash: 5A418C34A0020DEBCF10DF68C845A9EBBA5FF85328F148165E915EB392DB35AA15CBD1

Function 008910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0089304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0089307A
Part of subcall function 0089304E: _wcslen.LIBCMT ref: 0089309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00891112
WSAGetLastError.WSOCK32 ref: 00891121
WSAGetLastError.WSOCK32 ref: 008911C9
closesocket.WSOCK32(00000000), ref: 008911F9

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: d6eb21cdfded9dd29f68995d0a6e8e8df0233cd922102bf092b32e98da8195f5
Instruction ID: f2717c2f1d67d344b12423ea05b33808d4ff7d31b1eb2ae6e14478b846b77dfd
Opcode Fuzzy Hash: d6eb21cdfded9dd29f68995d0a6e8e8df0233cd922102bf092b32e98da8195f5
Instruction Fuzzy Hash: 8B41D431600205AFEF10AF18C888BA9BBE9FF45364F188059F915DB291DB74ED81CBA1

Function 0087CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0087CF22,?), ref: 0087DDFD

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0087CF22,?), ref: 0087DE16

lstrcmpiW.KERNEL32(?,?), ref: 0087CF45
MoveFileW.KERNEL32(?,?), ref: 0087CF7F
_wcslen.LIBCMT ref: 0087D005
_wcslen.LIBCMT ref: 0087D01B
SHFileOperationW.SHELL32(?), ref: 0087D061

Strings

\*.*, xrefs: 0087CFF3

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 9c6a9b9d9eeb0f6a9fe6083ab725cbeac66b3bd8beb6c819263174b6dc185d8c
Instruction ID: 789d712bffeef1b8987f604361bd2070f4ff653fc27aaaf4a2a35338963cda82
Opcode Fuzzy Hash: 9c6a9b9d9eeb0f6a9fe6083ab725cbeac66b3bd8beb6c819263174b6dc185d8c
Instruction Fuzzy Hash: E74142719052185FDF12EFA4C981ADEB7B8FF49380F0040EAE549EB145EE74E688CB51

Function 008A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008A2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 008A2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 008A2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 008A2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008A2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 008A2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008A2F0B

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 3ccfd5d6c443ae5e36e4406cd436f4c9f23036e2d97b853e9b6ece2944c2e02c
Instruction ID: fbab4a08932be16223c4ca9284c096d919ba355cbc0d4d3b47250a2e22a91273
Opcode Fuzzy Hash: 3ccfd5d6c443ae5e36e4406cd436f4c9f23036e2d97b853e9b6ece2944c2e02c
Instruction Fuzzy Hash: C531E130604294AFEB21DF5CDC88F657BE1FB9A710F1501A4F901CF6A2CB71A8A0DB41

Function 00877726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00877769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0087778F
SysAllocString.OLEAUT32(00000000), ref: 00877792
SysAllocString.OLEAUT32(?), ref: 008777B0
SysFreeString.OLEAUT32(?), ref: 008777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008777DE
SysAllocString.OLEAUT32(?), ref: 008777EC

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4b1bec0a6646412770c50a37645de211ab087456d1ecde0040a931d15dc3894e
Instruction ID: ab802792089b92afd14a04dfbe79168e1a0022f43fb7669558252f410c735ddf
Opcode Fuzzy Hash: 4b1bec0a6646412770c50a37645de211ab087456d1ecde0040a931d15dc3894e
Instruction Fuzzy Hash: 6721B076604219AFEB14DFA8DC88CBB77ECFB093A47008025FA18DB165D670DC41C764

Function 008777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00877842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00877868
SysAllocString.OLEAUT32(00000000), ref: 0087786B
SysAllocString.OLEAUT32 ref: 0087788C
SysFreeString.OLEAUT32 ref: 00877895
StringFromGUID2.OLE32(?,?,00000028), ref: 008778AF
SysAllocString.OLEAUT32(?), ref: 008778BD

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 209cf2427b765ee2f7c60484bffe0415723a3ef740838496e3d9d0ec7570efcc
Instruction ID: 3f68255f2af33869cb9c6c2befebca7033dc2362b1e79d7de22e2b5fb7837ccd
Opcode Fuzzy Hash: 209cf2427b765ee2f7c60484bffe0415723a3ef740838496e3d9d0ec7570efcc
Instruction Fuzzy Hash: 20216035608218AFEB109FA8DC88DBA77ECFB097607108135F919CB2A5DA74DC41CB69

Function 008804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0088052E

Strings

nul, xrefs: 00880567

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 849e4582fb02f90544b8a9064625d9e63365d36ea2c31d60a35bfc260d5750a3
Instruction ID: a59fdfc204b9c09e468b5dedc28c98ccf9fd81d57bd119762be09233a451cc7b
Opcode Fuzzy Hash: 849e4582fb02f90544b8a9064625d9e63365d36ea2c31d60a35bfc260d5750a3
Instruction Fuzzy Hash: 80213D75600305AFDB60AF69DC44A9A77E4FF45724F204A19F8A1E62E1E7709958CF30

Function 008805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00880601

Strings

nul, xrefs: 00880639

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3c009bd4d5fd66a703a80190741526ff815129618392a5a7689c29842787e738
Instruction ID: 6c613343cd4feeecbb2e8785d80594f6a9a4e313ec38543aa5d1de3ee7448fa5
Opcode Fuzzy Hash: 3c009bd4d5fd66a703a80190741526ff815129618392a5a7689c29842787e738
Instruction Fuzzy Hash: A62181755003059FDB60AF698C04A9A77E4FFA5724F200B19F8A1E72E0E7709864CF20

Function 008A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0081600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0081604C
Part of subcall function 0081600E: GetStockObject.GDI32(00000011), ref: 00816060
Part of subcall function 0081600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0081606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008A4145

Strings

Msctls_Progress32, xrefs: 008A40E3

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c13d5487db977a2465090fb125f6867dc59cad3f08ca6375ba56f24fd5fd489b
Instruction ID: add745b5157f803081b7b7a03e1085df5723cafcec251d3c06a172c7475b2c9b
Opcode Fuzzy Hash: c13d5487db977a2465090fb125f6867dc59cad3f08ca6375ba56f24fd5fd489b
Instruction Fuzzy Hash: 2B1190B214021DBEFF118E64CC85EE77F9DFF09798F005121BA18E6150CAB29C619BA4

Function 0084D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0084D7A3: _free.LIBCMT ref: 0084D7CC

_free.LIBCMT ref: 0084D82D

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084D838
_free.LIBCMT ref: 0084D843
_free.LIBCMT ref: 0084D897
_free.LIBCMT ref: 0084D8A2
_free.LIBCMT ref: 0084D8AD
_free.LIBCMT ref: 0084D8B8

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: e0b3f7f2c545c1e874a6e9a482f29263a3d30fe51ad632c298dc8fa4746682b6
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 5111F971544B08AAEA21BFB5CC46FCB7F9CFF04700F804825B299E6692DA75A5058662

Function 0087DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0087DA74
LoadStringW.USER32(00000000), ref: 0087DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0087DA91
LoadStringW.USER32(00000000), ref: 0087DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0087DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0087DAB9

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 3dcfab05ada66b28a97f6226d29d3d78676af7620619d97e22045be82d88521c
Instruction ID: 60c190476077b3002e2db3fe689c9b5251df8dda362ed7277b3f3b1538591e29
Opcode Fuzzy Hash: 3dcfab05ada66b28a97f6226d29d3d78676af7620619d97e22045be82d88521c
Instruction Fuzzy Hash: 87014BF29002187FF710ABA49D89EEA776CFB09301F404496B74AE2441EA749E848B74

Function 0088096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00B0E378,00B0E378), ref: 0088097B
EnterCriticalSection.KERNEL32(00B0E358,00000000), ref: 0088098D
TerminateThread.KERNEL32(008E43D8,000001F6), ref: 0088099B
WaitForSingleObject.KERNEL32(008E43D8,000003E8), ref: 008809A9
CloseHandle.KERNEL32(008E43D8), ref: 008809B8
InterlockedExchange.KERNEL32(00B0E378,000001F6), ref: 008809C8
LeaveCriticalSection.KERNEL32(00B0E358), ref: 008809CF

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e3243154a9b06686e0c69d3d9972d9a1cb8d6024d72a9c7632837aace24021c9
Instruction ID: 38f1ce82c4f2279c02f0eaafe1077900a83071f5287d0b5114491f2e753c0b0a
Opcode Fuzzy Hash: e3243154a9b06686e0c69d3d9972d9a1cb8d6024d72a9c7632837aace24021c9
Instruction Fuzzy Hash: 9DF0EC32542A12BBE7515FA4EE8DBD6BB39FF06702F402025F20290CA1DB759465CF90

Function 00891C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00891DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00891DE1
WSAGetLastError.WSOCK32 ref: 00891DF2
htons.WSOCK32(?,?,?,?,?), ref: 00891EDB
inet_ntoa.WSOCK32(?), ref: 00891E8C

Part of subcall function 008739E8: _strlen.LIBCMT ref: 008739F2

Part of subcall function 00893224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0088EC0C), ref: 00893240

_strlen.LIBCMT ref: 00891F35

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: fe47ef7cc2a1f4fcdd0b9658c15d87e8c7eff746fe557f4d00ef5fb7e008beb0
Instruction ID: 47c55770b48cfa7a4974fbed12bfdd48e4bbd44adee96f3dd12098c5b2f5c87e
Opcode Fuzzy Hash: fe47ef7cc2a1f4fcdd0b9658c15d87e8c7eff746fe557f4d00ef5fb7e008beb0
Instruction Fuzzy Hash: F2B1C4312083019FDB14EF28C899E6A77A5FF85318F58855CF4569B2E2DB31ED81CB92

Function 00815D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00815D30
GetWindowRect.USER32(?,?), ref: 00815D71
ScreenToClient.USER32(?,?), ref: 00815D99
GetClientRect.USER32(?,?), ref: 00815ED7
GetWindowRect.USER32(?,?), ref: 00815EF8

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 397b78bf4389a16cc47f188510b19a22630dddd77b7bd53c62b592a4973f12a6
Instruction ID: 6c706b80d444f2cb20546e42c52c33f82323fa42eb8d5571213a644157420d2c
Opcode Fuzzy Hash: 397b78bf4389a16cc47f188510b19a22630dddd77b7bd53c62b592a4973f12a6
Instruction Fuzzy Hash: 71B17974A0074ADBDB10CFA8C4807EEB7F5FF58314F14941AE8AAD7250DB30AA95DB50

Function 008401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008400D6
__allrem.LIBCMT ref: 008400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0084010B
__allrem.LIBCMT ref: 00840122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00840140

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 908df50457970ae771974849dae04a3d1b467e7238ba4de22139128350ee8ac1
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 8481C771A00B0A9BD720AE6DCC41B6B73E9FF91324F244539F651D7282EB70D9008F91

Function 008461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008382D9,008382D9,?,?,?,0084644F,00000001,00000001,8BE85006), ref: 00846258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0084644F,00000001,00000001,8BE85006,?,?,?), ref: 008462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008463D8
__freea.LIBCMT ref: 008463E5

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

__freea.LIBCMT ref: 008463EE
__freea.LIBCMT ref: 00846413

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 890c7553ec466c3754c397b2123071da2fd3365960fa4f25ca406f767ef50a4a
Instruction ID: fabab229cc223bcd0b8a1159b4dbe838b1c9c8d6b71b1c5b5638f133313e49f0
Opcode Fuzzy Hash: 890c7553ec466c3754c397b2123071da2fd3365960fa4f25ca406f767ef50a4a
Instruction Fuzzy Hash: BB51F572A0025EABEF258F64CC81EAF77A9FF46710F154229FC05D6240EB34DC60C662

Function 0089BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 0089C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089C9F1
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA68
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0089BD25
RegCloseKey.ADVAPI32(00000000), ref: 0089BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0089BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0089BDF3
RegCloseKey.ADVAPI32(?), ref: 0089BDFF

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 7bcc6ec23a20c406684d46f23a70c9c4a7545ed2328e446afce25f3080df7aa5
Instruction ID: 9c124fa964434d0f9a6328c093096905e6e895f4974f32505acc0263516bcbe3
Opcode Fuzzy Hash: 7bcc6ec23a20c406684d46f23a70c9c4a7545ed2328e446afce25f3080df7aa5
Instruction Fuzzy Hash: A281D430108241EFD714EF24D981E6ABBE9FF84308F18445CF5598B2A2DB31ED45CB92

Function 0086F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0086F7B9
SysAllocString.OLEAUT32(00000001), ref: 0086F860
VariantCopy.OLEAUT32(0086FA64,00000000), ref: 0086F889
VariantClear.OLEAUT32(0086FA64), ref: 0086F8AD
VariantCopy.OLEAUT32(0086FA64,00000000), ref: 0086F8B1
VariantClear.OLEAUT32(?), ref: 0086F8BB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 4a4fd2eb8c5f1a17428b05a6373bfb23dafa1da5f2a186aa6d892e3cde38da04
Instruction ID: 0ce2c24d0044c96843db78e00cd9a449fc8b149da65f9bd335bf0d8337d5c40e
Opcode Fuzzy Hash: 4a4fd2eb8c5f1a17428b05a6373bfb23dafa1da5f2a186aa6d892e3cde38da04
Instruction Fuzzy Hash: F151D531600314BADF10AB69E895B69B7A8FF45314F215476EA05DF293DB70CC40C757

