Edit tour

Windows Analysis Report
Arrival Notice.exe

Overview

General Information

Sample name:	Arrival Notice.exe
Analysis ID:	1467213
MD5:	954f20c5963fc61a5848f7bf9fef6ba4
SHA1:	fc49c57595e06950054af47ac676c122b18dba41
SHA256:	7d32ffb777ed327a39961748d04917f29b52bf373e7cb07a64cc86ebc172352b
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Snort IDS alert for network traffic

Yara detected AgentTesla

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Arrival Notice.exe (PID: 6116 cmdline: "C:\Users\user\Desktop\Arrival Notice.exe" MD5: 954F20C5963FC61A5848F7BF9FEF6BA4)

name.exe (PID: 2748 cmdline: "C:\Users\user\Desktop\Arrival Notice.exe" MD5: 954F20C5963FC61A5848F7BF9FEF6BA4)

RegSvcs.exe (PID: 5144 cmdline: "C:\Users\user\Desktop\Arrival Notice.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 4396 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

name.exe (PID: 5052 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 954F20C5963FC61A5848F7BF9FEF6BA4)

RegSvcs.exe (PID: 3632 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.mahesh-ent.com", "Username": "info@mahesh-ent.com", "Password": "M@hesh3981"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2226892130.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2226892130.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33e6d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33edf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33f69:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33ffb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34065:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x340d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3416d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x341fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33e6d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33edf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33f69:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33ffb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34065:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x340d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3416d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x341fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000003.00000002.2226892130.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2226892130.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2224272082.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2224272082.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.4531977929.000000000299B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.4531977929.000000000299B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: name.exe PID: 2748	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: name.exe PID: 2748	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5144	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5144	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: name.exe PID: 5052	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: name.exe PID: 5052	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 3632	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3632	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33e6d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33edf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33f69:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33ffb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34065:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x340d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3416d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x341fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.name.exe.3950000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.name.exe.3950000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.name.exe.3950000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3206d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x320df:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32169:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x321fb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32265:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x322d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3236d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x323fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.name.exe.15d0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.name.exe.15d0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.name.exe.15d0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3206d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x320df:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32169:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x321fb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32265:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x322d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3236d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x323fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.name.exe.3950000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.name.exe.3950000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.name.exe.3950000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33e6d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33edf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33f69:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33ffb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34065:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x340d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3416d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x341fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.name.exe.15d0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.name.exe.15d0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.name.exe.15d0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33e6d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33edf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33f69:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33ffb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34065:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x340d7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3416d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x341fd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 4396, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 148.66.136.151, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 5144, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49700

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 4396, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 2748, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Snort Signatures

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:20:37.832940
SID:	2030171
Source Port:	49726
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:18:53.976045
SID:	2030171
Source Port:	49711
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:19:36.768009
SID:	2840032
Source Port:	49716
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:19:53.289503
SID:	2030171
Source Port:	49719
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:19:19.246288
SID:	2030171
Source Port:	49713
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:17:01.207853
SID:	2030171
Source Port:	49700
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:20:05.972440
SID:	2840032
Source Port:	49722
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:20:24.508698
SID:	2030171
Source Port:	49725
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:19:33.245041
SID:	2840032
Source Port:	49715
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:17:15.105650
SID:	2030171
Source Port:	49702
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:19:36.767963
SID:	2030171
Source Port:	49716
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:18:53.976163
SID:	2840032
Source Port:	49711
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:19:53.289584
SID:	2840032
Source Port:	49719
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:20:37.833155
SID:	2840032
Source Port:	49726
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:19:19.246440
SID:	2840032
Source Port:	49713
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:19:33.244969
SID:	2030171
Source Port:	49715
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:20:05.972198
SID:	2030171
Source Port:	49722
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.6 - Destination IP: 148.66.136.151

Timestamp:	07/03/24-21:20:24.508803
SID:	2840032
Source Port:	49725
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.mahesh-ent.com", "Username": "info@mahesh-ent.com", "Password": "M@hesh3981"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: Arrival Notice.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Arrival Notice.exe

Joe Sandbox ML: detected

Source: Arrival Notice.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49701 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.2083901923.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2085516595.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.2222185062.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.2222613590.0000000004000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000002.00000003.2083901923.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2085516595.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.2222185062.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.2222613590.0000000004000000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00934696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00934696
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0093C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0093C9C7
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0093C93C FindFirstFileW,FindClose,	0_2_0093C93C
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0093F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0093F200
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0093F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0093F35D
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0093F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0093F65E
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00933A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00933A2B
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00933D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00933D4E
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0093BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0093BF27
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00214696 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00214696
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0021C93C FindFirstFileW,FindClose,	2_2_0021C93C
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0021C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0021C9C7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0021F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0021F200
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0021F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0021F35D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0021F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0021F65E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00213A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00213A2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00213D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00213D4E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0021BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0021BF27

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49700 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49702 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.6:49711 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49711 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.6:49713 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49713 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.6:49715 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49715 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.6:49716 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49716 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.6:49719 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49719 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.6:49722 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49722 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.6:49725 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49725 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.6:49726 -> 148.66.136.151:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49726 -> 148.66.136.151:587

Source: global traffic

TCP traffic: 192.168.2.6:49700 -> 148.66.136.151:587

Source: Joe Sandbox View	IP Address: 148.66.136.151 148.66.136.151
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.6:49700 -> 148.66.136.151:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_009425E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_009425E2

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.mahesh-ent.com

Source: RegSvcs.exe, 00000003.00000002.2226892130.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002A92000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002D42000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002B29000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002E54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.mahesh-ent.com
Source: RegSvcs.exe, 00000003.00000002.2226892130.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.000000000295C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000006.00000002.4537874564.0000000005CF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: name.exe, 00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2224272082.0000000000402000.00000040.80000000.00040000.00000000.sdmp, name.exe, 00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: name.exe, 00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2226892130.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2224272082.0000000000402000.00000040.80000000.00040000.00000000.sdmp, name.exe, 00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.000000000295C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000003.00000002.2226892130.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000003.00000002.2226892130.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49701 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.name.exe.15d0000.1.raw.unpack, 3DlgK9re6m.cs	.Net Code: S8rY0
Source: 5.2.name.exe.3950000.1.raw.unpack, 3DlgK9re6m.cs	.Net Code: S8rY0

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0094425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0094425A

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00944458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00944458
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00224458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00224458

Source: C:\Users\user\Desktop\Arrival Notice.exe

0_2_0094425A

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00930219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00930219

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0095CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_0095CDAC
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0023CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_0023CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.name.exe.3950000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.name.exe.15d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.name.exe.3950000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.name.exe.15d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: This is a third-party compiled AutoIt script.	0_2_008D3B4C
Source: Arrival Notice.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Arrival Notice.exe, 00000000.00000003.2074284725.0000000003DD5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9f6fbcef-7
Source: Arrival Notice.exe, 00000000.00000003.2074284725.0000000003DD5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7a8b5c90-1
Source: Arrival Notice.exe, 00000000.00000000.2066511555.0000000000985000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_68eac7e2-d
Source: Arrival Notice.exe, 00000000.00000000.2066511555.0000000000985000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c375677a-6
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: This is a third-party compiled AutoIt script.	2_2_001B3B4C
Source: name.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000002.00000002.2086394620.0000000000265000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9f8b0b23-9
Source: name.exe, 00000002.00000002.2086394620.0000000000265000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e94843a6-5
Source: name.exe, 00000005.00000000.2210786318.0000000000265000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d4b95cee-4
Source: name.exe, 00000005.00000000.2210786318.0000000000265000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e5dcb13e-b
Source: Arrival Notice.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bd9cb714-7
Source: Arrival Notice.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9ba94f04-1
Source: name.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d62dc2ff-2
Source: name.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_241a4ee9-4

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Arrival Notice.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_009340B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_009340B1

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00928858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00928858

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0093545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_0093545F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0021545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_0021545F

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008DE800	0_2_008DE800
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008FDBB5	0_2_008FDBB5
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0095804A	0_2_0095804A
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008DE060	0_2_008DE060
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008E4140	0_2_008E4140
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008F2405	0_2_008F2405
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00906522	0_2_00906522
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0090267E	0_2_0090267E
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00950665	0_2_00950665
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008F283A	0_2_008F283A
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008E6843	0_2_008E6843
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_009089DF	0_2_009089DF
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00906A94	0_2_00906A94
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00950AE2	0_2_00950AE2
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008E8A0E	0_2_008E8A0E
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00938B13	0_2_00938B13
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0092EB07	0_2_0092EB07
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008FCD61	0_2_008FCD61
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00907006	0_2_00907006
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008E3190	0_2_008E3190
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008E710E	0_2_008E710E
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008D1287	0_2_008D1287
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008F33C7	0_2_008F33C7
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008FF419	0_2_008FF419
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008E5680	0_2_008E5680
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008F16C4	0_2_008F16C4
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008E58C0	0_2_008E58C0
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008F78D3	0_2_008F78D3
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008F1BB8	0_2_008F1BB8
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00909D05	0_2_00909D05
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008DFE40	0_2_008DFE40
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008F1FD0	0_2_008F1FD0
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008FBFE6	0_2_008FBFE6
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_014C3610	0_2_014C3610
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001BE800	2_2_001BE800
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001DDBB5	2_2_001DDBB5
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0023804A	2_2_0023804A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001BE060	2_2_001BE060
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001C4140	2_2_001C4140
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001D2405	2_2_001D2405
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E6522	2_2_001E6522
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00230665	2_2_00230665
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E267E	2_2_001E267E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001D283A	2_2_001D283A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001C6843	2_2_001C6843
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E89DF	2_2_001E89DF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001C8A0E	2_2_001C8A0E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E6A94	2_2_001E6A94
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00230AE2	2_2_00230AE2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0020EB07	2_2_0020EB07
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00218B13	2_2_00218B13
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001DCD61	2_2_001DCD61
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E7006	2_2_001E7006
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001C710E	2_2_001C710E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001C3190	2_2_001C3190
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001B1287	2_2_001B1287
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001D33C7	2_2_001D33C7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001DF419	2_2_001DF419
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001C5680	2_2_001C5680
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001D16C4	2_2_001D16C4
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001D78D3	2_2_001D78D3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001C58C0	2_2_001C58C0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001D1BB8	2_2_001D1BB8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E9D05	2_2_001E9D05
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001BFE40	2_2_001BFE40
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001D1FD0	2_2_001D1FD0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001DBFE6	2_2_001DBFE6
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_015B3610	2_2_015B3610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106A1B8	3_2_0106A1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106E2C8	3_2_0106E2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106AA40	3_2_0106AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01064AA0	3_2_01064AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0106DCD8	3_2_0106DCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01063E88	3_2_01063E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010641D0	3_2_010641D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06727D58	3_2_06727D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_067265D0	3_2_067265D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06725588	3_2_06725588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0672B210	3_2_0672B210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06722348	3_2_06722348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0672C158	3_2_0672C158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06727678	3_2_06727678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06725CD0	3_2_06725CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0672E380	3_2_0672E380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06720040	3_2_06720040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06720007	3_2_06720007
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_02173610	5_2_02173610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00CB41D0	6_2_00CB41D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00CBA1B8	6_2_00CBA1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00CBE6C8	6_2_00CBE6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00CB4AA0	6_2_00CB4AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00CBAA40	6_2_00CBAA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00CB3E88	6_2_00CB3E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_061D5588	6_2_061D5588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_061D65D0	6_2_061D65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_061DB210	6_2_061DB210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_061D2348	6_2_061D2348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_061DC158	6_2_061DC158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_061D7D58	6_2_061D7D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_061D7678	6_2_061D7678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_061DE380	6_2_061DE380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_061D0040	6_2_061D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_061D5CD0	6_2_061D5CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_061D0006	6_2_061D0006

Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 001D8B40 appears 42 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 001D0D27 appears 70 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 001B7F41 appears 35 times
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: String function: 008D7F41 appears 35 times
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: String function: 008F0D27 appears 70 times
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: String function: 008F8B40 appears 42 times

Source: Arrival Notice.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.name.exe.3950000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.name.exe.15d0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.name.exe.3950000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.name.exe.15d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 2.2.name.exe.15d0000.1.raw.unpack, slKb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.15d0000.1.raw.unpack, mAKJ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.15d0000.1.raw.unpack, xQRSe0Fg.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 2.2.name.exe.15d0000.1.raw.unpack, n3rhMa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.name.exe.15d0000.1.raw.unpack, MQzE4FWn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.15d0000.1.raw.unpack, nSmgRyX5a1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.15d0000.1.raw.unpack, 6IMLmJtk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.15d0000.1.raw.unpack, 6IMLmJtk.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.name.exe.15d0000.1.raw.unpack, 3HroK7qN.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.15d0000.1.raw.unpack, 3HroK7qN.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@2/2

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0093A2D5 GetLastError,FormatMessageW,

0_2_0093A2D5

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00928713 AdjustTokenPrivileges,CloseHandle,	0_2_00928713
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00928CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00928CC3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00208713 AdjustTokenPrivileges,CloseHandle,	2_2_00208713
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00208CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_00208CC3

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0093B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0093B59E

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0094F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0094F121

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_009486D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_009486D0

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_008D4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008D4FE9

Source: C:\Users\user\Desktop\Arrival Notice.exe

File created: C:\Users\user\AppData\Local\directory

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Arrival Notice.exe

File created: C:\Users\user\AppData\Local\Temp\autA3B6.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"

Source: Arrival Notice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Arrival Notice.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\Arrival Notice.exe

File read: C:\Users\user\Desktop\Arrival Notice.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Arrival Notice.exe "C:\Users\user\Desktop\Arrival Notice.exe"
Source: C:\Users\user\Desktop\Arrival Notice.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\Arrival Notice.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Arrival Notice.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\Desktop\Arrival Notice.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\Arrival Notice.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Arrival Notice.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Arrival Notice.exe

Static file information: File size 1246208 > 1048576

Source: Arrival Notice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Arrival Notice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Arrival Notice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Arrival Notice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Arrival Notice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Arrival Notice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Arrival Notice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.2083901923.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2085516595.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.2222185062.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.2222613590.0000000004000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000002.00000003.2083901923.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2085516595.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.2222185062.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.2222613590.0000000004000000.00000004.00001000.00020000.00000000.sdmp

Source: Arrival Notice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Arrival Notice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Arrival Notice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Arrival Notice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Arrival Notice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0094C304 LoadLibraryA,GetProcAddress,

0_2_0094C304

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008F8B85 push ecx; ret	0_2_008F8B98
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001BC590 push eax; retn 001Bh	2_2_001BC599
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001D8B85 push ecx; ret	2_2_001D8B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01060C45 push ebx; retf	3_2_01060C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01060C53 push ebx; retf	3_2_01060C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00CB0C45 push ebx; retf	6_2_00CB0C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00CB0C53 push ebx; retf	6_2_00CB0C52

Source: 2.2.name.exe.15d0000.1.raw.unpack, SMn5.cs	High entropy of concatenated method names: '_8Vimx', 'f7lK', 'uMKvoi6J', 'FWTI9h04fKT', 'OvYNDn1nF7', 'Uc1YsRO0ov', 'qvyIh', 'Q626D', 'VHPMMtos', 'MchLpClTgX'
Source: 5.2.name.exe.3950000.1.raw.unpack, SMn5.cs	High entropy of concatenated method names: '_8Vimx', 'f7lK', 'uMKvoi6J', 'FWTI9h04fKT', 'OvYNDn1nF7', 'Uc1YsRO0ov', 'qvyIh', 'Q626D', 'VHPMMtos', 'MchLpClTgX'

Source: C:\Users\user\Desktop\Arrival Notice.exe

File created: C:\Users\user\AppData\Local\directory\name.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (68).png

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_008D4A35
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_009555FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_009555FD
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001B4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_001B4A35
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_002355FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_002355FD

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_008F33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_008F33C7

Source: C:\Users\user\Desktop\Arrival Notice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\directory\name.exe	API/Special instruction interceptor: Address: 15B3234
Source: C:\Users\user\AppData\Local\directory\name.exe	API/Special instruction interceptor: Address: 2173234

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2396	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2003	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7858	Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\Arrival Notice.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-100703

Source: C:\Users\user\Desktop\Arrival Notice.exe	API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\directory\name.exe	API coverage: 4.9 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00934696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00934696
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0093C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0093C9C7
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0093C93C FindFirstFileW,FindClose,	0_2_0093C93C
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0093F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0093F200
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0093F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0093F35D
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0093F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0093F65E
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00933A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00933A2B
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00933D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00933D4E
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0093BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0093BF27
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00214696 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00214696
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0021C93C FindFirstFileW,FindClose,	2_2_0021C93C
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0021C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0021C9C7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0021F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0021F200
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0021F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0021F35D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0021F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0021F65E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00213A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00213A2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00213D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00213D4E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0021BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0021BF27

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_008D4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008D4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99549	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99423	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97248	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97129	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97013	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96122	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96012	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94842	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94733	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98901	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98793	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98138	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97027	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96794	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94593	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: RegSvcs.exe, 00000006.00000002.4537874564.0000000005CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: RegSvcs.exe, 00000006.00000002.4535339176.0000000003B38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IHgfSrloXJZ42t0KsSckkZ5OeaxVhmdXZbeZlj++RExC8Z54445qNTvZAoYmQZQBT8w9
Source: RegSvcs.exe, 00000003.00000002.2228660326.0000000005FFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Arrival Notice.exe	API call chain: ExitProcess graph end node	graph_0-99109
Source: C:\Users\user\Desktop\Arrival Notice.exe	API call chain: ExitProcess graph end node	graph_0-99175
Source: C:\Users\user\AppData\Local\directory\name.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_009441FD BlockInput,

0_2_009441FD

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_008D3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_008D3B4C

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00905CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00905CCC

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0094C304 LoadLibraryA,GetProcAddress,