Function 0088910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008894E5
_wcslen.LIBCMT ref: 00889506
_wcslen.LIBCMT ref: 0088952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00889585

Strings

X, xrefs: 00889412

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a75427b822a779ad2acd56af3f77d7ab595b568ec27847df10a8971d0d69a51f
Instruction ID: 4986c21e5784752fc18fdb8511fb96dbd5dd982fc3364144687bd7a91d50aa11
Opcode Fuzzy Hash: a75427b822a779ad2acd56af3f77d7ab595b568ec27847df10a8971d0d69a51f
Instruction Fuzzy Hash: E1E170315043009FD724EF28D881AAAB7E5FF85314F08856DE999DB3A2DB31ED45CB92

Function 0082920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

BeginPaint.USER32(?,?,?), ref: 00829241
GetWindowRect.USER32(?,?), ref: 008292A5
ScreenToClient.USER32(?,?), ref: 008292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008292D3
EndPaint.USER32(?,?,?,?,?), ref: 00829321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008671EA

Part of subcall function 00829339: BeginPath.GDI32(00000000), ref: 00829357

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 8b941adba3d4da861d5ff253420de8927611d9750ed5cb86be8b4a6835078c28
Instruction ID: 4953935d01614026069910bf2cf886655a2ac5403b61a3b25af6e88502b22371
Opcode Fuzzy Hash: 8b941adba3d4da861d5ff253420de8927611d9750ed5cb86be8b4a6835078c28
Instruction Fuzzy Hash: 48419230104255AFDB11DF24DC88FBA7BF8FB56724F140269F9A4CB2A2C7319885DB62

Function 008807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0088080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00880847
EnterCriticalSection.KERNEL32(?), ref: 00880863
LeaveCriticalSection.KERNEL32(?), ref: 008808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00880921

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 17eef1d5df0e643b05279565eb5668abacadd6ef6845c1f0f44b8c125ea366ac
Instruction ID: 97c1c09b8b0bb1b37da1e2528bcb4fd6910d61e205d9ce07195dcc1bd9c1ebe0
Opcode Fuzzy Hash: 17eef1d5df0e643b05279565eb5668abacadd6ef6845c1f0f44b8c125ea366ac
Instruction Fuzzy Hash: 07415871A00205EBEF15AF58DC85AAA77B8FF04310F1440B9E900EA297DB30DE64DFA1

Function 008A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0086F3AB,00000000,?,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 008A824C
EnableWindow.USER32(00000000,00000000), ref: 008A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008A82D1
ShowWindow.USER32(00000000,00000004), ref: 008A82E5
EnableWindow.USER32(00000000,00000001), ref: 008A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 008A832F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8cf9a876dc7c5bb911b91e42a30a2989fec43bed5230ad46e8978703e54ff130
Instruction ID: 54bf42c32fabe735bb12fa964f3e29d472ad1df16a1202422e8cbcc8552709fe
Opcode Fuzzy Hash: 8cf9a876dc7c5bb911b91e42a30a2989fec43bed5230ad46e8978703e54ff130
Instruction Fuzzy Hash: 92418234601644EFEF25CF25D8D9BE47BE1FB0B714F1841A9E6488F6A2CB31A851CB60

Function 00874C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00874C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00874CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00874CEA
_wcslen.LIBCMT ref: 00874D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00874D10
_wcsstr.LIBVCRUNTIME ref: 00874D1A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 39af0e85926c100a7264f740b32498264147d810fed6d2ff602d539354db033a
Instruction ID: 03cb17eb58e13c9116c321fb2313c496dc40858aa84b12aa3cf2721857143011
Opcode Fuzzy Hash: 39af0e85926c100a7264f740b32498264147d810fed6d2ff602d539354db033a
Instruction Fuzzy Hash: 13210731204214BBFB669B39AC49E7B7FACFF46750F10903DF809CA196EB65DC4092A1

Function 0088581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

_wcslen.LIBCMT ref: 0088587B
CoInitialize.OLE32(00000000), ref: 00885995
CoCreateInstance.OLE32(008AFCF8,00000000,00000001,008AFB68,?), ref: 008859AE
CoUninitialize.OLE32 ref: 008859CC

Strings

.lnk, xrefs: 00885876, 008858C1, 00885985

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 29e61a2b3fbceeb74b458838c11da5bdaf0efac1433405f725ca0f8e2f58bb4e
Instruction ID: dc0a413d1caf724311832d4f66e59fd7a8b9ff61121baa062f935c6cdf3b351d
Opcode Fuzzy Hash: 29e61a2b3fbceeb74b458838c11da5bdaf0efac1433405f725ca0f8e2f58bb4e
Instruction Fuzzy Hash: A4D143716086019FC714EF28C480A6ABBE6FF89724F14885DF889DB361DB31ED45CB92

Function 0087175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00870FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00870FCA
Part of subcall function 00870FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00870FD6
Part of subcall function 00870FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00870FE5
Part of subcall function 00870FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00870FEC
Part of subcall function 00870FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00871002

GetLengthSid.ADVAPI32(?,00000000,00871335), ref: 008717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008717BA
HeapAlloc.KERNEL32(00000000), ref: 008717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008717DA
GetProcessHeap.KERNEL32(00000000,00000000,00871335), ref: 008717EE
HeapFree.KERNEL32(00000000), ref: 008717F5

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 71c549b2d0fc57d8c3dea8781ffb7a4afb97f7d97a3489986b0a796f3d623837
Instruction ID: c287dc3669ad41d6d8603cdef7af3be79336bb2fb987844643bd9ce41e70d399
Opcode Fuzzy Hash: 71c549b2d0fc57d8c3dea8781ffb7a4afb97f7d97a3489986b0a796f3d623837
Instruction Fuzzy Hash: D3118E71610605FFEF189FA8CC49BAE7BA9FB46399F108018F445D7628D735E944CB60

Function 008714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00871506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00871515
CloseHandle.KERNEL32(00000004), ref: 00871520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0087154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00871563

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 55d4f103e32fe1d50eb19279ab4f58b3bc79fab52348ad51fa6d594dc2f698b5
Instruction ID: 1cb463768898732bdc4af13678b8ca6cd40078eeab98da4c54d6185bd3a41d23
Opcode Fuzzy Hash: 55d4f103e32fe1d50eb19279ab4f58b3bc79fab52348ad51fa6d594dc2f698b5
Instruction Fuzzy Hash: 4B11267250020DABEF118FA8DD49BDE7BAAFF49748F048025FA09A2560C375CE64DB60

Function 00833382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00833379,00832FE5), ref: 00833390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0083339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008333B7
SetLastError.KERNEL32(00000000,?,00833379,00832FE5), ref: 00833409

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8093718281f4a5dc69b8a4b0ac8527cfb4b41150507487204df641e7972dabc4
Instruction ID: c73dfd7fad4422cf9083f8d83e5c15a589bcff93cf0a8af1320c2af897f5c5ed
Opcode Fuzzy Hash: 8093718281f4a5dc69b8a4b0ac8527cfb4b41150507487204df641e7972dabc4
Instruction Fuzzy Hash: E901D43364E712BEAA2527797C86A676F94FBA5379F20832AF410C53F0EF114D01A5C5

Function 00842D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00845686,00853CD6,?,00000000,?,00845B6A,?,?,?,?,?,0083E6D1,?,008D8A48), ref: 00842D78
_free.LIBCMT ref: 00842DAB
_free.LIBCMT ref: 00842DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0083E6D1,?,008D8A48,00000010,00814F4A,?,?,00000000,00853CD6), ref: 00842DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0083E6D1,?,008D8A48,00000010,00814F4A,?,?,00000000,00853CD6), ref: 00842DEC
_abort.LIBCMT ref: 00842DF2

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: cbf0986f3247b8000898a076fd6f000b8c7061997e0cfc5838c8fcb43960fe46
Instruction ID: 989a69dba07be89eafd82ea3462224152ec7ba480fc23ccbc736140142a10aa8
Opcode Fuzzy Hash: cbf0986f3247b8000898a076fd6f000b8c7061997e0cfc5838c8fcb43960fe46
Instruction Fuzzy Hash: F7F0C83190DA1D67D612773DBC0AF1E3A59FFC27A5F640519F824D22D2EF7488014162

Function 008A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00829639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00829693
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296A2
Part of subcall function 00829639: BeginPath.GDI32(?), ref: 008296B9
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 008A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 008A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 008A8A70
LineTo.GDI32(?,00000000,00000003), ref: 008A8A80
EndPath.GDI32(?), ref: 008A8A90
StrokePath.GDI32(?), ref: 008A8AA0

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a4262048931d3c8a7ad926f1740df1e1acc08e8f8b500f545a99e1268d739167
Instruction ID: aa9fc65547969822506b436fc71b37a789f94fe6ab7fe01a9b68fc4c60a886bc
Opcode Fuzzy Hash: a4262048931d3c8a7ad926f1740df1e1acc08e8f8b500f545a99e1268d739167
Instruction Fuzzy Hash: 14110976000158FFEF129F94DC88EAA7F6CFB09350F008012FA199A5A1D771AD55DBA0

Function 008751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00875218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00875229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00875230
ReleaseDC.USER32(00000000,00000000), ref: 00875238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0087524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00875261

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: fbc241248d2aaa85f51b2a6497c70e47d628fa17918573f3394e813a365c5340
Instruction ID: 8062e9420107747b4ee0e9d07450c381f45b5647a8f7713fa3afd342f8ac26e2
Opcode Fuzzy Hash: fbc241248d2aaa85f51b2a6497c70e47d628fa17918573f3394e813a365c5340
Instruction Fuzzy Hash: 8C014F75A00718BBEB109BA69C49A5EBFB8FB49751F044065FA04E7681DA70DC00CFA0

Function 00811BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00811BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00811BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00811C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00811C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00811C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00811C22

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9793ae4ce71b431f56d3d3ef4fec3d52770578dfa0b0fe19880e06f701a98c7c
Instruction ID: 2337703464a6f9ee212430fa96ea39a66334e7a06e6b9de92bce74c1d70a8111
Opcode Fuzzy Hash: 9793ae4ce71b431f56d3d3ef4fec3d52770578dfa0b0fe19880e06f701a98c7c
Instruction Fuzzy Hash: 4A0167B0902B5ABDE3008F6A8C85B52FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0087EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0087EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0087EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0087EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0087EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0087EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0087EB75

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 7e759b3454cc717106e17f0b44f214ae25b8739cb0f419d8951b409b43e62612
Instruction ID: 40168818099cb8d42b4809b61048450c53e67157d579d0993def229f72e36206
Opcode Fuzzy Hash: 7e759b3454cc717106e17f0b44f214ae25b8739cb0f419d8951b409b43e62612
Instruction Fuzzy Hash: 1BF01772240558BBE6219B629C0EEAB7A7CFBDBB11F004159F601E1591EBA05A0186B5

Function 00867439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00867452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00867469
GetWindowDC.USER32(?), ref: 00867475
GetPixel.GDI32(00000000,?,?), ref: 00867484
ReleaseDC.USER32(?,00000000), ref: 00867496
GetSysColor.USER32(00000005), ref: 008674B0

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 437e8727d222653393daad84f1a23778484038ea3146e693da763592178d0442
Instruction ID: a7d42d0348540ced15115b729965fc4cb1676fc43b31d000ef18ab4dde283bf8
Opcode Fuzzy Hash: 437e8727d222653393daad84f1a23778484038ea3146e693da763592178d0442
Instruction Fuzzy Hash: B501A931400219EFEB509FA4DD08BAE7BB6FF05325F210064FA26E25A0CF311E41EB90

Function 00871874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0087187F
UnloadUserProfile.USERENV(?,?), ref: 0087188B
CloseHandle.KERNEL32(?), ref: 00871894
CloseHandle.KERNEL32(?), ref: 0087189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008718A5
HeapFree.KERNEL32(00000000), ref: 008718AC

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 23863f7181cddd2d4649a1fba116ba666bc512aef1ccacc7ea64a9e59b9ce47b
Instruction ID: 7ffbc852af878ce1165dcd9bd31d78e644538c451e1beffe6e0c94e4b1b5982e
Opcode Fuzzy Hash: 23863f7181cddd2d4649a1fba116ba666bc512aef1ccacc7ea64a9e59b9ce47b
Instruction Fuzzy Hash: DBE0E536204101BBEB015FA5ED0C90AFF79FF4AB22B108220F22581970CB329421DF50

Function 0087C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0087C6EE
_wcslen.LIBCMT ref: 0087C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0087C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0087C7CA

Strings

0, xrefs: 0087C6AF

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 00a3e81845b52c699f025dd9c30228c452be6ceb3de5d09e3fabe154c04d3676
Instruction ID: df52c7669c8f35e50a65e9584c483644c6d0f36b49f666fd1b5ce552c23db30c
Opcode Fuzzy Hash: 00a3e81845b52c699f025dd9c30228c452be6ceb3de5d09e3fabe154c04d3676
Instruction Fuzzy Hash: CF51DE716083009BD7189F2CC885A6B77E8FF9A394F048A2DF999E31A5DF70D944CB52

Function 0089AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0089AEA3

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

GetProcessId.KERNEL32(00000000), ref: 0089AF38
CloseHandle.KERNEL32(00000000), ref: 0089AF67