0_2_0094C304

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_014C3500 mov eax, dword ptr fs:[00000030h]	0_2_014C3500
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_014C34A0 mov eax, dword ptr fs:[00000030h]	0_2_014C34A0
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_014C1E70 mov eax, dword ptr fs:[00000030h]	0_2_014C1E70
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_015B3500 mov eax, dword ptr fs:[00000030h]	2_2_015B3500
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_015B34A0 mov eax, dword ptr fs:[00000030h]	2_2_015B34A0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_015B1E70 mov eax, dword ptr fs:[00000030h]	2_2_015B1E70
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_02173500 mov eax, dword ptr fs:[00000030h]	5_2_02173500
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_021734A0 mov eax, dword ptr fs:[00000030h]	5_2_021734A0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 5_2_02171E70 mov eax, dword ptr fs:[00000030h]	5_2_02171E70

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_009281F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_009281F7

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008FA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008FA395
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_008FA364 SetUnhandledExceptionFilter,	0_2_008FA364
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001DA364 SetUnhandledExceptionFilter,	2_2_001DA364
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001DA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_001DA395

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A8B008			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6E2008			Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00928C93 LogonUserW,

0_2_00928C93

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_008D3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_008D3B4C

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_008D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_008D4A35

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00934EC9 mouse_event,

0_2_00934EC9

Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Arrival Notice.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe

0_2_009281F7

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00934C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00934C03

Source: Arrival Notice.exe, name.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Arrival Notice.exe, name.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_008F886B cpuid

0_2_008F886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_009050D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_009050D7

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00912230 GetUserNameW,

0_2_00912230

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0090418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0090418A

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_008D4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008D4AFE

Source: C:\Users\user\Desktop\Arrival Notice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3950000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.15d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3950000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.15d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2226892130.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2226892130.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2226892130.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2224272082.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4531977929.000000000299B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 5052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3632, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: name.exe	Binary or memory string: WIN_81
Source: name.exe	Binary or memory string: WIN_XP
Source: name.exe	Binary or memory string: WIN_XPe
Source: name.exe	Binary or memory string: WIN_VISTA
Source: name.exe	Binary or memory string: WIN_7
Source: name.exe	Binary or memory string: WIN_8
Source: name.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3950000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.15d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3950000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.15d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2226892130.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2224272082.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4531977929.000000000299B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 5052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3632, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3950000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.15d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.name.exe.3950000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.15d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2226892130.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2226892130.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2226892130.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2224272082.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4531977929.000000000299B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 5052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3632, type: MEMORYSTR

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00946596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00946596
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00946A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00946A5A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00226596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_00226596
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00226A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00226A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	121 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	221 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	221 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	11 Masquerading	LSA Secrets	341 Security Software Discovery	SSH	4 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Arrival Notice.exe	63%	ReversingLabs	Win32.Trojan.Strab
Arrival Notice.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\directory\name.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\directory\name.exe	63%	ReversingLabs	Win32.Trojan.Strab

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.microsoft.c	0%	Avira URL Cloud	safe
http://mail.mahesh-ent.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		unknown
mail.mahesh-ent.com	148.66.136.151	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.mahesh-ent.com	RegSvcs.exe, 00000003.00000002.2226892130.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002A92000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002D42000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002B29000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.0000000002E54000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org	name.exe, 00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2226892130.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2224272082.0000000000402000.00000040.80000000.00040000.00000000.sdmp, name.exe, 00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.c	RegSvcs.exe, 00000006.00000002.4537874564.0000000005CF2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	name.exe, 00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2224272082.0000000000402000.00000040.80000000.00040000.00000000.sdmp, name.exe, 00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	RegSvcs.exe, 00000003.00000002.2226892130.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.2226892130.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4531977929.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
148.66.136.151	mail.mahesh-ent.com	Singapore		26496	AS-26496-GO-DADDY-COM-LLCUS	true
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467213
Start date and time:	2024-07-03 21:16:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Arrival Notice.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/10@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 274
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Arrival Notice.exe

Simulations

Behavior and APIs

Time	Type	Description
15:16:57	API Interceptor	10559185x Sleep call for process: RegSvcs.exe modified
21:16:59	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
148.66.136.151	arrival notice.exe	Get hash	malicious	AgentTesla	Browse
	LOADING ADVICE.exe	Get hash	malicious	AgentTesla	Browse
	SOA.exe	Get hash	malicious	AgentTesla	Browse
	loading advice.exe	Get hash	malicious	AgentTesla	Browse
	loading advice..exe	Get hash	malicious	AgentTesla	Browse
	Order of CTS-SFCS-104.exe	Get hash	malicious	AgentTesla	Browse
	Order of CTS-SFCS-104.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Trojan.PackedNET.2926.9666.23696.exe	Get hash	malicious	AgentTesla	Browse
	SALES CONTRACT (DRAFT).exe	Get hash	malicious	AgentTesla	Browse
	Drawing and specification.exe	Get hash	malicious	AgentTesla	Browse
104.26.12.205	SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exe	Get hash	malicious	Conti, PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.mahesh-ent.com	arrival notice.exe	Get hash	malicious	AgentTesla	Browse	148.66.136.151
	LOADING ADVICE.exe	Get hash	malicious	AgentTesla	Browse	148.66.136.151
	SOA.exe	Get hash	malicious	AgentTesla	Browse	148.66.136.151
	loading advice.exe	Get hash	malicious	AgentTesla	Browse	148.66.136.151
	loading advice..exe	Get hash	malicious	AgentTesla	Browse	148.66.136.151
	Order of CTS-SFCS-104.exe	Get hash	malicious	AgentTesla	Browse	148.66.136.151
	Order of CTS-SFCS-104.exe	Get hash	malicious	AgentTesla	Browse	148.66.136.151
	SecuriteInfo.com.Trojan.PackedNET.2926.9666.23696.exe	Get hash	malicious	AgentTesla	Browse	148.66.136.151
	SALES CONTRACT (DRAFT).exe	Get hash	malicious	AgentTesla	Browse	148.66.136.151
	Drawing and specification.exe	Get hash	malicious	AgentTesla	Browse	148.66.136.151
api.ipify.org	rnoahcrypter.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	tgBNtoWqIp.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	19808bS58f.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.6737.3783.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	9691e6dc404680cc6648726c8d124a6d4fc637bb6b4a092661308012438623b2_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	0VcrCVxnMP.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	E48ALuMJ3m.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	MzjwuZnJF0.exe	Get hash	malicious	GuLoader	Browse	104.26.12.205
	VG0x1LZCFb.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	q7r87KTHbc.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	RemittanceCopy389.html	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	https://link.mail.beehiiv.com/ls/click?upn=u001.DTQiLe1mLQCNek4IXPrb3cd8am3-2BtbSaRRShUhZCbhF1FE2NDum-2B9YeqhMivZ-2FcIJGKdOjfqgyCSTZimAiOiNKkJG3N5vgYBNDNlk5YkmOU2XPb-2FKTFlF-2Fc7jFH7Nb8Q0JW6uJclJabjCcGs0cWdzdydwDpcxzScPZQBex7SofyQj6MGdYzEG8hbxGGqYt2bpR0NjPAx6JIYz6GJiSrQNg-3D-3DNN1n_VW5ZEdFpCuXmC2nf4fwMfiBmdui0O95PSMmp4s-2F2oS3jvSHISWr6XQl8RtHpD7TWmHpRBlT8NsCamUZaroeFibjayeskXeuNnFhPFOon1-2FD6SmbcpIEUC7jghzzXsggajKIODB16RJEeGNz4SFHe6mT-2Bn59v08ju13fD9NtKJQcr97qiQNjiGiaoQJcvN3gUurUBqLZp9I4f9bNW54ZUVVCzpwaogbLaWcL9oScbt8r4Ku34t9zOqlF27gTqXVf6T2MbNMKkoCYnb-2BuL8kIZdyoRM3EFOIuktrG5gMH3OTa1K2klBhmxFOQ2d7plqd5asAi8Ofl9YcYOh-2FL4f45riCQtSdd7jru06EkHcBuJahi-2BD3xm-2F7PbjpIpmn-2Bu7KYdjQeOSKE-2FSiD6UNxc7JQNRWkdnK1RTC7eoEMZms82uCa8fJQIoMgqBt91NrcdZIDONaGhhpHXRhQ1VbYp5h6Cow-3D-3D#?email=YWx5c2EuYUBjZW50dXJ5Yml6c29sdXRpb25zLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	http://sagilityhealth.com	Get hash	malicious	Unknown	Browse	104.22.70.197
	https://hr.economictimes.indiatimes.com/etl.php?url=//uiytrewrtyuiouyt.pages.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://ddec1-0-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3A%2F%2Flodgesonvashon.us11.list-manage.com%2Ftrack%2Fclick%3Fu%3D7bd9671a0b3250a7fef40b908%26id%3Dd8775abc58%26e%3D176d192631&umid=dd8a56c0-7dd4-4bb3-bb0e-81b56ebc53fa&auth=f59947c46ffdca8529044338828c8694fe545b0c-e8ce5e3cd8a069926d864ab292898eb1f0993e46	Get hash	malicious	Unknown	Browse	172.67.190.237
	https://ddec1-0-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3A%2F%2Flodgesonvashon.us11.list-manage.com%2Ftrack%2Fclick%3Fu%3D7bd9671a0b3250a7fef40b908%26id%3Dd8775abc58%26e%3D176d192631&umid=dd8a56c0-7dd4-4bb3-bb0e-81b56ebc53fa&auth=f59947c46ffdca8529044338828c8694fe545b0c-e8ce5e3cd8a069926d864ab292898eb1f0993e46	Get hash	malicious	HTMLPhisher	Browse	172.67.190.237
	23eb97f4-980c-745d-c5e2-6fdb70189e48.eml	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//uiytrewrtyuiouyt.pages.dev/#?email=a2V2aW4uai5oYW5zZW5AeGNlbGVuZXJneS5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://truecommerceedi-my.sharepoint.com/:o:/g/personal/doug_linek_truecommerce_com/EiyWH-QHx4BNkzCWTtkFfUIB_LOEdcSk9TIJqvvJ9XzR1g?e=5%3aMKiHAE&at=9	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	payment.html	Get hash	malicious	Phisher	Browse	188.114.96.3
AS-26496-GO-DADDY-COM-LLCUS	Att00173994.exe	Get hash	malicious	FormBook	Browse	198.12.241.35
	https://newhomeagent.org/oldrealtor/empty/index.html	Get hash	malicious	HTMLPhisher	Browse	132.148.176.65
	https://83.57.205.92.host.secureserver.net/facdigitalweb?contacto/?utm_source=mail;amp;utm_medium=customer;amp;utm_campaign=FOL_Medios_de_contacto	Get hash	malicious	HTMLPhisher	Browse	208.109.213.188
	arrival notice.exe	Get hash	malicious	AgentTesla	Browse	148.66.136.151
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	GuLoader	Browse	107.180.58.64
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	GuLoader	Browse	107.180.58.64
	16bfcGvz5N.elf	Get hash	malicious	Unknown	Browse	166.62.3.68
	Att0027592.exe	Get hash	malicious	FormBook	Browse	198.12.241.35
	SR9qYL1hLF.elf	Get hash	malicious	Mirai, Moobot	Browse	132.148.33.153
	V7UaNBrX72.elf	Get hash	malicious	Mirai, Moobot	Browse	192.169.229.193