Strings

<, xrefs: 0089AE6B
@, xrefs: 0089AE72

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: d53c90c819a6dd87a497e18ebbbe61626ef27eeb79ad6301617b688135329c13
Instruction ID: 6f9ac9b25f206e60ff7a7a1de2099239b1ec9536349287a352b8b34d46d2ab24
Opcode Fuzzy Hash: d53c90c819a6dd87a497e18ebbbe61626ef27eeb79ad6301617b688135329c13
Instruction Fuzzy Hash: A8713774A00219DFCF14EF58C484A9EBBB5FF08314F088499E816AB752CB75ED85CB92

Function 0087719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00877206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0087723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0087724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008772CF

Strings

DllGetClassObject, xrefs: 00877242

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 7bfb60997defd8b72c9d193725d9e0be4d906f8995dfc64fd58d260ac79e23cd
Instruction ID: 9706590ac4e62610e0a26b6e601e8dea8fd3b091979dad5de2e81a96f9597e95
Opcode Fuzzy Hash: 7bfb60997defd8b72c9d193725d9e0be4d906f8995dfc64fd58d260ac79e23cd
Instruction Fuzzy Hash: BF416B71A04204EFDB15CF94C884A9A7BA9FF45314F1480A9BD1ADF20ED7B0D944DBA0

Function 00871DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00871E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00871E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00871EA9

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Strings

ListBox, xrefs: 00871E25
ComboBox, xrefs: 00871DF0

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 6291dc51180b7bd74806396d2c8c1b505e9250b6bae5a9910d23bdeb6786e032
Instruction ID: 80961461524de38f45ceebbae78f23e308295c6a18afe0443c3b62b4ba9fb5a1
Opcode Fuzzy Hash: 6291dc51180b7bd74806396d2c8c1b505e9250b6bae5a9910d23bdeb6786e032
Instruction Fuzzy Hash: 61210A72900104BADB149B68DC5ACFF77BCFF46360B108129F869E76D1DB3489459661

Function 008A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008A2F8D
LoadLibraryW.KERNEL32(?), ref: 008A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008A2FA9
DestroyWindow.USER32(?), ref: 008A2FB1

Strings

SysAnimate32, xrefs: 008A2F68

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 9543f169b7774eecaa10b553932183d36a731e9a8f38fe63d273cc53ccabd882
Instruction ID: c882540c39c35ab9049b35d48d41c067a3c808a0b7730cc251328533ef558ce6
Opcode Fuzzy Hash: 9543f169b7774eecaa10b553932183d36a731e9a8f38fe63d273cc53ccabd882
Instruction Fuzzy Hash: 5E219A71200209AFFB309F68DC80EBB37B9FB5A368F104229FA50D6990DB71DC919760

Function 00834D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00834D1E,008428E9,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002), ref: 00834D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00834DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00834D1E,008428E9,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002,00000000), ref: 00834DC3

Strings

CorExitProcess, xrefs: 00834D98
mscoree.dll, xrefs: 00834D86

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f77f4c2ffce647d5ad94eaf6419dd4a3cc7556c05df5bb551fbfb036eef90fee
Instruction ID: 8c62049ae16b9ebb502ac6ff77886f4bc86747e8bbb9df099f01eee671bbac78
Opcode Fuzzy Hash: f77f4c2ffce647d5ad94eaf6419dd4a3cc7556c05df5bb551fbfb036eef90fee
Instruction Fuzzy Hash: E0F03C34A41618ABEB119B94DC49BAEBFE5FB44751F0001A4E806E2660CF75AD40DED5

Function 0086D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0086D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0086D3BF
FreeLibrary.KERNEL32(00000000), ref: 0086D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0086D3B9
X64, xrefs: 0086D2A8

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 82be257e039231f774a07d78f4730894c6e6dcc0400ca8b0e17cc42f7bcbbda2
Instruction ID: a297cb63ff226854e3e6a3e452b5bee0d5f1d73fb74125c5e2883a26af56a864
Opcode Fuzzy Hash: 82be257e039231f774a07d78f4730894c6e6dcc0400ca8b0e17cc42f7bcbbda2
Instruction Fuzzy Hash: 78F05571F05B208BE77117118C28A6E3720FF12709B568155F602EA321EB20CC84C792

Function 00814E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00814EAE
FreeLibrary.KERNEL32(00000000,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814EC0

Strings

kernel32.dll, xrefs: 00814E94
Wow64DisableWow64FsRedirection, xrefs: 00814EA8

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 6f25a49518c044b1e8791cfb561095a280105b1cc8d5af3a04ae76d5e7ba2fee
Instruction ID: b85881fec64011d4c9bc059d0e947e72b2f4df5f0c9d5441b20d4c3893854add
Opcode Fuzzy Hash: 6f25a49518c044b1e8791cfb561095a280105b1cc8d5af3a04ae76d5e7ba2fee
Instruction Fuzzy Hash: 3BE08635B019225BA2311B256C18B9B7658FF82B727050115FC04D2600DB64CD4284A1

Function 00814E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00814E74
FreeLibrary.KERNEL32(00000000,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E87

Strings

kernel32.dll, xrefs: 00814E5B
Wow64RevertWow64FsRedirection, xrefs: 00814E6E

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 9585ab067d2a81acf6942d2c3e693e25ca69607aad54d4b13fd926b13867de53
Instruction ID: 3df3d790f6dff00018e60566ed398687ca9ef9fe4181d8eff4372c10332cfbdd
Opcode Fuzzy Hash: 9585ab067d2a81acf6942d2c3e693e25ca69607aad54d4b13fd926b13867de53
Instruction Fuzzy Hash: 5ED01235602A225766221B257C18DCB7A1CFF86B713450615F905E2614DF65CD42C5E0

Function 00882947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00882C05
DeleteFileW.KERNEL32(?), ref: 00882C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00882C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00882CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00882CC0

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c68840c0f85503e7cd0814b8e28611621543a7590e93867d43c5264e60680382
Instruction ID: d0ec38892414321d62ae7b0a1830bb7ac355c170860e7114373a24bcd1b96136
Opcode Fuzzy Hash: c68840c0f85503e7cd0814b8e28611621543a7590e93867d43c5264e60680382
Instruction Fuzzy Hash: ECB14F71D01129ABDF15EBA8CC85EEEB7BDFF49350F1040A6F509E6141EA319A448FA1

Function 0089A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0089A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0089A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0089A468
CloseHandle.KERNEL32(?), ref: 0089A63D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: f84652a55adbadc899f799bd3238582dc4cd7bf3f50cf0f402a6c4d8cbea1f41
Instruction ID: 27b453d339398d167e006fa6b31306b76a3c14d5bb1bd42d2f50b98243d691c2
Opcode Fuzzy Hash: f84652a55adbadc899f799bd3238582dc4cd7bf3f50cf0f402a6c4d8cbea1f41
Instruction Fuzzy Hash: 01A16D716043009FDB24EF28D886B2AB7E5FF94714F14885DF55ADB292DBB0EC418B92

Function 0084BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,008B3700), ref: 0084BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0084BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008E1270,000000FF,?,0000003F,00000000,?), ref: 0084BC36
_free.LIBCMT ref: 0084BB7F

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084BD4B

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: a69a9c19405967a550f219219947f9ce714fd0edeef8ff4493c9430bb3bf5c6a
Instruction ID: 92d154c32cb1cd0ae437891b914b4e7aadde01061fc2decdba71ed45376bbabd
Opcode Fuzzy Hash: a69a9c19405967a550f219219947f9ce714fd0edeef8ff4493c9430bb3bf5c6a
Instruction Fuzzy Hash: B451D37190021DEFDB14EF699CC59AEBBB8FF41320B10026AE564D72A1EB30DE41CB91

Function 0087E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0087CF22,?), ref: 0087DDFD

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0087CF22,?), ref: 0087DE16

Part of subcall function 0087E199: GetFileAttributesW.KERNEL32(?,0087CF95), ref: 0087E19A

lstrcmpiW.KERNEL32(?,?), ref: 0087E473
MoveFileW.KERNEL32(?,?), ref: 0087E4AC
_wcslen.LIBCMT ref: 0087E5EB
_wcslen.LIBCMT ref: 0087E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0087E650

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 395137d8fc2a1d6a095280bd11e30f87f792e8154261622e8c9bc8f5e37dba8a
Instruction ID: 05b726201daf8e20938d714133a81ea4b6961d5603cbac2fcd8b1f922d1b162c
Opcode Fuzzy Hash: 395137d8fc2a1d6a095280bd11e30f87f792e8154261622e8c9bc8f5e37dba8a
Instruction Fuzzy Hash: 20517EB24087445BC724DB94C8919DB73ECFF88344F00492EE689D3151EE74E68887AB

Function 0089B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 0089C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089C9F1
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA68
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0089BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0089BB63
RegCloseKey.ADVAPI32(?,?), ref: 0089BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0089BBB3

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 81a94357b7a5e8f4f398af7051d7a486b315801828dc15d41cb7a3f72739b1fe
Instruction ID: adca6da3d2f0b635c40fcc00d335442d703c13191090965d275f18db2bcb3df3
Opcode Fuzzy Hash: 81a94357b7a5e8f4f398af7051d7a486b315801828dc15d41cb7a3f72739b1fe
Instruction Fuzzy Hash: 4A61C031208241EFD714EF14D990E6ABBE9FF84318F18855CF4998B2A2DB31ED45CB92

Function 00878BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00878BCD
VariantClear.OLEAUT32 ref: 00878C3E
VariantClear.OLEAUT32 ref: 00878C9D
VariantClear.OLEAUT32(?), ref: 00878D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00878D3B

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 228207fd30c23ebda0b092dd299a5f675328bbb17c7c39bf1215130ba83fe721
Instruction ID: b442e11746f46f4395e162824327115b1dc0624e97c368362e7d0ebc6cb875bb
Opcode Fuzzy Hash: 228207fd30c23ebda0b092dd299a5f675328bbb17c7c39bf1215130ba83fe721
Instruction Fuzzy Hash: F85189B1A00219EFCB10CF28C884AAABBF8FF8D314B158559E919DB354E730E911CF90

Function 00888AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00888BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00888BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00888C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00888C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00888C5F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 28cbdda3d5e5e5c9c819c7191c9ed2f5ad4db4331f9b0c65ebcab7c8cd7ad2ce
Instruction ID: 9ae282b72db3ea27cf956987baa7b15bc76fd29619bfa79659b18cf7facb33d0
Opcode Fuzzy Hash: 28cbdda3d5e5e5c9c819c7191c9ed2f5ad4db4331f9b0c65ebcab7c8cd7ad2ce
Instruction Fuzzy Hash: 44515D35A00215DFCB01DF68C881AADBBF6FF49314F088458E849AB362DB31ED81CB91

Function 00898EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00898F40
GetProcAddress.KERNEL32(00000000,?), ref: 00898FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00898FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00899032
FreeLibrary.KERNEL32(00000000), ref: 00899052

Part of subcall function 0082F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00881043,?,7556E610), ref: 0082F6E6
Part of subcall function 0082F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0086FA64,00000000,00000000,?,?,00881043,?,7556E610,?,0086FA64), ref: 0082F70D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: b80ea0c358ed2fd48de22e54cf6773e11fa8f7e692dded6fbce9491ea0d33508
Instruction ID: 60b929f097bcce6ee7fefe4b696a56eedd6c8d6b18f006e0c5331054859c23ff
Opcode Fuzzy Hash: b80ea0c358ed2fd48de22e54cf6773e11fa8f7e692dded6fbce9491ea0d33508
Instruction Fuzzy Hash: E2512835600605DFCB11EF58C4948ADBBF5FF49314B0980A8E85ADB762DB31ED85CB91

Function 008A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 008A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 008A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 008A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0088AB79,00000000,00000000), ref: 008A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 008A6CC7

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: be86487edc27d339706033dabdab7b285bcfad06b14370ebdb6f81e7b36ae26d
Instruction ID: bd6812b4266632d4af5f71d46ea338a4ac321d2ff4d322e41208087d612b0896
Opcode Fuzzy Hash: be86487edc27d339706033dabdab7b285bcfad06b14370ebdb6f81e7b36ae26d
Instruction Fuzzy Hash: 7641D535A04104AFEB24DF28CC58FA57BA5FB0B370F190228F895E76E5E771AD61C650

Function 00842051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008420C3
_free.LIBCMT ref: 008420E3

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e2b5dff7edb89556bad23e4817dbd98baa6b0be6689f8ec7a23aba83bca66215
Instruction ID: 0c0055029585b6a5ede671083009e926b2b4ba059ae6854e0cbd3e1833c98b1e
Opcode Fuzzy Hash: e2b5dff7edb89556bad23e4817dbd98baa6b0be6689f8ec7a23aba83bca66215
Instruction Fuzzy Hash: 6F41E132A006089FCB20DF78C880A5EB7F5FF88314F5545A9F615EB396DA31AD01CB81

Function 0082912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00829141
ScreenToClient.USER32(00000000,?), ref: 0082915E
GetAsyncKeyState.USER32(00000001), ref: 00829183
GetAsyncKeyState.USER32(00000002), ref: 0082919D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d3beb79cae16491d18229e920deb59dd84695c200b86e5edef35cf6217164da5
Instruction ID: 487ef05559f8078eb386c19c77f42f922bac231d16cb43d34cee7b314fb19e01
Opcode Fuzzy Hash: d3beb79cae16491d18229e920deb59dd84695c200b86e5edef35cf6217164da5
Instruction Fuzzy Hash: 6B41407190861AFBDF159F69D844BEEB774FB06324F204216E465E72D0C7345990CB91

Function 00883874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00883922
TranslateMessage.USER32(?), ref: 0088394B
DispatchMessageW.USER32(?), ref: 00883955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00883966

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: da56ae7c91a1cc332cfa292e2c3afa9ae4aa0af071271a27d38c9fd1ab40bb40
Instruction ID: 54e1788dc8e24537c2bb99be933a865cd014fac9accea3fa1a02fbf96a78e0fe
Opcode Fuzzy Hash: da56ae7c91a1cc332cfa292e2c3afa9ae4aa0af071271a27d38c9fd1ab40bb40
Instruction Fuzzy Hash: 9931D3709043869EEF35EB34DC88BB67FA8FB07B04F040569E466C65A1E7F49A85CB11

Function 0088CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0088C21E,00000000), ref: 0088CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0088CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0088C21E,00000000), ref: 0088CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0088C21E,00000000), ref: 0088CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0088C21E,00000000), ref: 0088CFF2

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 032611e9a63eccb72a0ee92da9fc14725bd044b0c8db21a73c7e5037043a62f3
Instruction ID: a2eefc12e4f49fbb293572487e69442805c34a452a1bd162efcf19371fee9f55
Opcode Fuzzy Hash: 032611e9a63eccb72a0ee92da9fc14725bd044b0c8db21a73c7e5037043a62f3
Instruction Fuzzy Hash: 34315E71504205EFEB20EFA9D884AABBBF9FF15354B10442EF606D2545DF70AE40DB60

Function 00871901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00871915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008719E2

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ea9dad20c58bbc962efde06cd4799ad01080e6824f7de6061472e84456c9402e
Instruction ID: 1622a46f3886f23d5150b917ca281bb22efce44ab8c76fee601111a4dea10629
Opcode Fuzzy Hash: ea9dad20c58bbc962efde06cd4799ad01080e6824f7de6061472e84456c9402e
Instruction Fuzzy Hash: BF317871A00219AFDB10CFACC999B9E3BB5FB55315F108229FA25E72D1C770D945CB90

Function 008A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 008A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 008A579D
_wcslen.LIBCMT ref: 008A57AF
_wcslen.LIBCMT ref: 008A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 008A5816

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 2b13f0d87eef7fcde1340343d4e886b8dfe9366d589eb1493fd3ddb22734e601
Instruction ID: 3a73f42fc2894542e092b88369ffe703e3402cede2c68ddfd457d8f160162a41
Opcode Fuzzy Hash: 2b13f0d87eef7fcde1340343d4e886b8dfe9366d589eb1493fd3ddb22734e601
Instruction Fuzzy Hash: 4C21B671904618DAEB20CF64DC84AEE7BB8FF46324F108216F929EB580D77499C5CF91

Function 0082990F Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008298CC
SetTextColor.GDI32(?,?), ref: 008298D6
SetBkMode.GDI32(?,00000001), ref: 008298E9
GetStockObject.GDI32(00000005), ref: 008298F1
GetWindowLongW.USER32(?,000000EB), ref: 00829952

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: fba9b56133fc415a0e82017fc7bcf38dcb72e2a827c1603565bda1500cfb94ad
Instruction ID: 00c066718cb837de5afd814bbebea1668a8ce7d8586a1b89c4821747eaa1f388
Opcode Fuzzy Hash: fba9b56133fc415a0e82017fc7bcf38dcb72e2a827c1603565bda1500cfb94ad
Instruction Fuzzy Hash: D521A1715492909FDB228B34EC59AA53FA0FF13335B19019DE5D2CA1A2D6364992CB50

Function 00890930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00890951
GetForegroundWindow.USER32 ref: 00890968
GetDC.USER32(00000000), ref: 008909A4
GetPixel.GDI32(00000000,?,00000003), ref: 008909B0
ReleaseDC.USER32(00000000,00000003), ref: 008909E8

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5c25c11687e209f88ee7c47804089b916926c28287e5f19c291028c5d6a2de1f
Instruction ID: 957d2352b0709b077422092f60b066b5011ea88aa13b213724da1bb7b1cd41ca
Opcode Fuzzy Hash: 5c25c11687e209f88ee7c47804089b916926c28287e5f19c291028c5d6a2de1f
Instruction Fuzzy Hash: 67218435A00204AFDB04EF69D944AAEBBE9FF45700F04846CF84AD7751DB70AC44CB50

Function 0084CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0084CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0084CDE9

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0084CE0F
_free.LIBCMT ref: 0084CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0084CE31

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 42a88adf63b974f84d6a2f45b31112d08fa93c2684b9b4ecaa6abf8d052761e7
Instruction ID: 378cebfd0605599f615f6e3086e9f1bcdaeb3be1f9379b8ff4d593c802daa1ba
Opcode Fuzzy Hash: 42a88adf63b974f84d6a2f45b31112d08fa93c2684b9b4ecaa6abf8d052761e7
Instruction Fuzzy Hash: 8A014F72A0361D7F37611ABAAC88D7B7E6DFEC7BA13150129F905D7201EF618D0291B1

Function 00829639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00829693
SelectObject.GDI32(?,00000000), ref: 008296A2
BeginPath.GDI32(?), ref: 008296B9
SelectObject.GDI32(?,00000000), ref: 008296E2

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6f68c8e08b7de07214907c8fa42bb561097ddc9dd256406bd5def739d5794265
Instruction ID: aebf369782d2319621c43bdd1c05c81116c575f34e95cfd986090fad30061409
Opcode Fuzzy Hash: 6f68c8e08b7de07214907c8fa42bb561097ddc9dd256406bd5def739d5794265
Instruction Fuzzy Hash: EA217F30802355EBDF11AF28EC4CBA93FA8FB21315F900216F850EA1A2D37458D2CF90

Function 00875711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00875726
_memcmp.LIBVCRUNTIME ref: 00875744
_memcmp.LIBVCRUNTIME ref: 00875757
_memcmp.LIBVCRUNTIME ref: 0087576F
_memcmp.LIBVCRUNTIME ref: 00875787

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a881648d6b5de5e7133eddd9446e4f752a53bd242223186b16e7bc57183cae58
Instruction ID: 634e45ce2ec735040f35416cd4ff9cdeceae41a79bf10c671ca393dc5a7247a4
Opcode Fuzzy Hash: a881648d6b5de5e7133eddd9446e4f752a53bd242223186b16e7bc57183cae58
Instruction Fuzzy Hash: C90192A1641A19BAE70C55159D86FBA635CFB627E8F00C020FE1CDA746F7A5ED1082E1

Function 00842DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0083F2DE,00843863,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6), ref: 00842DFD
_free.LIBCMT ref: 00842E32
_free.LIBCMT ref: 00842E59
SetLastError.KERNEL32(00000000,00811129), ref: 00842E66
SetLastError.KERNEL32(00000000,00811129), ref: 00842E6F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1153c98591a78d01d615f1c6cee5517e5170111e96cfa23ce5ce23534472d96c
Instruction ID: da435009536782110b502a65d46bcc5dce07b8b5f21a795665217bd4463b98dc
Opcode Fuzzy Hash: 1153c98591a78d01d615f1c6cee5517e5170111e96cfa23ce5ce23534472d96c
Instruction Fuzzy Hash: 9101F43220D60D77DA1267396C85E2B2B69FBD23B9BE40129F421E2293EF74CC018121

Function 0087000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?,?,0087035E), ref: 0087002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?), ref: 00870064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870070

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 6f33481e19e967b5f8a7e5d3641040009eb0cc137cdb390baadeaae4ba8b0225
Instruction ID: ee89200bfad049ea9e2f16d94b934cf0854e0747b46e31833a5e60f3711f8597
Opcode Fuzzy Hash: 6f33481e19e967b5f8a7e5d3641040009eb0cc137cdb390baadeaae4ba8b0225
Instruction Fuzzy Hash: B501AD72600604FFEB108F68DC04BAA7AEDFF497A2F148124F909D2314EB75DD409BA0

Function 0087E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0087E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0087E9A5
Sleep.KERNEL32(00000000), ref: 0087E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0087E9B7
Sleep.KERNEL32 ref: 0087E9F3

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: fbf59f5f8103581892fc3e979493bcfe4fc9c98e2e04c7b84aa4814f4dd99aa7
Instruction ID: e8671d783757d48a8f54d9dca43c4eb98d644f0c8a34a1dd1580c7c82c7c7990
Opcode Fuzzy Hash: fbf59f5f8103581892fc3e979493bcfe4fc9c98e2e04c7b84aa4814f4dd99aa7
Instruction Fuzzy Hash: 73010532D0162DDBDF00ABE5D859BEDBB78FB0E701F004596EA06F2245CB3495558BA1

Function 008710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00871114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 0087112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0087114D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 0c388830020a4137424687fd29f3d82236c65a8105ea0f3265d78c82b3a84637
Instruction ID: da3384582b05139e5089db9d02036d53c6da0f7acf89bd89b8a136f7302226ec
Opcode Fuzzy Hash: 0c388830020a4137424687fd29f3d82236c65a8105ea0f3265d78c82b3a84637
Instruction Fuzzy Hash: B9011975200205BFEB114FA9DC4DA6A3B6EFF8A3A0B604419FA45D7760DA31DD009A60

Function 00870FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00870FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00870FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00870FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00870FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00871002

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e5af3018e422cb32dec97d0c4e8a8ebf0e302fe946984c001202941bfe326b05
Instruction ID: b0be2a920a6126f7b4c69688060500b13668765fe8e622d0dd744adbd4239405
Opcode Fuzzy Hash: e5af3018e422cb32dec97d0c4e8a8ebf0e302fe946984c001202941bfe326b05
Instruction Fuzzy Hash: C5F04935200701ABEB214FA89C4DF563BADFF8AB62F104414FA49C6651DE70DC508A60

Function 00871014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0087102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00871036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0087104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871062

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2a298950b3560cccd696698e5590e0d0fd681424442d0ec41fbf814b16d6e512
Instruction ID: 3f5f91e11c88501fa89fc270732a6624432747475a59cece021461699ccce633
Opcode Fuzzy Hash: 2a298950b3560cccd696698e5590e0d0fd681424442d0ec41fbf814b16d6e512
Instruction Fuzzy Hash: 64F04935200701ABEB219FA8EC4DF563BADFF8A761F104414FA49C6650DE70D8508A60

Function 0088030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880324
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880331
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 0088033E
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 0088034B
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880358
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880365

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: edcd758a46512f2c6327ecf3334624bb1b681dc22bc204ee9dad8bc805e3aa96
Instruction ID: a1a26e24c5108b9d86efd86074efbcf5c755b376fb135f8c02dba47dc13eae9d
Opcode Fuzzy Hash: edcd758a46512f2c6327ecf3334624bb1b681dc22bc204ee9dad8bc805e3aa96
Instruction Fuzzy Hash: BB016C72801B159FCB30AF66D890816FBF9FE602153158A3ED19692A31C7B1A959DF80

Function 0084D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0084D752

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084D764
_free.LIBCMT ref: 0084D776
_free.LIBCMT ref: 0084D788
_free.LIBCMT ref: 0084D79A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 62f871b8d1889659a193eae531eb8815ee0da2af07252cde60b6ed7707d661fd
Instruction ID: 9296f7bf3507a5bfc472f1f11da9265e27329b60633d580bfba55d4c8c5d612f
Opcode Fuzzy Hash: 62f871b8d1889659a193eae531eb8815ee0da2af07252cde60b6ed7707d661fd
Instruction Fuzzy Hash: 78F01D3254A30DAB9621EB69F9C6D1ABFDDFB44710BE40D06F048E7502CB30FC808A65

Function 00875C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00875C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00875C6F
MessageBeep.USER32(00000000), ref: 00875C87
KillTimer.USER32(?,0000040A), ref: 00875CA3
EndDialog.USER32(?,00000001), ref: 00875CBD

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9b09bdb1dee2706ff4e2d7125fd6430e4948f21d5e4423edb72cef66be2d1bd0
Instruction ID: 16b818071be4168717eeefd5c1ba66fce19e6fb9af3f0e7d9278e30aa7c565a6
Opcode Fuzzy Hash: 9b09bdb1dee2706ff4e2d7125fd6430e4948f21d5e4423edb72cef66be2d1bd0
Instruction Fuzzy Hash: AF018130500B08ABFB219B50DD8EFA677B8FF51B05F04455DA587E14E1DBF4A9848A90

Function 008422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008422BE

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 008422D0
_free.LIBCMT ref: 008422E3
_free.LIBCMT ref: 008422F4
_free.LIBCMT ref: 00842305

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 43381f4fe83f3551d9863e2f3f7b85e4a65cf96ba9a6669297e64bf33ade2765
Instruction ID: 253c4deb202b244bb50cee25d458dc7fd7d5d5185d6bf5a418c9e1ded6ceb265
Opcode Fuzzy Hash: 43381f4fe83f3551d9863e2f3f7b85e4a65cf96ba9a6669297e64bf33ade2765
Instruction Fuzzy Hash: 68F05E708091A59B9A12EF99BC81D0C3F68F7187607800A1BF414DA2B5CB711862EFE5