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://link.mail.beehiiv.com/ls/click?upn=u001.DTQiLe1mLQCNek4IXPrb3cd8am3-2BtbSaRRShUhZCbhF1FE2NDum-2B9YeqhMivZ-2FcIJGKdOjfqgyCSTZimAiOiNKkJG3N5vgYBNDNlk5YkmOU2XPb-2FKTFlF-2Fc7jFH7Nb8Q0JW6uJclJabjCcGs0cWdzdydwDpcxzScPZQBex7SofyQj6MGdYzEG8hbxGGqYt2bpR0NjPAx6JIYz6GJiSrQNg-3D-3DNN1n_VW5ZEdFpCuXmC2nf4fwMfiBmdui0O95PSMmp4s-2F2oS3jvSHISWr6XQl8RtHpD7TWmHpRBlT8NsCamUZaroeFibjayeskXeuNnFhPFOon1-2FD6SmbcpIEUC7jghzzXsggajKIODB16RJEeGNz4SFHe6mT-2Bn59v08ju13fD9NtKJQcr97qiQNjiGiaoQJcvN3gUurUBqLZp9I4f9bNW54ZUVVCzpwaogbLaWcL9oScbt8r4Ku34t9zOqlF27gTqXVf6T2MbNMKkoCYnb-2BuL8kIZdyoRM3EFOIuktrG5gMH3OTa1K2klBhmxFOQ2d7plqd5asAi8Ofl9YcYOh-2FL4f45riCQtSdd7jru06EkHcBuJahi-2BD3xm-2F7PbjpIpmn-2Bu7KYdjQeOSKE-2FSiD6UNxc7JQNRWkdnK1RTC7eoEMZms82uCa8fJQIoMgqBt91NrcdZIDONaGhhpHXRhQ1VbYp5h6Cow-3D-3D#?email=YWx5c2EuYUBjZW50dXJ5Yml6c29sdXRpb25zLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	file.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://yournewstech.com	Get hash	malicious	Unknown	Browse	104.26.12.205
	PFbc2O8eXUJp.zip	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://www.bnaminexg.com/Invoice-yetdr.zip	Get hash	malicious	Unknown	Browse	104.26.12.205
	rnoahcrypter.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	2cFFfHDG7D.msi	Get hash	malicious	AteraAgent	Browse	104.26.12.205
	thegreatestexecutor.bat	Get hash	malicious	Unknown	Browse	104.26.12.205
	Purchase Order No.P7696#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	#Uc804#Uc790(#Uc138#Uae08)#Uacc4#Uc0b0#Uc11c 2024-06-20.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\Arrival Notice.exe
File Type:	data
Category:	dropped
Size (bytes):	149320
Entropy (8bit):	7.8836938731943365
Encrypted:	false
SSDEEP:	3072:SwI8/QD3R12aQgtBw9iKH5DYH7PBU1VUU7lAUnHj3+BEwkVbSH2P7X7Z:SwIDD3R12+S9dZEMlAUHld
MD5:	298BBF26B85A7A461A022D093B4C93A9
SHA1:	9670B8099FD6042CB27AC2132D8D147D37A1AAB3
SHA-256:	CEF00C162693E7288D3558531670672DEE84C7839B54CD68B6ADD9EC7D6CFF40
SHA-512:	D7FAF2B895A97FA3B13602095630473D209A10B698BB9D3CA97A5EF3D3CDA2B0694C27376E531C8637BE7651C69C24EEAB5A04380F6B7BB84C05EDFFCBCB7173
Malicious:	false
Reputation:	low
Preview:	EA06.....C9T.>.L.S.s~F.R..TZMZ.M......BoO.T.......\|\..B}P......-...V.4.A%.OhR....#....$.wj.H-2I\|.!&../...^. .M.4z.>....D..7..5..f.#.d.b.Q.O)...?.Q..k....a..y........h.6ao..).9...34...[..y.4.S...k.0..i.....Z........#...F...<u.je.........O..S...&.....T...Gl3..z.P}<.`.@.P..jT.@......V..o.....C\..R@..5D.....Q+..o).MkT....@A/..G.......jH.....&T..2....w.]J..(R.X....).W...\|.W....G.R3.....4..k?...y..E...]o....+.m..9..O...[.B.{.{../E...u.T...c...D..=.I.....W..q;....9.A>....S..y......a._..u...o...F%..O..IT.oc......V.....#QD..z;.6{;..hk.x.".I...I.o7..`a..].9.... .......d.......H...8..N..(.....P......B.(U@......x.uZ.......:.......xs._.M...........Be.,>.%2.A.qZ..AA..h..4Wm..q....O..R.p.\.mI.U....k.A..l..uJ....uF.w.C...u..i.b <.F.....#..<.....d.. s.U-.....9.2.;Y7......+.E.N'r...8..5$.M$.Z.Q........b.H...h.....k.uf;..DT.v..Y.V....!!0......N.J.."Uj.&5......).T.t..Z.V.S.[...qN..!..URe/../.J}.h.xY.3Y..b..^!..Mj.:. '4.d..N.k)...-V.Q...-"q...f..N...F...l.

C:\Users\user\AppData\Local\Temp\autA405.tmp

Download File

Process:	C:\Users\user\Desktop\Arrival Notice.exe
File Type:	data
Category:	dropped
Size (bytes):	9842
Entropy (8bit):	7.596876375424286
Encrypted:	false
SSDEEP:	192:65jwEiqxwzMZTG3cL8Z1KDS7kPgKnVx00uYsLLZbku5nDkUcS:I6qxwzMZy3kDS7kPgKD8BLdIakQ
MD5:	BEDFA8109472436EFCDDCC5DB4B355FD
SHA1:	AA532618BA72610E2B3C4C3F0DC75E2C5C13463F
SHA-256:	24BD552677A47E0DC827BB9E19FF928BDCA606DDAC6B96A2744AD45DCCD4E73C
SHA-512:	910F6D68460E42162CCA8BA892499ECB5EB911D3B6366DEA0837F2A38597A78E58E95D99FE79E9F51A24DCE5F768C53947CE370C684FFBDACF5156512C82FDBE
Malicious:	false
Reputation:	low
Preview:	EA06..pT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........\|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.\|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.\|........}S{....7...\| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i\|v)....b.h.,@..%........9....c...\|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@