Function 008295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008295D4
StrokeAndFillPath.GDI32(?,?,008671F7,00000000,?,?,?), ref: 008295F0
SelectObject.GDI32(?,00000000), ref: 00829603
DeleteObject.GDI32 ref: 00829616
StrokePath.GDI32(?), ref: 00829631

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 0709e0c9139c3cf92ad96fa9b7ad536e31306cfdf3aca2a975c769d097cfd76b
Instruction ID: b3c50a94adf40547de9b950cfc38650b340b580122a132a971c889b680b6abd4
Opcode Fuzzy Hash: 0709e0c9139c3cf92ad96fa9b7ad536e31306cfdf3aca2a975c769d097cfd76b
Instruction Fuzzy Hash: ABF04F30005648EBEF126F65ED5C7643FA1FB12322F448214F565994F2CB3489D1DF20

Function 00840F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008410F9
__freea.LIBCMT ref: 00841117

Part of subcall function 00841537: _free.LIBCMT ref: 0084154F

Strings

a/p, xrefs: 008411DE
am/pm, xrefs: 0084117A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 41649554c4a1ddda6e9bbf398edd4aa16249b15d8a40e0288bbd445748779cb1
Instruction ID: 5fdee0413b8cd5eeb4361d79ea63106bb2752e7aa3d0283ded9a8a3c1cdf9ef7
Opcode Fuzzy Hash: 41649554c4a1ddda6e9bbf398edd4aa16249b15d8a40e0288bbd445748779cb1
Instruction Fuzzy Hash: CAD1DE31A1020E9ADF289F68C89DABAB7B1FF05704F284159E911EBB50D7799DC0CB91

Function 00897B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00830242: EnterCriticalSection.KERNEL32(008E070C,008E1884,?,?,0082198B,008E2518,?,?,?,008112F9,00000000), ref: 0083024D
Part of subcall function 00830242: LeaveCriticalSection.KERNEL32(008E070C,?,0082198B,008E2518,?,?,?,008112F9,00000000), ref: 0083028A

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 008300A3: __onexit.LIBCMT ref: 008300A9

__Init_thread_footer.LIBCMT ref: 00897BFB

Part of subcall function 008301F8: EnterCriticalSection.KERNEL32(008E070C,?,?,00828747,008E2514), ref: 00830202
Part of subcall function 008301F8: LeaveCriticalSection.KERNEL32(008E070C,?,00828747,008E2514), ref: 00830235

Strings

G, xrefs: 00897C7F
Variable must be of type 'Object'., xrefs: 00897C3A
5, xrefs: 00897C78

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 27a57d815dbc2c1653155bf0e0e602d22dbd6400c8f6a77db9aa12d895cbdc92
Instruction ID: 378f778ff601613632eb0f92874d0ca3bfe1a9629d50d43ccbb12665f515a95a
Opcode Fuzzy Hash: 27a57d815dbc2c1653155bf0e0e602d22dbd6400c8f6a77db9aa12d895cbdc92
Instruction Fuzzy Hash: 6F918970A14209EFCF04EF98D8919ADB7B5FF49304F188059F806DB292DB71AE85CB52

Function 00872716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0087B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008721D0,?,?,00000034,00000800,?,00000034), ref: 0087B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00872760

Part of subcall function 0087B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0087B3F8

Part of subcall function 0087B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0087B355
Part of subcall function 0087B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00872194,00000034,?,?,00001004,00000000,00000000), ref: 0087B365
Part of subcall function 0087B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00872194,00000034,?,?,00001004,00000000,00000000), ref: 0087B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0087281A

Strings

@, xrefs: 00872832

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b03f31979b71c8fe1999019e2264c3e11692615ead24f86757782d4604eaf87f
Instruction ID: e04bc967268eaf9c8680fde97fd1dd52b0e1a3805ef186f5e0cddd1dba06ca77
Opcode Fuzzy Hash: b03f31979b71c8fe1999019e2264c3e11692615ead24f86757782d4604eaf87f
Instruction Fuzzy Hash: DB411F72900218AFDB10DBA8CD45BDEBBB8FF05700F108095FA59B7185DB71AE85DB91

Function 0084172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe,00000104), ref: 00841769
_free.LIBCMT ref: 00841834
_free.LIBCMT ref: 0084183E

Strings

C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe, xrefs: 00841760, 00841767, 00841796, 008417CE

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\QUOTATION#090125-ELITEMARINE.exe
API String ID: 2506810119-3867564610
Opcode ID: 13955819af2e51a0aa501a5fd4b85d54051b51e16188c0ac1dccfd05616853be
Instruction ID: 524df0cd09e16bcdfd3f360fcf9fa9e6ce9ada851ad86d15fe89db6edff16341
Opcode Fuzzy Hash: 13955819af2e51a0aa501a5fd4b85d54051b51e16188c0ac1dccfd05616853be
Instruction Fuzzy Hash: BC316D71A4425CEBDF21DB99DC89D9EBBFCFB89310B544166F904DB211D6B08E80CB91

Function 0087C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0087C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0087C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008E1990,00B15670), ref: 0087C395

Strings

0, xrefs: 0087C2DF

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 503e71d9d729636b04418efcc4275b5551d0cc0d0087b83fa5ed4c5d13579e73
Instruction ID: 756c7f3130142dce2905ff85324e22512374db8bdc189acc11f349a20c9fae1b
Opcode Fuzzy Hash: 503e71d9d729636b04418efcc4275b5551d0cc0d0087b83fa5ed4c5d13579e73
Instruction Fuzzy Hash: 814156712043019FD7209F29D885B6ABBE8FB85324F148A1DF9A9D73D5D730E904CB62

Function 008A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,008ACC08,00000000,?,?,?,?), ref: 008A44AA
GetWindowLongW.USER32 ref: 008A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008A44D7

Strings

SysTreeView32, xrefs: 008A447C

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 23587f9a4e4894d6de02ba3d6bedcc0ecf51d5b3519f9710f14db884b495cb35
Instruction ID: 9de2c604cbf10b1e829b87333a6d9cce19363ed06d07c2fd60f20eef70d95470
Opcode Fuzzy Hash: 23587f9a4e4894d6de02ba3d6bedcc0ecf51d5b3519f9710f14db884b495cb35
Instruction Fuzzy Hash: 6F319C31201605AFEF208E38DC45BEA7BA9FB4A334F205725F975E25D0D7B4AC909B50

Function 0089304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0089335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00893077,?,?), ref: 00893378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0089307A
_wcslen.LIBCMT ref: 0089309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00893106

Strings

255.255.255.255, xrefs: 00893095, 0089309A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 2e663dc0273502947d0f5ba944558a1fc918940c82b9f8e60cc3aa5ec7b2147c
Instruction ID: 9b310032cadc4a259e90056e185f885259427069ac9b769fd231bc22395bafd4
Opcode Fuzzy Hash: 2e663dc0273502947d0f5ba944558a1fc918940c82b9f8e60cc3aa5ec7b2147c
Instruction Fuzzy Hash: 0731D3392002059FCF20EF68C885EAA77E0FF55318F288059E915CB7A2DB36EE45C761

Function 008A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 008A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 008A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 008A471A

Strings

msctls_updown32, xrefs: 008A4684

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f939df726f4f2a83c16492a673b03379a5ca935d99fa401599974cd0e54b05de
Instruction ID: 6abec5156b7dd2e113903eae3d29bbd116e8be216a22360c2e1769fee626a160
Opcode Fuzzy Hash: f939df726f4f2a83c16492a673b03379a5ca935d99fa401599974cd0e54b05de
Instruction Fuzzy Hash: 9D214CB5600248AFEB10DF68DCC1DAB77ADFB9B3A4B040059FA01DB261DB70EC51CA61

Function 008795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0087961D

Strings

#OnAutoItStartRegister, xrefs: 008795F3
#requireadmin, xrefs: 008795D9
#notrayicon, xrefs: 008795B7

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: cda5bcb8462679bdb58c5a3f583805448425fb89d48c17ea88092c69051ff4c3
Instruction ID: ef3a8045a5999bea28da92258f3af03958b3123b2619e4bf22d0b915f4231249
Opcode Fuzzy Hash: cda5bcb8462679bdb58c5a3f583805448425fb89d48c17ea88092c69051ff4c3
Instruction Fuzzy Hash: 6E213B7210422166D331EA299C02FB773ACFFA1314F108029F9CDD7149EB55ED81C2D6

Function 008A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 008A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 008A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 008A3876

Strings

Listbox, xrefs: 008A380F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3a179f5a666ae81e60d6bf1b1bfec0dfac1bb2078cf0dc7405648f22c2c91b8f
Instruction ID: 8932e2f165a332976d5831fb03690821ec6cb72adc245aea9cbdb05cd1f80ad5
Opcode Fuzzy Hash: 3a179f5a666ae81e60d6bf1b1bfec0dfac1bb2078cf0dc7405648f22c2c91b8f
Instruction Fuzzy Hash: 85218E72610218BBFF218F54CC85FAB376EFF8A754F108125F9149B590DA75DC528BA0

Function 008849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00884A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00884A5C
SetErrorMode.KERNEL32(00000000,?,?,008ACC08), ref: 00884AD0

Strings

%lu, xrefs: 00884A6F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f0cea8f5935274c7b6033fc254f5b78f0206a688aebe0b201e4e1fe37a70e2b8
Instruction ID: b567fcc41e8af2189c777bde43fa98fb1c81de4000a877078b85ed6c298d0272
Opcode Fuzzy Hash: f0cea8f5935274c7b6033fc254f5b78f0206a688aebe0b201e4e1fe37a70e2b8
Instruction Fuzzy Hash: 7E315E75A00119AFDB10DF58C885EAA7BF8FF09308F1480A9E909DB352DB75EE45CB61

Function 008A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 008A4271

Strings

msctls_trackbar32, xrefs: 008A4226

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 4369454715c02ce989f01f607bca4648c5939d4fe0720bf19a84cc8d5f567a86
Instruction ID: 5bab714a6eb6b6248163b3f24236fdf01d4d44edfcf5d9d067d13c14169ac188
Opcode Fuzzy Hash: 4369454715c02ce989f01f607bca4648c5939d4fe0720bf19a84cc8d5f567a86
Instruction Fuzzy Hash: 9911E331240248BEFF205E28CC46FAB3BACFF96B54F110124FA55E6090D6B1DC519B60

Function 00872F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Part of subcall function 00872DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00872DC5
Part of subcall function 00872DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00872DD6
Part of subcall function 00872DA7: GetCurrentThreadId.KERNEL32 ref: 00872DDD
Part of subcall function 00872DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00872DE4

GetFocus.USER32 ref: 00872F78

Part of subcall function 00872DEE: GetParent.USER32(00000000), ref: 00872DF9

GetClassNameW.USER32(?,?,00000100), ref: 00872FC3
EnumChildWindows.USER32(?,0087303B), ref: 00872FEB

Strings

%s%d, xrefs: 00872FFF

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: eb582b516551dbeca6f8521bd78ba54a3d5ba5c841bb9a41fe5efb9a9ef49258
Instruction ID: 000e411ac42f4a24e38765281c8ac581b02d30d97930df346d50818b3bae0177
Opcode Fuzzy Hash: eb582b516551dbeca6f8521bd78ba54a3d5ba5c841bb9a41fe5efb9a9ef49258
Instruction Fuzzy Hash: CB11E4716002096BDF10BF788C85EED3B6AFF94314F048079F90DDB256EE3099459B62

Function 008A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008A58EE
DrawMenuBar.USER32(?), ref: 008A58FD

Strings

0, xrefs: 008A588F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 2957d400512833f27c462c2d931d14c33eccbda493cfbe4b5769b5e0f605df4f
Instruction ID: d79603d81fc7f8a8b1f0234cba6b397bdc0a4eb05638a5f8cabb4ee0721517a0
Opcode Fuzzy Hash: 2957d400512833f27c462c2d931d14c33eccbda493cfbe4b5769b5e0f605df4f
Instruction Fuzzy Hash: 34015B31500218EEEB219F15EC44BAFBBB4FF46360F1480A9F949DA552DB308AC4DF21

Function 0087007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93edae1f780acef7607408cb36c24467d2573c3111f0dd7ebd19af59b8ae7db
Instruction ID: a674420898bac3a123476b380722b27479a30620ea25abcfb93f0f04c0dd7bc9
Opcode Fuzzy Hash: d93edae1f780acef7607408cb36c24467d2573c3111f0dd7ebd19af59b8ae7db
Instruction Fuzzy Hash: C5C15B75A0020AEFDB14CFA8C894AAEB7B5FF48704F208598E509EB255D731EE41CF90

Function 0089342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00893459
CoUninitialize.OLE32 ref: 00893463
VariantInit.OLEAUT32(?), ref: 0089346E
VariantClear.OLEAUT32(?), ref: 0089371B

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: d02ea152aacc35278bec08a59759e5e5e4bb5bbcbd57aab34081e0b06e95e8db
Instruction ID: fe9880188b10c011bc80e0b225d3e5a36c7e57b30e0c7b10b181cf1f035e9d8b
Opcode Fuzzy Hash: d02ea152aacc35278bec08a59759e5e5e4bb5bbcbd57aab34081e0b06e95e8db
Instruction Fuzzy Hash: F7A13D756042109FCB11EF68C485A5AB7E9FF88714F09885DF98ADB362DB30ED41CB52