C:\Users\user\AppData\Local\Temp\autA6F2.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	149320
Entropy (8bit):	7.8836938731943365
Encrypted:	false
SSDEEP:	3072:SwI8/QD3R12aQgtBw9iKH5DYH7PBU1VUU7lAUnHj3+BEwkVbSH2P7X7Z:SwIDD3R12+S9dZEMlAUHld
MD5:	298BBF26B85A7A461A022D093B4C93A9
SHA1:	9670B8099FD6042CB27AC2132D8D147D37A1AAB3
SHA-256:	CEF00C162693E7288D3558531670672DEE84C7839B54CD68B6ADD9EC7D6CFF40
SHA-512:	D7FAF2B895A97FA3B13602095630473D209A10B698BB9D3CA97A5EF3D3CDA2B0694C27376E531C8637BE7651C69C24EEAB5A04380F6B7BB84C05EDFFCBCB7173
Malicious:	false
Reputation:	low
Preview:	EA06.....C9T.>.L.S.s~F.R..TZMZ.M......BoO.T.......\|\..B}P......-...V.4.A%.OhR....#....$.wj.H-2I\|.!&../...^. .M.4z.>....D..7..5..f.#.d.b.Q.O)...?.Q..k....a..y........h.6ao..).9...34...[..y.4.S...k.0..i.....Z........#...F...<u.je.........O..S...&.....T...Gl3..z.P}<.`.@.P..jT.@......V..o.....C\..R@..5D.....Q+..o).MkT....@A/..G.......jH.....&T..2....w.]J..(R.X....).W...\|.W....G.R3.....4..k?...y..E...]o....+.m..9..O...[.B.{.{../E...u.T...c...D..=.I.....W..q;....9.A>....S..y......a._..u...o...F%..O..IT.oc......V.....#QD..z;.6{;..hk.x.".I...I.o7..`a..].9.... .......d.......H...8..N..(.....P......B.(U@......x.uZ.......:.......xs._.M...........Be.,>.%2.A.qZ..AA..h..4Wm..q....O..R.p.\.mI.U....k.A..l..uJ....uF.w.C...u..i.b <.F.....#..<.....d.. s.U-.....9.2.;Y7......+.E.N'r...8..5$.M$.Z.Q........b.H...h.....k.uf;..DT.v..Y.V....!!0......N.J.."Uj.&5......).T.t..Z.V.S.[...qN..!..URe/../.J}.h.xY.3Y..b..^!..Mj.:. '4.d..N.k)...-V.Q...-"q...f..N...F...l.

C:\Users\user\AppData\Local\Temp\autA731.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9842
Entropy (8bit):	7.596876375424286
Encrypted:	false
SSDEEP:	192:65jwEiqxwzMZTG3cL8Z1KDS7kPgKnVx00uYsLLZbku5nDkUcS:I6qxwzMZy3kDS7kPgKD8BLdIakQ
MD5:	BEDFA8109472436EFCDDCC5DB4B355FD
SHA1:	AA532618BA72610E2B3C4C3F0DC75E2C5C13463F
SHA-256:	24BD552677A47E0DC827BB9E19FF928BDCA606DDAC6B96A2744AD45DCCD4E73C
SHA-512:	910F6D68460E42162CCA8BA892499ECB5EB911D3B6366DEA0837F2A38597A78E58E95D99FE79E9F51A24DCE5F768C53947CE370C684FFBDACF5156512C82FDBE
Malicious:	false
Reputation:	low
Preview:	EA06..pT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........\|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.\|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.\|........}S{....7...\| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i\|v)....b.h.,@..%........9....c...\|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@

C:\Users\user\AppData\Local\Temp\autDC1B.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	149320
Entropy (8bit):	7.8836938731943365
Encrypted:	false
SSDEEP:	3072:SwI8/QD3R12aQgtBw9iKH5DYH7PBU1VUU7lAUnHj3+BEwkVbSH2P7X7Z:SwIDD3R12+S9dZEMlAUHld
MD5:	298BBF26B85A7A461A022D093B4C93A9
SHA1:	9670B8099FD6042CB27AC2132D8D147D37A1AAB3
SHA-256:	CEF00C162693E7288D3558531670672DEE84C7839B54CD68B6ADD9EC7D6CFF40
SHA-512:	D7FAF2B895A97FA3B13602095630473D209A10B698BB9D3CA97A5EF3D3CDA2B0694C27376E531C8637BE7651C69C24EEAB5A04380F6B7BB84C05EDFFCBCB7173
Malicious:	false
Reputation:	low
Preview:	EA06.....C9T.>.L.S.s~F.R..TZMZ.M......BoO.T.......\|\..B}P......-...V.4.A%.OhR....#....$.wj.H-2I\|.!&../...^. .M.4z.>....D..7..5..f.#.d.b.Q.O)...?.Q..k....a..y........h.6ao..).9...34...[..y.4.S...k.0..i.....Z........#...F...<u.je.........O..S...&.....T...Gl3..z.P}<.`.@.P..jT.@......V..o.....C\..R@..5D.....Q+..o).MkT....@A/..G.......jH.....&T..2....w.]J..(R.X....).W...\|.W....G.R3.....4..k?...y..E...]o....+.m..9..O...[.B.{.{../E...u.T...c...D..=.I.....W..q;....9.A>....S..y......a._..u...o...F%..O..IT.oc......V.....#QD..z;.6{;..hk.x.".I...I.o7..`a..].9.... .......d.......H...8..N..(.....P......B.(U@......x.uZ.......:.......xs._.M...........Be.,>.%2.A.qZ..AA..h..4Wm..q....O..R.p.\.mI.U....k.A..l..uJ....uF.w.C...u..i.b <.F.....#..<.....d.. s.U-.....9.2.;Y7......+.E.N'r...8..5$.M$.Z.Q........b.H...h.....k.uf;..DT.v..Y.V....!!0......N.J.."Uj.&5......).T.t..Z.V.S.[...qN..!..URe/../.J}.h.xY.3Y..b..^!..Mj.:. '4.d..N.k)...-V.Q...-"q...f..N...F...l.

C:\Users\user\AppData\Local\Temp\autDC8A.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9842
Entropy (8bit):	7.596876375424286
Encrypted:	false
SSDEEP:	192:65jwEiqxwzMZTG3cL8Z1KDS7kPgKnVx00uYsLLZbku5nDkUcS:I6qxwzMZy3kDS7kPgKD8BLdIakQ
MD5:	BEDFA8109472436EFCDDCC5DB4B355FD
SHA1:	AA532618BA72610E2B3C4C3F0DC75E2C5C13463F
SHA-256:	24BD552677A47E0DC827BB9E19FF928BDCA606DDAC6B96A2744AD45DCCD4E73C
SHA-512:	910F6D68460E42162CCA8BA892499ECB5EB911D3B6366DEA0837F2A38597A78E58E95D99FE79E9F51A24DCE5F768C53947CE370C684FFBDACF5156512C82FDBE
Malicious:	false
Reputation:	low
Preview:	EA06..pT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........\|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.\|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.\|........}S{....7...\| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i\|v)....b.h.,@..%........9....c...\|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@

C:\Users\user\AppData\Local\Temp\brawlys

Download File

Process:	C:\Users\user\Desktop\Arrival Notice.exe
File Type:	ASCII text, with very long lines (28756), with no line terminators
Category:	dropped
Size (bytes):	28756
Entropy (8bit):	3.592228891803325
Encrypted:	false
SSDEEP:	768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbp+IAyd4vfF3if6gyuqY:miTZ+2QoioGRk6ZklputwjpjBkCiw2Rh
MD5:	EFF99813AA6E4E81A2FB99794D10F3F3
SHA1:	72350AA8B62EB331AE037ECF1995AD693E81463C
SHA-256:	F1FC41E1ECC7CDD59277453FB0C6246CCA899DAFF29125B403BC3C9EF508A029
SHA-512:	C1E0F571647103DCC0D2E6B15ABC4928F20E1A26058AC99D8ED57A30D8FEE73A3441C5E059AFF2DEB39DA6AE6EBDA84A89C5AAF136060D58662D315DE18D58FF
Malicious:	false
Reputation:	low
Preview:	8D6804F867D7E3ED21599F86932DA5673082A29A59B06B261C54E6F1DF089BBB368C973697738FDC880x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffff

C:\Users\user\AppData\Local\Temp\misrun

Download File

Process:	C:\Users\user\Desktop\Arrival Notice.exe
File Type:	data
Category:	dropped
Size (bytes):	242688
Entropy (8bit):	6.615883545071942
Encrypted:	false
SSDEEP:	6144:9cH9sKHMp1YRDRybetHbIpMYKBCgM3WtW:+9sK61YRDRPHkp9gM3sW
MD5:	B378E58431A93DD5F62E717E260A2AD5
SHA1:	7CF20C60DF5BBC57C07C9E24A1AE3DEA6A7EAE9D
SHA-256:	37C2740218CCA73CA30008FF9A04733095EB364FD1CD723FFE11FBA1CA39C630
SHA-512:	67A3EFB5A5D3B8F32284E920C05BE1D0624697EDBB28A4B331E2633DCA8E9CEECC51674BA25806118FA875AB38D40B0D8C7F1F80F24A68F9CFDA6BC325EEF334
Malicious:	false
Reputation:	low
Preview:	...M3OEL<NS7.JR.JREIVZMpOEL8NS77OJROJREIVZM0OEL8NS77OJROJRE.VZM>P.B8.Z...K..k.- %z=B ">Y#sTV!$=;j0 i$/#.&+l\|...Z .7aG_OmVZM0OELh.S7{NIR..a#IVZM0OEL.NQ6<NARO.QEI^ZM0OEL..P77oJRO.QEIV.M0oEL8LS73OJROJREMVZM0OEL8nW77MJROJREKV..0OUL8^S77OZROZREIVZM OEL8NS77OJR+.QE.VZM0.FL~KS77OJROJREIVZM0OEL8NW7;OJROJREIVZM0OEL8NS77OJROJREIVZM0OEL8NS77OJROJREIVZM0oEL0NS77OJROJREAvZMxOEL8NS77OJRa>7==VZM..FL8nS77.IROHREIVZM0OEL8NS7.OJ2a8!7VZMvJEL8.P77IJRO.QEIVZM0OEL8NS7wOJ.a87)&5ZM<OEL8NW77MJRO.QEIVZM0OEL8NS7wOJ.OJREIVZM0OEL8NS7..IROJRE.VZM2O@Lh.Q7#{KRLJREHVZK0OEL8NS77OJROJREIVZM0OEL8NS77OJROJREIVZM0OEL8NS7....{.+dGRH.j.).4..Y..3..F.O.K[.s.^.....h?T..V.B...1...:.ZJ3S...../N=6&.@.@+.R....k{9p..JV.)...4`.$Ta....if...8C....>..*97cQ?5 ]`.VQ.8;.H.DIVZM......^7..bI][}D".....\+a...1JRE-VZMBOELYNS7pOJR JRE'VZMNOELFNS7qOJR.JRE~VZM.OELUNS7.OJR1JRE.+UB...%K.77OJRz..u.;....{....F.4.-r...2....@..A;.@.....\.=..'..J...06INWMMVFEkT...m:JW25HNQCw\....l.i....F...0.9IVZM0O.L8.S77..R.JRE.V.M..EL8.7.O.R...E

C:\Users\user\AppData\Local\directory\name.exe

Download File

Process:	C:\Users\user\Desktop\Arrival Notice.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1246208
Entropy (8bit):	6.927575832799878
Encrypted:	false
SSDEEP:	24576:vAHnh+eWsN3skA4RV1Hom2KXMmHa0e6nnjqKoepv9JpkUmgJQv5:Sh+ZkldoPK8Ya6jqKoepv9JpNJA
MD5:	954F20C5963FC61A5848F7BF9FEF6BA4
SHA1:	FC49C57595E06950054AF47AC676C122B18DBA41
SHA-256:	7D32FFB777ED327A39961748D04917F29B52BF373E7CB07A64CC86EBC172352B
SHA-512:	9BED0BBB403F60CFC2CC13A93784C356BE01A3679676505CB7BBFC86E39B658381BDB2218E0B199F35068851E58FF535C0409DE7494504E63C9EC09BBA85688D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L....).f..........".......... ....................@..........................`......:.....@...@.......@.........................\|........]......................4q...+..............................PK..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....].......^...4..............@..@.reloc..4q.......r..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	274
Entropy (8bit):	3.408374803490271
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclzXUEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNlDQ1A1z4mA2n
MD5:	86948B136B1F801E8D67F09107FE8579
SHA1:	958A64F475E162FD6B7EE3A5CC11E1D49EF7CF99
SHA-256:	AAE1242E1E0755FD14206D7FF8807311E68529F049AB1A47EA105E405C9494F7
SHA-512:	9572FB2BCBB26BFF379A3ED930BEFECD6BC1A185A8FD5B47E60D7B09A50CD49C8B92569EB9667B0EFE71540232E46BC3D64B8BAB8A5996EAB9CE3625B5E08E4F
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.n.a.m.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.927575832799878
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Arrival Notice.exe
File size:	1'246'208 bytes
MD5:	954f20c5963fc61a5848f7bf9fef6ba4
SHA1:	fc49c57595e06950054af47ac676c122b18dba41
SHA256:	7d32ffb777ed327a39961748d04917f29b52bf373e7cb07a64cc86ebc172352b
SHA512:	9bed0bbb403f60cfc2cc13a93784c356be01a3679676505cb7bbfc86e39b658381bdb2218e0b199f35068851e58ff535c0409de7494504e63c9ec09bba85688d
SSDEEP:	24576:vAHnh+eWsN3skA4RV1Hom2KXMmHa0e6nnjqKoepv9JpkUmgJQv5:Sh+ZkldoPK8Ya6jqKoepv9JpNJA
TLSH:	F245AE037780C079FFAA91B35B16E24567BDAC6A8123951F13C82A7ABDF05B1163D723
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	73191a131b1f736e

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x668529BE [Wed Jul 3 10:36:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F92DCBB707Dh
jmp 00007F92DCBA9E34h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F92DCBA9FBAh
cmp edi, eax
jc 00007F92DCBAA31Eh
bt dword ptr [004C41FCh], 01h
jnc 00007F92DCBA9FB9h
rep movsb
jmp 00007F92DCBAA2CCh
cmp ecx, 00000080h
jc 00007F92DCBAA184h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F92DCBA9FC0h
bt dword ptr [004BF324h], 01h
jc 00007F92DCBAA490h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F92DCBAA15Dh
test edi, 00000003h
jne 00007F92DCBAA16Eh
test esi, 00000003h
jne 00007F92DCBAA14Dh
bt edi, 02h
jnc 00007F92DCBA9FBFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F92DCBA9FC3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F92DCBAA015h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x65da4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12e000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x65da4	0x65e00	d11a97978a51eb1aaa7bfc828fac9ca4	False	0.6538846817484663	data	7.160081904626778	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12e000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc86c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc87f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc8918	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8a40	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.5671641791044776
RT_ICON	0xc98e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.6624548736462094
RT_ICON	0xca190	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	Great Britain	0.6036866359447005
RT_ICON	0xca858	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.47760115606936415
RT_ICON	0xcadc0	0x64c1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.9930989028030861
RT_ICON	0xd1284	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	Great Britain	0.1848456169407311
RT_ICON	0xe1aac	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	Great Britain	0.3375551818372924
RT_ICON	0xeaf54	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	English	Great Britain	0.34515037593984965
RT_ICON	0xf173c	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	Great Britain	0.3652033271719039
RT_ICON	0xf6bc4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	Great Britain	0.3302432687765706
RT_ICON	0xfadec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.49813278008298756
RT_ICON	0xfd394	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.5572232645403377
RT_ICON	0xfe43c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	Great Britain	0.7163934426229508
RT_ICON	0xfedc4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.7562056737588653
RT_MENU	0xff22c	0x50	data	English	Great Britain	0.9
RT_STRING	0xff27c	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xff810	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xffe9c	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0x10032c	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0x100928	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0x100f84	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0x1013ec	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0x101544	0x2c28c	data			1.0003648908644596
RT_GROUP_ICON	0x12d7d0	0xca	data	English	Great Britain	0.6683168316831684
RT_GROUP_ICON	0x12d89c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x12d8b0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x12d8c4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x12d8d8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x12d9b4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/03/24-21:20:37.832940	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49726	587	192.168.2.6	148.66.136.151
07/03/24-21:18:53.976045	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49711	587	192.168.2.6	148.66.136.151
07/03/24-21:19:36.768009	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49716	587	192.168.2.6	148.66.136.151
07/03/24-21:19:53.289503	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49719	587	192.168.2.6	148.66.136.151
07/03/24-21:19:19.246288	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49713	587	192.168.2.6	148.66.136.151
07/03/24-21:17:01.207853	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49700	587	192.168.2.6	148.66.136.151
07/03/24-21:20:05.972440	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49722	587	192.168.2.6	148.66.136.151
07/03/24-21:20:24.508698	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49725	587	192.168.2.6	148.66.136.151
07/03/24-21:19:33.245041	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49715	587	192.168.2.6	148.66.136.151
07/03/24-21:17:15.105650	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49702	587	192.168.2.6	148.66.136.151
07/03/24-21:19:36.767963	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49716	587	192.168.2.6	148.66.136.151
07/03/24-21:18:53.976163	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49711	587	192.168.2.6	148.66.136.151
07/03/24-21:19:53.289584	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49719	587	192.168.2.6	148.66.136.151
07/03/24-21:20:37.833155	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49726	587	192.168.2.6	148.66.136.151
07/03/24-21:19:19.246440	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49713	587	192.168.2.6	148.66.136.151
07/03/24-21:19:33.244969	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49715	587	192.168.2.6	148.66.136.151
07/03/24-21:20:05.972198	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49722	587	192.168.2.6	148.66.136.151
07/03/24-21:20:24.508803	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49725	587	192.168.2.6	148.66.136.151

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 21:16:56.558377981 CEST	49699	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:16:56.558429003 CEST	443	49699	104.26.12.205	192.168.2.6
Jul 3, 2024 21:16:56.558505058 CEST	49699	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:16:56.566762924 CEST	49699	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:16:56.566792011 CEST	443	49699	104.26.12.205	192.168.2.6
Jul 3, 2024 21:16:57.068104982 CEST	443	49699	104.26.12.205	192.168.2.6
Jul 3, 2024 21:16:57.068200111 CEST	49699	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:16:57.072804928 CEST	49699	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:16:57.072843075 CEST	443	49699	104.26.12.205	192.168.2.6
Jul 3, 2024 21:16:57.074049950 CEST	443	49699	104.26.12.205	192.168.2.6
Jul 3, 2024 21:16:57.124484062 CEST	49699	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:16:57.172513008 CEST	443	49699	104.26.12.205	192.168.2.6
Jul 3, 2024 21:16:57.239218950 CEST	443	49699	104.26.12.205	192.168.2.6
Jul 3, 2024 21:16:57.239296913 CEST	443	49699	104.26.12.205	192.168.2.6
Jul 3, 2024 21:16:57.239367962 CEST	49699	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:16:57.246239901 CEST	49699	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:16:57.775264025 CEST	49700	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:16:57.780082941 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:16:57.780149937 CEST	49700	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:16:59.064918995 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:16:59.065155029 CEST	49700	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:16:59.069945097 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:16:59.411030054 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:16:59.411935091 CEST	49700	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:16:59.416862965 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:16:59.766864061 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:16:59.767934084 CEST	49700	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:16:59.772701025 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:00.122912884 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:00.123971939 CEST	49700	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:00.129540920 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:00.471105099 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:00.474175930 CEST	49700	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:00.479053020 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:00.861372948 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:00.861557007 CEST	49700	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:00.866405964 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:01.207077980 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:01.207853079 CEST	49700	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:01.207907915 CEST	49700	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:01.207931995 CEST	49700	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:01.207951069 CEST	49700	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:01.212734938 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:01.212747097 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:01.212847948 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:01.213032007 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:09.529084921 CEST	587	49700	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:09.581794024 CEST	49700	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:10.433630943 CEST	49701	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:17:10.433660984 CEST	443	49701	104.26.12.205	192.168.2.6
Jul 3, 2024 21:17:10.434206963 CEST	49701	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:17:10.437963009 CEST	49701	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:17:10.437975883 CEST	443	49701	104.26.12.205	192.168.2.6
Jul 3, 2024 21:17:10.685949087 CEST	49700	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:10.937426090 CEST	443	49701	104.26.12.205	192.168.2.6
Jul 3, 2024 21:17:10.937503099 CEST	49701	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:17:10.939914942 CEST	49701	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:17:10.939919949 CEST	443	49701	104.26.12.205	192.168.2.6
Jul 3, 2024 21:17:10.940145969 CEST	443	49701	104.26.12.205	192.168.2.6
Jul 3, 2024 21:17:10.988049984 CEST	49701	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:17:10.990087032 CEST	49701	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:17:11.032501936 CEST	443	49701	104.26.12.205	192.168.2.6
Jul 3, 2024 21:17:11.104110003 CEST	443	49701	104.26.12.205	192.168.2.6
Jul 3, 2024 21:17:11.104160070 CEST	443	49701	104.26.12.205	192.168.2.6
Jul 3, 2024 21:17:11.104213953 CEST	49701	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:17:11.107393026 CEST	49701	443	192.168.2.6	104.26.12.205
Jul 3, 2024 21:17:11.662605047 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:11.667429924 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:11.667535067 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:12.984143972 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:12.984508991 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:12.989345074 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:13.329878092 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:13.330318928 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:13.335119963 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:13.676126003 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:13.676625013 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:13.682048082 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:14.028019905 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:14.028291941 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:14.033472061 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:14.373405933 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:14.373694897 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:14.379760981 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:14.756536961 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:14.756766081 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:14.761578083 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:15.104967117 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:15.105649948 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:15.105649948 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:15.105709076 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:15.105709076 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:17:15.110765934 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:15.110780954 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:15.111432076 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:15.111442089 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:23.370948076 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:17:23.425678968 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:49.239933968 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:49.244987965 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:49.633806944 CEST	49709	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:49.638842106 CEST	587	49709	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:49.642052889 CEST	49709	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:49.788513899 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:49.788548946 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:49.788626909 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:49.788714886 CEST	49702	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:49.789870977 CEST	49710	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:49.793497086 CEST	587	49702	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:49.794785976 CEST	587	49710	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:49.798672915 CEST	49710	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:50.722945929 CEST	587	49709	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:50.723114014 CEST	49709	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:50.724023104 CEST	587	49710	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:50.724035978 CEST	587	49710	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:50.724097013 CEST	49710	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:50.724118948 CEST	587	49710	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:50.724164009 CEST	49710	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:50.727855921 CEST	587	49709	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:50.785182953 CEST	49709	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:50.790328979 CEST	587	49709	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:50.790390968 CEST	49709	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:50.876827955 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:50.881669998 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:50.881736040 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:51.771159887 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:51.772197962 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:51.777786970 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:52.124577045 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:52.124771118 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:52.129631042 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:52.476636887 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:52.476824045 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:52.481740952 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:52.841259003 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:52.841397047 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:52.846201897 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.192214966 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.192358971 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.197091103 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.579090118 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.585933924 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.591737032 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.974167109 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.976044893 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.976044893 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.976162910 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.976162910 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.978635073 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.980812073 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.980879068 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.980887890 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.981004953 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.981065035 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.983427048 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.983472109 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.983484030 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.983491898 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.983506918 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.983650923 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.983659029 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.983692884 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.985601902 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.985613108 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.985908031 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.986552954 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.988468885 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.988519907 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.988574982 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.988697052 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.989072084 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.990725040 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.991318941 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.993527889 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.993577003 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.993587971 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.994625092 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:18:53.995563030 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.995673895 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.995682955 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.995699883 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.995708942 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.995754957 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.995991945 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.998433113 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.998542070 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.998550892 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.998558044 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.998604059 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.998614073 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.998621941 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.998630047 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.998655081 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.998663902 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.998795033 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.998981953 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.998991013 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:53.999526978 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:54.000334978 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:54.000343084 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:54.000353098 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:54.000360012 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:54.000375032 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:54.000416994 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:54.000462055 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:18:54.001058102 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:02.287866116 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:02.293154955 CEST	587	49711	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:02.293292999 CEST	49711	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:02.352921009 CEST	49712	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:02.358176947 CEST	587	49712	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:02.358239889 CEST	49712	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:03.245515108 CEST	587	49712	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:03.245585918 CEST	587	49712	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:03.245635986 CEST	49712	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:03.245812893 CEST	49712	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:03.250911951 CEST	587	49712	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:16.040950060 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:16.046916962 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:16.048099041 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:16.950263977 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:16.950491905 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:16.956568003 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:17.302284956 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:17.302556038 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:17.307480097 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:17.790879965 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:17.791162968 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:17.796001911 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:18.153881073 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:18.154098034 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:18.159034014 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:18.505590916 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:18.505737066 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:18.510699987 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:18.894156933 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:18.894319057 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:18.899204969 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.245860100 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.246251106 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.246288061 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.246364117 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.246439934 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.248167038 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.252737999 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.252780914 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.252789974 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.252823114 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.252855062 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.256712914 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.256731987 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.256747007 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.256788015 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.256807089 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.256870985 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.256880999 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.256930113 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.257491112 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.257503033 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.257554054 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.262917042 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.262969971 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.263020992 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.263076067 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.263324022 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.263384104 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.265507936 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.265568018 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.265604019 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.265661001 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.265731096 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.265847921 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.268591881 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.268646955 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.268774986 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.268838882 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.271006107 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.271056890 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.271094084 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.271187067 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.271550894 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.271569967 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.271604061 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.271610022 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.271625996 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:19.271691084 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.271699905 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.271708965 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.271840096 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.271848917 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.271883965 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.272068024 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.273672104 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.273683071 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.273691893 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.273708105 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.273718119 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.273726940 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.274089098 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.274128914 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.274137020 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.274147034 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.276540041 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.276550055 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.276559114 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.276596069 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.276638031 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.276648998 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.276837111 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.276846886 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.276967049 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.277090073 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.277107000 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.277116060 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.277157068 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.277165890 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.277200937 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:19.277290106 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:24.160356998 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:24.221820116 CEST	49714	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:24.332703114 CEST	587	49714	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:24.332833052 CEST	49714	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:24.332882881 CEST	587	49713	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:24.332967043 CEST	49713	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:25.203557014 CEST	587	49714	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:25.203948975 CEST	49714	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:25.203958988 CEST	587	49714	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:25.204035044 CEST	49714	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:25.208965063 CEST	587	49714	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:30.013334036 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:30.018430948 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:30.018608093 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:30.898694038 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:30.898823977 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:30.905344009 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:31.246018887 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:31.251593113 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:31.256511927 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:31.600635052 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:31.602418900 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:31.608426094 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:31.968595028 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:31.970128059 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:31.974998951 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:32.317286968 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:32.319353104 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:32.324944019 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:32.709916115 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:32.710071087 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:32.714884996 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.244626999 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.244927883 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.244968891 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.244976044 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.245040894 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.246238947 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.461951017 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.462174892 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.463017941 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.463032961 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.463041067 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.463048935 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.466075897 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.682034016 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.699435949 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.699637890 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.700567007 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.700783968 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.700841904 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.700850964 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.700886965 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.700887918 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.700922012 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.700927019 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.700968981 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.701001883 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.701001883 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.701129913 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.701141119 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.701164007 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.701433897 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.701438904 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.704498053 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.704564095 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.705461979 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.705674887 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.705843925 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.705852032 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.705884933 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.705893993 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.705928087 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.705981016 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.706011057 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.706021070 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.706111908 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.706398964 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.710059881 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.711349010 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.711467028 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.711476088 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.711572886 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.711581945 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.711585045 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:33.711711884 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.711765051 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.712146997 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.714931011 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.714941025 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.714956045 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.714963913 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.714993000 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.715003014 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.715015888 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.715913057 