Function 00870436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,008AFC08,?), ref: 008705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,008AFC08,?), ref: 00870608
CLSIDFromProgID.OLE32(?,?,00000000,008ACC40,000000FF,?,00000000,00000800,00000000,?,008AFC08,?), ref: 0087062D
_memcmp.LIBVCRUNTIME ref: 0087064E

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: c575a17e17059da0076003726722c25f8d805f08fbfe5cca867c9db04f635f3d
Instruction ID: 1b8caa126e3dd3b9c995dc00dbe1d6d367a7298840d45c9140e5ea7279e5b0c6
Opcode Fuzzy Hash: c575a17e17059da0076003726722c25f8d805f08fbfe5cca867c9db04f635f3d
Instruction Fuzzy Hash: A281E971A00209EFCB04DF94C984DEEB7B9FF89315B208558E516EB254DB71AE46CF60

Function 00851391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008514C0

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9625d42e6b0e664ef8b9022e6fbbb7ce7706c785bdf7088440f6a613be8671a1
Instruction ID: d01f969fcb6dfbc7fc5695d221e4f46e2030c880d7de4799ae7a9fb73a9ab19b
Opcode Fuzzy Hash: 9625d42e6b0e664ef8b9022e6fbbb7ce7706c785bdf7088440f6a613be8671a1
Instruction Fuzzy Hash: D9414C35A00104ABDF216BBDDC8DBBF3AA6FF81371F144225FC19D6292E6B4484553A7

Function 008A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00B1E568,?), ref: 008A62E2
ScreenToClient.USER32(?,?), ref: 008A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 008A6382

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 96d7adc506ee0a029fa13765b21b23f2c1fce436aeaec421446f3c0aa19347b9
Instruction ID: 492b881e8a57786133ff15c9183488376116d6438774d2d0e4fd85fbf605df35
Opcode Fuzzy Hash: 96d7adc506ee0a029fa13765b21b23f2c1fce436aeaec421446f3c0aa19347b9
Instruction Fuzzy Hash: 16514A70A00209EFEF10DF68D880AAE7BB5FF56360F148169F815DB694E770AD91CB50

Function 00891AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00891AFD
WSAGetLastError.WSOCK32 ref: 00891B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00891B8A
WSAGetLastError.WSOCK32 ref: 00891B94

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: b922aff71c0cb142b93f436522e42be5006d97ac11e9f5a52e4ccb99d5eae879
Instruction ID: 93791ad3dae93623745be24a84403d97412971f50af63c1c06956d1cfcaabcf7
Opcode Fuzzy Hash: b922aff71c0cb142b93f436522e42be5006d97ac11e9f5a52e4ccb99d5eae879
Instruction Fuzzy Hash: 0B41AF346402006FEB20AF28C88AF6577A5FF44718F588448F5169F3D2D672ED828B91

Function 0084B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1225d5204238bf20b7509eae421cc2f0ac13e3faf93d1b3bda4a5500361c30ba
Instruction ID: 692cff2035023ea6240168e260a26bf56bd9a502c00166662f6a8358fc0527e0
Opcode Fuzzy Hash: 1225d5204238bf20b7509eae421cc2f0ac13e3faf93d1b3bda4a5500361c30ba
Instruction Fuzzy Hash: 78410471A00308AFD7249F7CCC46BAABBA9FB88720F10852AF555DB682D771D9018781

Function 008856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00885783
GetLastError.KERNEL32(?,00000000), ref: 008857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008857FA

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6f3d906f4b584d8995183e460b498ecbaa6e824d2861b2088463d9daf7e36aab
Instruction ID: f6ba009f8e429f25e2b05d8a004b5c5063004948f7593f931015dc2c89299e08
Opcode Fuzzy Hash: 6f3d906f4b584d8995183e460b498ecbaa6e824d2861b2088463d9daf7e36aab
Instruction Fuzzy Hash: 1A41FB35600610DFCB11EF19C545A9ABBF6FF49720B198498E84A9B362CB34FD41CB92

Function 0084D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00836D71,00000000,00000000,008382D9,?,008382D9,?,00000001,00836D71,8BE85006,00000001,008382D9,008382D9), ref: 0084D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0084D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0084D9AB
__freea.LIBCMT ref: 0084D9B4

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: c7aeac4a2b1e0bc14ea050de4d3da000f2a20009ab3b24445dd402bd7d1842a5
Instruction ID: de722104b89663ece983ae1241342df0e2e60f491f5cc2d6dbbbc14b5732fce7
Opcode Fuzzy Hash: c7aeac4a2b1e0bc14ea050de4d3da000f2a20009ab3b24445dd402bd7d1842a5
Instruction Fuzzy Hash: 0531BC72A0020AABDF249F69DC45EAE7FA5FB41710F054268FC04DB2A0EB35DD51CBA1

Function 008A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 008A5352
GetWindowLongW.USER32(?,000000F0), ref: 008A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008A53A8

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 0077c2ebab92b3f714f106d35e6fc4e855c89abb7395403b6e41d99f8364dd9f
Instruction ID: 1e9e20cdf1d3294bd825ee9255f0b720e075fe04c585ac9e6155e6fdde2111de
Opcode Fuzzy Hash: 0077c2ebab92b3f714f106d35e6fc4e855c89abb7395403b6e41d99f8364dd9f
Instruction Fuzzy Hash: 5D31BC30A55A0CEFFF249A14CC56BE977A5FB97390F584001FA11D6BE1C7B099C09B42

Function 0087AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 0087ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0087AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0087AC74
SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 0087ACC6

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: fcf8206580bfd3b6b6a68f149f03a694fa7b616059fa42bad8c333780e0183a2
Instruction ID: 6e3cc8169bef93ee6b16cc8db4a581f2a5222ec5adcc1feca24462275a45a528
Opcode Fuzzy Hash: fcf8206580bfd3b6b6a68f149f03a694fa7b616059fa42bad8c333780e0183a2
Instruction Fuzzy Hash: A731E530A00618BFFB2ACB65C805BFE7AA5FBC5320F08C21AE489D21D9C375C9859752

Function 008A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 008A769A
GetWindowRect.USER32(?,?), ref: 008A7710
PtInRect.USER32(?,?,008A8B89), ref: 008A7720
MessageBeep.USER32(00000000), ref: 008A778C

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e19c37178fd2f5c4dc14de76c2920d27583b8cf159f9dc467588171697dd4658
Instruction ID: 5e45a9593f3564b9fe6b3d5f01604565b7821b0a96fa1a35beac7e57dc1c0391
Opcode Fuzzy Hash: e19c37178fd2f5c4dc14de76c2920d27583b8cf159f9dc467588171697dd4658
Instruction Fuzzy Hash: C0418B34A09254DFEB01DF58CC98EA9BBF5FB4A314F1940A8E914DFA61D730A941DF90

Function 008A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008A16EB

Part of subcall function 00873A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00873A57
Part of subcall function 00873A3D: GetCurrentThreadId.KERNEL32 ref: 00873A5E
Part of subcall function 00873A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008725B3), ref: 00873A65

GetCaretPos.USER32(?), ref: 008A16FF
ClientToScreen.USER32(00000000,?), ref: 008A174C
GetForegroundWindow.USER32 ref: 008A1752

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 93b50d38704a9c82858349d586bbf17cdcb464296c28b17c38a4b39cc0612bdd
Instruction ID: e4fc89d3d97fcea4a51578b8904faf9ff7dc9092e23ea4bdbc322ba48e2b21ab
Opcode Fuzzy Hash: 93b50d38704a9c82858349d586bbf17cdcb464296c28b17c38a4b39cc0612bdd
Instruction Fuzzy Hash: C3312C75D00249AFDB00EFA9C8858EEBBFDFF49304B5080A9E415E7611EA31DE45CBA1

Function 0087D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0087D501
Process32FirstW.KERNEL32(00000000,?), ref: 0087D50F
Process32NextW.KERNEL32(00000000,?), ref: 0087D52F
CloseHandle.KERNEL32(00000000), ref: 0087D5DC

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ab51eaba2adedc8faca6c57d1b0832d2d2dd19f1b349df4d2e46a583e70553e7
Instruction ID: 5e645767f5cd8c65a4aeac6905b591086d8938d69c980a33b43514ca7f427a0d
Opcode Fuzzy Hash: ab51eaba2adedc8faca6c57d1b0832d2d2dd19f1b349df4d2e46a583e70553e7
Instruction Fuzzy Hash: DA318C711083009FD300EF58C881AAABBF8FF99344F10492DF585C21A1EB619985CB93

Function 008A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

GetCursorPos.USER32(?), ref: 008A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00867711,?,?,?,?,?), ref: 008A9016
GetCursorPos.USER32(?), ref: 008A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00867711,?,?,?), ref: 008A9094

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 802ae1c3accfb1fb24e8e784ca2e05d0968f9a3f3b79b9ea6641d144f2789ecb
Instruction ID: 37203aff76f6772b7496d162f0d39eda045ff7b5586eb3444ab0e87a13f11ac5
Opcode Fuzzy Hash: 802ae1c3accfb1fb24e8e784ca2e05d0968f9a3f3b79b9ea6641d144f2789ecb
Instruction Fuzzy Hash: 4D21BF35600418EFEF258F94C898EEA7BF9FB4A3A0F104065F9458B661C3319990DB60

Function 0087D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,008ACB68), ref: 0087D2FB
GetLastError.KERNEL32 ref: 0087D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0087D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,008ACB68), ref: 0087D376

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1da8667c7786cd399d4d30a26973308c83160d3d8297c2878514bb7639ccaff9
Instruction ID: 54524df990ed233b841e45423b6238b2ed6baa6227f45b31dfa8d05ebd821971
Opcode Fuzzy Hash: 1da8667c7786cd399d4d30a26973308c83160d3d8297c2878514bb7639ccaff9
Instruction Fuzzy Hash: 012151705093019F8710DF28C8818AA77F8FE56768F508A1DF4A9C73A1EB31D946CB93

Function 00871571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00871014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0087102A
Part of subcall function 00871014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00871036
Part of subcall function 00871014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871045
Part of subcall function 00871014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0087104C
Part of subcall function 00871014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008715BE
_memcmp.LIBVCRUNTIME ref: 008715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00871617
HeapFree.KERNEL32(00000000), ref: 0087161E

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d8f67d9c109542e4c6189ec2a4df19a35806e38819ed02f636a3e77cfe7caee3
Instruction ID: e1847ddd93bb3e6c3e97eeefebf7608d05226d2cfdce96467c4c34756ebe5688
Opcode Fuzzy Hash: d8f67d9c109542e4c6189ec2a4df19a35806e38819ed02f636a3e77cfe7caee3
Instruction Fuzzy Hash: 72215531E00108ABDF14DFA8C949BEEB7B8FF94344F188459E449EB645E730AA05DBA0

Function 008A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 008A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 008A2840

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 7f6def8dc8cfc4bbceef1a75b895b29c8670269b7b5e75e4493df644e6d4564e
Instruction ID: 9bbc0fe5c44e02afb23a26ae2828b828ef227f5f535d77ddd4a5b4c5d4aeefc5
Opcode Fuzzy Hash: 7f6def8dc8cfc4bbceef1a75b895b29c8670269b7b5e75e4493df644e6d4564e
Instruction Fuzzy Hash: 0121D631604515AFE724DB28C844FAA7799FF46324F148158F426CBAD2CB75FD82C791

Function 008778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00878D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0087790A,?,000000FF,?,00878754,00000000,?,0000001C,?,?), ref: 00878D8C
Part of subcall function 00878D7D: lstrcpyW.KERNEL32(00000000,?,?,0087790A,?,000000FF,?,00878754,00000000,?,0000001C,?,?,00000000), ref: 00878DB2
Part of subcall function 00878D7D: lstrcmpiW.KERNEL32(00000000,?,0087790A,?,000000FF,?,00878754,00000000,?,0000001C,?,?), ref: 00878DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00878754,00000000,?,0000001C,?,?,00000000), ref: 00877923
lstrcpyW.KERNEL32(00000000,?,?,00878754,00000000,?,0000001C,?,?,00000000), ref: 00877949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00878754,00000000,?,0000001C,?,?,00000000), ref: 00877984

Strings

cdecl, xrefs: 0087797B

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b01be4c19970d03a0684b6cc1ff1966d0a55b78e0e90fe329d75f4af1be53bd5
Instruction ID: 6f7c5b75f43cd821c646bfaeba85ce21e971f0e5142ec2e2b341117d9f828401
Opcode Fuzzy Hash: b01be4c19970d03a0684b6cc1ff1966d0a55b78e0e90fe329d75f4af1be53bd5
Instruction Fuzzy Hash: 5511D63A201201ABDB155F38D845E7A7BA9FF95350B50802AFA4ACB368EB35D811D791

Function 008A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 008A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 008A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 008A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0088B7AD,00000000), ref: 008A7D6B

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 79504c950d7234db5e68035243993189fd9a2a9f87de340fb081938df71cca93
Instruction ID: 89bb729273058218c7ad3c90d4f201cd902f36a574f83983d7d59ac7c618b2dd
Opcode Fuzzy Hash: 79504c950d7234db5e68035243993189fd9a2a9f87de340fb081938df71cca93
Instruction Fuzzy Hash: 4E11A231604665AFEB109F28CC08A6A3BA5FF47370B154728F835DB6F0E7309950DB50

Function 008A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008A56BB
_wcslen.LIBCMT ref: 008A56CD
_wcslen.LIBCMT ref: 008A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 008A5816

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: cfc0959a789f41a619c80e8ee77ef59740836dbd3523c96c304e6cdde703f927
Instruction ID: 2c41c547b402ba1ecd8245d7faee0a8443883dd5996f5d04bbb0c5c77d5a45cf
Opcode Fuzzy Hash: cfc0959a789f41a619c80e8ee77ef59740836dbd3523c96c304e6cdde703f927
Instruction Fuzzy Hash: 7711E471600A18A6EF20DF65DC85AEE3B6CFF16764F104026F915D6481EB7489C0CBA5

Function 00871A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00871A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00871A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00871A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00871A8A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 216ca4fb950dc030157d9e5b0d35c3b597bfbcc100f6239a4354c09cf711a1aa
Instruction ID: fb5fde697ae645fcad23c2c298370b157a69ab05346f17c271405f9ff8a0a19c
Opcode Fuzzy Hash: 216ca4fb950dc030157d9e5b0d35c3b597bfbcc100f6239a4354c09cf711a1aa
Instruction Fuzzy Hash: F211183A901229BFEF109BA88985FADFB78FB14750F204091E604B7294D671AE509B94

Function 0087E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0087E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0087E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0087E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0087E24D

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b7def3bfc5ff49444ee988c3f04f27ccaa2fcb467596e5e36079eeab1e31d691
Instruction ID: 77a5064ba95d423b978095cb804219649e47c058c7e0e9f77e401e263b7ce2cc
Opcode Fuzzy Hash: b7def3bfc5ff49444ee988c3f04f27ccaa2fcb467596e5e36079eeab1e31d691
Instruction Fuzzy Hash: 30112B72A04258BBDB019FA89C49A9F7FACFB46315F008255F828D7395D774CD0087A0

Function 0083D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0083CFF9,00000000,00000004,00000000), ref: 0083D218
GetLastError.KERNEL32 ref: 0083D224
__dosmaperr.LIBCMT ref: 0083D22B
ResumeThread.KERNEL32(00000000), ref: 0083D249

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: da2e0f283d007c36e2b3fccf6a900bf368fdbbdbc8bd140bd4ca7a5c8f464bbe
Instruction ID: 8d5bb60d8960a5651c0f9fae930802bee3ae347f43d13a1c569f81bd338128be
Opcode Fuzzy Hash: da2e0f283d007c36e2b3fccf6a900bf368fdbbdbc8bd140bd4ca7a5c8f464bbe
Instruction Fuzzy Hash: 7F01C036805208BBDB215BA9EC09AAF7A69FFC2731F104229F925D21D1CF719901C6E1

Function 0081600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0081604C
GetStockObject.GDI32(00000011), ref: 00816060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0081606A

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f98cb10c6f42464350d607d70f5cd10c59bbb080bce9bf8a812bf6998f532a7e
Instruction ID: dc22e2270e1e73e54e7b9313f03b35b6d3b4378cf3e1b16d65ee66283a0090fd
Opcode Fuzzy Hash: f98cb10c6f42464350d607d70f5cd10c59bbb080bce9bf8a812bf6998f532a7e
Instruction Fuzzy Hash: 02116172501948BFEF129F949C44EEA7BADFF1D364F040115FA54A2110D732DCA0DB90

Function 00833B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00833B56

Part of subcall function 00833AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00833AD2
Part of subcall function 00833AA3: ___AdjustPointer.LIBCMT ref: 00833AED

_UnwindNestedFrames.LIBCMT ref: 00833B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00833B7C
CallCatchBlock.LIBVCRUNTIME ref: 00833BA4

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: f2d0ce4de731a3d39ffe9c9cb3b120496c0fb00301fa09308771886bbdf8b20d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 3401E932100149BBDF125E99CC46EEB7B69FF98764F044414FE48A6121C736E961DBE1

Function 00843073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008113C6,00000000,00000000,?,0084301A,008113C6,00000000,00000000,00000000,?,0084328B,00000006,FlsSetValue), ref: 008430A5
GetLastError.KERNEL32(?,0084301A,008113C6,00000000,00000000,00000000,?,0084328B,00000006,FlsSetValue,008B2290,FlsSetValue,00000000,00000364,?,00842E46), ref: 008430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0084301A,008113C6,00000000,00000000,00000000,?,0084328B,00000006,FlsSetValue,008B2290,FlsSetValue,00000000), ref: 008430BF

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a495ce06e9082e76bb100198867c74f8200dfab9ae63a0a3f2e3c88c143f3194
Instruction ID: 0d39aabcaaada561ce6bfa8659a9df9b04534d8e5dcd2aac2d4f39c0f551cf95
Opcode Fuzzy Hash: a495ce06e9082e76bb100198867c74f8200dfab9ae63a0a3f2e3c88c143f3194
Instruction Fuzzy Hash: 03014E32301A2AABDB314B789C44A577BD8FF06B71B200720F905E7240CB21DD01C6E0

Function 00877464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0087747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00877497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008774CA

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f6fa6737ca62b5028bb1e93edc27462fc249eea587cac4ddf6956ec3640d1998
Instruction ID: cd7025eb0b5b219e1f9f82a4429908403823ee5d5422c83ed54ca29c391ebaf8
Opcode Fuzzy Hash: f6fa6737ca62b5028bb1e93edc27462fc249eea587cac4ddf6956ec3640d1998
Instruction Fuzzy Hash: 81118EB12093159BF7208F24DC08B927BFCFB04B04F10C569A61AD6555D7B0E944DB98

Function 0087B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B126

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ece8c9bbfa408220dc36c8bf1943defcfa2e8b072f81a4e6acd6d960005f1601
Instruction ID: 335c273efdcec33ea3252cc758ec1f4fa3484ad3f24924cc69df86959124c64e
Opcode Fuzzy Hash: ece8c9bbfa408220dc36c8bf1943defcfa2e8b072f81a4e6acd6d960005f1601
Instruction Fuzzy Hash: 38117C30E0152DD7DF00AFE4E9687EEBB78FF0A311F008085D945B2145DB3085918B65

Function 00872DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00872DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00872DD6
GetCurrentThreadId.KERNEL32 ref: 00872DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00872DE4

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: caf9b77eaf14c7a95523af6734b9df01d90c9784492d8ecbe835efa11231e334
Instruction ID: c9f204e13d289a1f9c3bb234e9a601e5c815049e4e487c11bd16eea94a466b06
Opcode Fuzzy Hash: caf9b77eaf14c7a95523af6734b9df01d90c9784492d8ecbe835efa11231e334
Instruction Fuzzy Hash: D1E012B16052287BE7305B739C0DFEB7E6CFF57BA1F404119F50AD14909AA5C941C6B0

Function 008A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00829639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00829693
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296A2
Part of subcall function 00829639: BeginPath.GDI32(?), ref: 008296B9
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 008A8887
LineTo.GDI32(?,?,?), ref: 008A8894
EndPath.GDI32(?), ref: 008A88A4
StrokePath.GDI32(?), ref: 008A88B2

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 4194ab208ed2d62784bcb0a96af73e61ebd53745f1fd397012b763e14bf84223
Instruction ID: d8fb30f4e1c3d7ee76d523d780a7196f2420225211d8d7a97e5c6e77a1fedd9e
Opcode Fuzzy Hash: 4194ab208ed2d62784bcb0a96af73e61ebd53745f1fd397012b763e14bf84223
Instruction Fuzzy Hash: 17F03A36045658FAEB126F94AC0DFCE3E59BF06310F448000FA11A54E2CB795551CBA9

Function 008298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008298CC
SetTextColor.GDI32(?,?), ref: 008298D6
SetBkMode.GDI32(?,00000001), ref: 008298E9
GetStockObject.GDI32(00000005), ref: 008298F1

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 82a88f8ad3401d7700bc26ef8ad905bf42bcc5f4bf3e85cb1151fa6e60a6ede6
Instruction ID: e85a301ed0767817e4dceed4a52940ca3ebba8dccd31675d4aa79d360dbe61b6
Opcode Fuzzy Hash: 82a88f8ad3401d7700bc26ef8ad905bf42bcc5f4bf3e85cb1151fa6e60a6ede6
Instruction Fuzzy Hash: 3DE06D31244280AAEB215B74BC0DBE83F61FB13336F048219F6FA984E1C77246809B10

Function 0087162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00871634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008711D9), ref: 0087163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008711D9), ref: 00871648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008711D9), ref: 0087164F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 4ddf26440a961d8ba8e26641bf14a24f5231e0e95527ce489558c8959c61eb62
Instruction ID: 5cb9d100a12dee9a0f3ffd42428f2f0f0492014f60551e8dc2331866d5919947
Opcode Fuzzy Hash: 4ddf26440a961d8ba8e26641bf14a24f5231e0e95527ce489558c8959c61eb62
Instruction Fuzzy Hash: 34E08C32602211EBEB201FA5AE0DB873BBCFF56792F148808F249C9480EA388540CB60

Function 0086D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0086D858
GetDC.USER32(00000000), ref: 0086D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0086D882
ReleaseDC.USER32(?), ref: 0086D8A3

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1bce8d339edf1806da5962e74b54f92e6d232b5e6229b747f3f0744b4817cb54
Instruction ID: 36bdff0617f8f45a55eb48bac9e64bbb2dd6fedc5241512380eade3e18de9dd5
Opcode Fuzzy Hash: 1bce8d339edf1806da5962e74b54f92e6d232b5e6229b747f3f0744b4817cb54
Instruction Fuzzy Hash: FAE01AB0800208DFDB419FA0D80C66DBBB5FB19310F109419E806E7750CB388941AF40

Function 0086D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0086D86C
GetDC.USER32(00000000), ref: 0086D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0086D882
ReleaseDC.USER32(?), ref: 0086D8A3

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5e7415956cef5788422355c7576713a226b4b0ee8d55a63a3dcd15fce1b84e83
Instruction ID: b5eea3b0b73ec0060532e985c5607dd124d347e47e3385808e0d169001aad6c7
Opcode Fuzzy Hash: 5e7415956cef5788422355c7576713a226b4b0ee8d55a63a3dcd15fce1b84e83
Instruction Fuzzy Hash: FCE012B0800204EFDB41AFA0D80866EBBB5FB18310B109008E80AE7760CB389942AF40

Function 00884D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00884ED4

Strings

*, xrefs: 00884E10
LPT, xrefs: 00884DFB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 819ea01fcef3eeff38099168e2b6144697c96b6629d835080950498e856356fa
Instruction ID: 1cf7b925eaf80a0c34e1e1c543900a46ed6a081e7db964ff9365f092490cacea
Opcode Fuzzy Hash: 819ea01fcef3eeff38099168e2b6144697c96b6629d835080950498e856356fa
Instruction Fuzzy Hash: A2914A75A002059FCB14EF58C484EAABBB5FF44318F18909DE90A9F362DB35ED85CB91

Function 0083E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0083E30D

Strings

pow, xrefs: 0083E2E5, 0083E302

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 5def7ce09ad62495d409d33ef6f4bc13ea5623d90ae562cfed03a0b16ba5aed8
Instruction ID: eed8ba0503fbd399c0b0042d102b0402cf0c1847dd5716c3cc96a5936a14dfd3
Opcode Fuzzy Hash: 5def7ce09ad62495d409d33ef6f4bc13ea5623d90ae562cfed03a0b16ba5aed8
Instruction Fuzzy Hash: 48512B61E1C20A96DB157728C9413BA3BA4FB80B40F744E68F0D5C63EDEF358C959AC6

Function 0082E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0082E1B1

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 39b69372549f14f8d8c464bd98e7f2f54603744f81a3e029dd22e72d3070c856
Instruction ID: 4556106f470561206a6db3c08deeac102d2a16df287557cd272e8d0a81a1994a
Opcode Fuzzy Hash: 39b69372549f14f8d8c464bd98e7f2f54603744f81a3e029dd22e72d3070c856
Instruction Fuzzy Hash: 9951233950025ADFDF15DF68D485AFA7BA8FF26310F244059F892DB2D0D6349D82CBA1

Function 0082F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0082F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0082F2BB

Strings

@, xrefs: 0082F2AF

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: be47045f6b66b0bdfb8cdd3fd2d91c67a9cd1206e5822491f6b46767a44836af
Instruction ID: 7da5f998818ab42650d68e552cf76a7c59f5f7981ff1be1eed4cabc25172b6a1
Opcode Fuzzy Hash: be47045f6b66b0bdfb8cdd3fd2d91c67a9cd1206e5822491f6b46767a44836af
Instruction Fuzzy Hash: 09512571418B449BD320AF14D886BABBBFCFF85300F81885DF2D9811A5EB709569CB67

Function 00895745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008957E0
_wcslen.LIBCMT ref: 008957EC

Strings

CALLARGARRAY, xrefs: 008957E6, 008957EB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: b9b3169f45e9a8494ee04496d856abde7b2c756c2021eabfb8ef6d5404443cbf
Instruction ID: effa3ddb0e226fc93bd8c3f64d8fd70fbdfb6fb6f779f8499781985bd480b2cf
Opcode Fuzzy Hash: b9b3169f45e9a8494ee04496d856abde7b2c756c2021eabfb8ef6d5404443cbf
Instruction Fuzzy Hash: A941AE71A002099FCF04EFA9C8859EEBBB5FF59724F148069E505E7291E7309D81CB91