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.715923071 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.715929985 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.716392040 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.716401100 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.716495037 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.716502905 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.716815948 CEST	587	49715	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:33.718058109 CEST	49715	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:34.598710060 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:34.598845959 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:34.604060888 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:34.956429958 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:34.956592083 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:34.961375952 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:35.308583021 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:35.308835983 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:35.313699007 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:35.665596008 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:35.670042992 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:35.674869061 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.021584988 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.026083946 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.030977964 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.414683104 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.414815903 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.419651985 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.767528057 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.767887115 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.767962933 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.767962933 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.768008947 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.769702911 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.773617983 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.773746014 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.773756981 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.773802042 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.773891926 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.775466919 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.775490046 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.775521040 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.775544882 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.775610924 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.775621891 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.775629997 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.775643110 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.775652885 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.775669098 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.775686026 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.775762081 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.775804043 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.779295921 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.779320002 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.779347897 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.779371977 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.779417992 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.779462099 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.781122923 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.781167030 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.781291008 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.781301022 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.781327009 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.781352997 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.781579971 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.781629086 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.782057047 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.782133102 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.785063982 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.785120964 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.785218000 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.785260916 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.785396099 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.785442114 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.786927938 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.786937952 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.786983013 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:36.787062883 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.787072897 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.787357092 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.787375927 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.787817955 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.787837029 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.787956953 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.787966967 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.788120985 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.788131952 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.790884972 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.790899038 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.791013956 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.791186094 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.792515993 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.792633057 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.792642117 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.792650938 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.792659998 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.792777061 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.792937040 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.792946100 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.792954922 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.793083906 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.793092012 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.793100119 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:36.793107986 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:40.269907951 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:40.275126934 CEST	587	49716	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:40.276110888 CEST	49716	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:40.324018955 CEST	49717	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:40.328890085 CEST	587	49717	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:40.332083941 CEST	49717	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:41.205794096 CEST	587	49717	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:41.205986023 CEST	587	49717	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:41.206033945 CEST	49717	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:41.206094027 CEST	49717	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:41.212208986 CEST	587	49717	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:45.464026928 CEST	49718	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:45.469156981 CEST	587	49718	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:45.476042032 CEST	49718	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:46.320918083 CEST	587	49718	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:46.321193933 CEST	587	49718	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:46.321194887 CEST	49718	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:46.321557045 CEST	49718	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:46.326288939 CEST	587	49718	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:50.150448084 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:50.155427933 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:50.162182093 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:51.064815998 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:51.064949036 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:51.071307898 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:51.421468019 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:51.426105976 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:51.430844069 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:51.781398058 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:51.782491922 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:51.787383080 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:52.168433905 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:52.174422026 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:52.180808067 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:52.529727936 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:52.529913902 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:52.534756899 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:52.928014040 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:52.928183079 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:52.933021069 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.289176941 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.289450884 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.289503098 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.289534092 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.289583921 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.291004896 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.295309067 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.295350075 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.295382977 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.295387983 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.295430899 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.295938015 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.295943975 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.295994997 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.296019077 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.296024084 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.296051025 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.296075106 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.296094894 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.296099901 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.296149969 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.296159029 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.296219110 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.299976110 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.299982071 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.300050974 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.300260067 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.300316095 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.300807953 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.300813913 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.300863028 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.300909042 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.300957918 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.300973892 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.301008940 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.301167011 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.301218033 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.301229000 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.301234007 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.301243067 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.301299095 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.304894924 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.304951906 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.305007935 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.305088997 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.305499077 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.305584908 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.305741072 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.305803061 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.305804014 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:19:53.305867910 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.305932999 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.305938005 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.306021929 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.306060076 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.306099892 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.306190014 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.306214094 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.306243896 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.306278944 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.306282997 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.306299925 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.306303978 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.306488991 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.309801102 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310240030 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310267925 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310276985 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310317993 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310322046 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310331106 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310334921 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310555935 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310595036 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310616016 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310620070 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310666084 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310669899 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310683012 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310724020 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:19:53.310728073 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:00.176018000 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:00.181372881 CEST	587	49719	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:00.184204102 CEST	49719	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:00.228259087 CEST	49720	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:00.233107090 CEST	587	49720	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:00.234287024 CEST	49720	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:00.551042080 CEST	49720	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:00.556246996 CEST	587	49720	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:00.556319952 CEST	49720	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:00.628696918 CEST	49721	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:00.633493900 CEST	587	49721	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:00.633610964 CEST	49721	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:01.521787882 CEST	587	49721	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:01.521977901 CEST	49721	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:01.527053118 CEST	587	49721	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:01.881588936 CEST	587	49721	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:01.883466005 CEST	49721	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:01.889792919 CEST	587	49721	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:02.237632990 CEST	587	49721	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:02.237932920 CEST	49721	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:02.242764950 CEST	587	49721	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:02.607398987 CEST	587	49721	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:02.607568026 CEST	49721	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:02.612343073 CEST	587	49721	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:02.847986937 CEST	49721	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:02.853257895 CEST	587	49721	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:02.853321075 CEST	49721	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:02.930366039 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:02.935393095 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:02.935456991 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:03.823132992 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:03.823666096 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:03.828510046 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:04.170666933 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:04.172276974 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:04.177069902 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:04.529757023 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:04.530186892 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:04.535128117 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:04.883178949 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:04.883347034 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:04.888111115 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.233011961 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.233273029 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.239434958 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.624604940 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.624789000 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.629592896 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.971734047 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.972146988 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.972198009 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.972198009 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.972440004 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.976991892 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.977003098 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.977013111 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.977054119 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.977118015 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.977214098 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.982043028 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.982053041 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.982057095 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.982064962 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.982073069 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.982089043 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.982098103 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.982105017 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.982114077 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.982156992 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.982188940 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.982208967 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.982448101 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.987222910 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.987234116 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.987241983 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.987251043 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.987253904 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.987267971 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.987328053 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.987335920 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.987345934 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.987368107 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.987418890 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.987441063 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.990370989 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.992203951 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992283106 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992403984 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992413044 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992441893 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992496014 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:05.992522955 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992588043 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992634058 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992728949 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992753029 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992820978 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992857933 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992919922 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992928028 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992935896 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992944956 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992953062 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992968082 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.992974997 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.993026972 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.993036985 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.993046045 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.993052959 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.993124962 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.995167017 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.997008085 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.997019053 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.997045994 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.997445107 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.997453928 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.997508049 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.997515917 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:05.997524977 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:09.411062002 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:09.416074038 CEST	587	49722	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:09.416141987 CEST	49722	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:09.483639956 CEST	49723	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:09.505554914 CEST	587	49723	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:09.508199930 CEST	49723	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:10.380244017 CEST	587	49723	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:10.380498886 CEST	587	49723	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:10.380548954 CEST	49723	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:10.380599976 CEST	49723	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:10.385399103 CEST	587	49723	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:11.480099916 CEST	49724	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:11.484883070 CEST	587	49724	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:11.485531092 CEST	49724	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:12.454302073 CEST	587	49724	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:12.454428911 CEST	587	49724	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:12.454509974 CEST	49724	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:12.454607964 CEST	49724	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:12.460979939 CEST	587	49724	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:21.240346909 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:21.245332956 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:21.245430946 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:22.144223928 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:22.144921064 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:22.149811983 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:22.496891022 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:22.497031927 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:22.501858950 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:22.848830938 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:22.849103928 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:22.853949070 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:23.409730911 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:23.409971952 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:23.419549942 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:23.419625044 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:23.419636965 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:23.765284061 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:23.765521049 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:23.770438910 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.157167912 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.157366037 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.163234949 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.508184910 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.508614063 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.508697987 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.508724928 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.508802891 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.510445118 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.513669014 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.513714075 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.513715982 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.513716936 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.513765097 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.515295982 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.515300989 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.515326023 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.515330076 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.515355110 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.515373945 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.515429974 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.515434980 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.515474081 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.515485048 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.515526056 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.515531063 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.515536070 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.515577078 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.519458055 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.519522905 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.520153999 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.520159006 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.520212889 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.520411968 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.520476103 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.520499945 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.520505905 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.520504951 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.520523071 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.520531893 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.520