Function 0088D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0088D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0088D13A

Strings

|, xrefs: 0088D10B

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 32e93493c287f7c2e00d6278ce898fd2f4e9cd67e9a91db773c25a824288c465
Instruction ID: dd0c2e8da79077e7c41627ed5b7c2bc27eda91f4085055af24e4694837bf177b
Opcode Fuzzy Hash: 32e93493c287f7c2e00d6278ce898fd2f4e9cd67e9a91db773c25a824288c465
Instruction Fuzzy Hash: CE311975D00219ABCF15EFA8CC85AEEBFB9FF04300F100119F815E6166EB31AA56CB61

Function 008A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 008A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 008A365C

Strings

static, xrefs: 008A35BC

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 02791141a566fa177f258b1abc586b294d1a2645aaa2589cd899a2c7bfa92d18
Instruction ID: 00dc7420d71a048c6abe6c0ec381e18b52da38ad663ba00b93b3bece0a34727c
Opcode Fuzzy Hash: 02791141a566fa177f258b1abc586b294d1a2645aaa2589cd899a2c7bfa92d18
Instruction Fuzzy Hash: 28318B71500604AEEB109F68DC80EFB73A9FF99724F008619F8A5D7280DA31AD91DB60

Function 008A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 008A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008A4634

Strings

', xrefs: 008A458E

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 950e127f3647ddbf4f30ece5d7768d15126ef2df46d9186fe7b94bb70208dcfa
Instruction ID: 0bf9d817e3adad4fe23feab810267e167f6e9b366ef4784aec4e54a9c85b72f9
Opcode Fuzzy Hash: 950e127f3647ddbf4f30ece5d7768d15126ef2df46d9186fe7b94bb70208dcfa
Instruction Fuzzy Hash: 51312874A0120A9FEF14CF69C980BDABBB5FF8A300F105069E904EB741D7B0A941CF90

Function 008A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008A3287

Strings

Combobox, xrefs: 008A3249

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d1373fc561a16150c0e4ab401aa0d09e384df0be69368b89288b0d167568788c
Instruction ID: 7c067a09a8394a5ccffd7e103a6c9d000e478924f014b4dd36bfa042bc5be73f
Opcode Fuzzy Hash: d1373fc561a16150c0e4ab401aa0d09e384df0be69368b89288b0d167568788c
Instruction Fuzzy Hash: B011B2713002087FFF219E94DC85FBB3B6AFB9A3A5F104129F918E7690D6319D5187A0

Function 008A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0081600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0081604C
Part of subcall function 0081600E: GetStockObject.GDI32(00000011), ref: 00816060
Part of subcall function 0081600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0081606A

GetWindowRect.USER32(00000000,?), ref: 008A377A
GetSysColor.USER32(00000012), ref: 008A3794

Strings

static, xrefs: 008A3757

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f2e86444e8a81d2b79acb4de1d783748215f0754e8829ed52baa4a9a5885c213
Instruction ID: 0e14cf02875783ca7e5c1eeee1e3f7a9077e1ff5f16a2163c447d1649ce35172
Opcode Fuzzy Hash: f2e86444e8a81d2b79acb4de1d783748215f0754e8829ed52baa4a9a5885c213
Instruction Fuzzy Hash: 0811F9B2610209AFEF01DFA8CC45EFA7BB8FB09354F004525F955E2250E775E9519B60

Function 0088CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0088CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0088CDA6

Strings

<local>, xrefs: 0088CD66

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a99e7740e1c2e68787fcc6e86141af69f5ba67435f6903dffe216a9401de8810
Instruction ID: 04ba3b047b8d678203356d3ae68de9d5b3562bfaa62c10c5c620c539fb01e870
Opcode Fuzzy Hash: a99e7740e1c2e68787fcc6e86141af69f5ba67435f6903dffe216a9401de8810
Instruction Fuzzy Hash: 8C11A371205636BAD7746B668C45EE7BEA8FB127A4F004226B109C3184D6749841D7F0

Function 008A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008A34BA

Strings

edit, xrefs: 008A348F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 22a6e565d55c22cd88fce54aa9b97c8bb93bbcfdb687999a9d6965398f8b51ed
Instruction ID: f3b2856bd3e267dbafb9a2bc4cb5c9b123dc9b31c8922b1164eef5c656518fc2
Opcode Fuzzy Hash: 22a6e565d55c22cd88fce54aa9b97c8bb93bbcfdb687999a9d6965398f8b51ed
Instruction Fuzzy Hash: 1E116D71501208ABFB118E64DC44AAB3B6AFB2A378F504324F961D79D0C771DD919B68

Function 00876C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

CharUpperBuffW.USER32(?,?,?), ref: 00876CB6
_wcslen.LIBCMT ref: 00876CC2

Strings

STOP, xrefs: 00876CBC, 00876CC1

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 564d0aa517d9c4eaa80a8f52b878bb8f3dfead59a32e595c7e699f22af357f48
Instruction ID: b41f7b547dbe74b910470fc6992e6f5e886f0907743b8c119f75df931a58b85e
Opcode Fuzzy Hash: 564d0aa517d9c4eaa80a8f52b878bb8f3dfead59a32e595c7e699f22af357f48
Instruction Fuzzy Hash: 7C010432A109268ACB219FBDCC809BF37A8FFA1710B104528E966D6198FB32D960C650

Function 00871CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00871D4C

Strings

ListBox, xrefs: 00871D16
ComboBox, xrefs: 00871CEB

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9cb6959ad22d941a0b265045d300158e11649e221f61c59166e37070d8eb3cb5
Instruction ID: e531934f340717fc4f21d8d8b70de52a75fa001daac7a6b7489ac931e99446ca
Opcode Fuzzy Hash: 9cb6959ad22d941a0b265045d300158e11649e221f61c59166e37070d8eb3cb5
Instruction Fuzzy Hash: 2E012D316001186BCF14EBACCC55CFE7768FF43390B00461AF876D73C5EA3099089A61

Function 00871BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00871C46

Strings

ListBox, xrefs: 00871C10
ComboBox, xrefs: 00871BE5

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7efc58a12b211cfa41bafca1558a9d03ce6683cd5b47b63ef3369044df201921
Instruction ID: 97efb2f01797dae4c7a5ee1a49cef128f5b836c715748fe7fe9445c844588d8b
Opcode Fuzzy Hash: 7efc58a12b211cfa41bafca1558a9d03ce6683cd5b47b63ef3369044df201921
Instruction Fuzzy Hash: A701D87168010866CF05E7D8C9569FF73ACFF51340F20001AE85AE7685EA20DB0896B2

Function 00871C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00871CC8

Strings

ListBox, xrefs: 00871C94
ComboBox, xrefs: 00871C69

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d71eedffd2cfe0dd5ba4ba3e14581d07b32f5155ac5b2a259bd3b59ae199e7c7
Instruction ID: f9d184419b2ce5dc4f2ef4ca7f824033314464e91e528798622f664b9f6cb4ac
Opcode Fuzzy Hash: d71eedffd2cfe0dd5ba4ba3e14581d07b32f5155ac5b2a259bd3b59ae199e7c7
Instruction Fuzzy Hash: BF01A77168011866DF15EBD8CA16AFE73ACFF51340B144016B886F3685EA20DF0896B2

Function 0089747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00897493
_wcslen.LIBCMT ref: 008974B9

Strings

3, 3, 16, 1, xrefs: 00897483

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: df59a66127e7b75d86255d5a14dc38a940b4f97438c8431816359d7ee2eac021
Instruction ID: b0c9570cc18cc8bc6e0a15935c1d22ab9417d6bbdfd743e821ef7492abd84201
Opcode Fuzzy Hash: df59a66127e7b75d86255d5a14dc38a940b4f97438c8431816359d7ee2eac021
Instruction Fuzzy Hash: F9E02B02224220109731327DDCC1B7F5B89FFC9760B18282BFD85C2377EA989D9193E6

Function 00870B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00870B23

Strings

Error allocating memory., xrefs: 00870B1C
AutoIt, xrefs: 00870B17

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 7bd407442d361815b55dbd26b3ae65f8f2fb8f1012c0ccfdd8d75abbc1305395
Instruction ID: f003c798c29efb58c17c4ba14deffd7daae0921fd8f06882e0de7f2b10ad85f7
Opcode Fuzzy Hash: 7bd407442d361815b55dbd26b3ae65f8f2fb8f1012c0ccfdd8d75abbc1305395
Instruction Fuzzy Hash: FCE0D83124431836E21037987C03F897B84FF06B60F100427FB98D5AC38FE1649046EA

Function 00830D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0082F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00830D71,?,?,?,0081100A), ref: 0082F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0081100A), ref: 00830D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0081100A), ref: 00830D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00830D7F

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 8190aac6d4c11a093638a9498259bc1541b4818d842ea91f4d7eb9de85701a3e
Instruction ID: c2c17584899b51a69c9f51e3184ddb519db6c7a06f50f157ff63199430157ddf
Opcode Fuzzy Hash: 8190aac6d4c11a093638a9498259bc1541b4818d842ea91f4d7eb9de85701a3e
Instruction Fuzzy Hash: 57E06D702007518BE3209FFCE8583467BE4FF05740F004A2DE582CAA52DBB4E4888FD1

Function 00883017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0088302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00883044

Strings

aut, xrefs: 00883038

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a952069d7203b2fc5545cb149153b4abcbc31a347afea88ba88cad3c8140f0c1
Instruction ID: f138cb5a82abec90377433de8f33b86f40ed7874e53840673b3f74f947d3e15f
Opcode Fuzzy Hash: a952069d7203b2fc5545cb149153b4abcbc31a347afea88ba88cad3c8140f0c1
Instruction Fuzzy Hash: 21D05B7150032867DA209794AD0DFC73B6CE705750F0002527655D2191DAB49544CAD0

Function 0086D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0086D220

Strings

%.3d, xrefs: 0086D22B
X64, xrefs: 0086D2A8

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: c2e8ae44ad7932f4c2359f2d58d83c29fc0771bb3bf49f0e7fbace9d9b2811d0
Instruction ID: 5de2fe68ec3711abb88604ae65c2ef43707bd995798b97fb8d0b07f9e017f95c
Opcode Fuzzy Hash: c2e8ae44ad7932f4c2359f2d58d83c29fc0771bb3bf49f0e7fbace9d9b2811d0
Instruction Fuzzy Hash: 59D05BB1D0831CE9CB9097D0DC559B9B37CFB08305F918463F906D1241E738E548A761

Function 008A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008A233F

Part of subcall function 0087E97B: Sleep.KERNEL32 ref: 0087E9F3

Strings

Shell_TrayWnd, xrefs: 008A2325

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f5487fce4cea312ee9a729e91246d7a89b117aeae2203d3b98b4d194167e5686
Instruction ID: 49ac0c524c9ecfa5996180fa75af021079cc36840f2b1e3d72b1fe6b69be35fc
Opcode Fuzzy Hash: f5487fce4cea312ee9a729e91246d7a89b117aeae2203d3b98b4d194167e5686
Instruction Fuzzy Hash: ACD01236794314B7F6A4BB70DC4FFCA7A14FB15B10F008A167759EA2D4D9F4A801CA54

Function 008A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008A236C
PostMessageW.USER32(00000000), ref: 008A2373

Part of subcall function 0087E97B: Sleep.KERNEL32 ref: 0087E9F3

Strings

Shell_TrayWnd, xrefs: 008A2365

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3d581e3807a6fef973aa98eabfe49f13599ecd58d07a38c9ce50a8a41b6fa038
Instruction ID: eccca48c20e6be6db2eceb6058761953ab3a2f23f69dda266fa4498532d1c7ee
Opcode Fuzzy Hash: 3d581e3807a6fef973aa98eabfe49f13599ecd58d07a38c9ce50a8a41b6fa038
Instruction Fuzzy Hash: 6FD0C9327813147AF6A4AB709C4FFCA6A14BB16B10F008A167755EA2D4D9A4A8018A54

Function 0084BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0084BE93
GetLastError.KERNEL32 ref: 0084BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0084BEFC

Memory Dump Source

Source File: 00000000.00000002.1332620368.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1332601345.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332677113.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332734354.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332753794.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_QUOTATION#090125-ELITEMARINE.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 3991960f86941f8e40a85fa42166253ba18fd24a506b2fc5271580cf8a9ca21d
Instruction ID: bc90a83e0f63a8a24ae0db000ca94e4479e4d5985ebaf6e7c2cad2ae98afea84
Opcode Fuzzy Hash: 3991960f86941f8e40a85fa42166253ba18fd24a506b2fc5271580cf8a9ca21d
Instruction Fuzzy Hash: 3141A23460420AABDB218FA9CC44AAABBA5FF42310F144169F95DD72A2DF30DD05DB61

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION#090125-ELITEMARINE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\intemeration

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
QUOTATION#090125-ELITEMARINE.exe

Function 008142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 008142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00852BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00812CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0085065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0081344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00812B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00813170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00E01330 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00812C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00E010B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 163
fileCOMMON

Function 00813B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 00DFFFA0 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 00813923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre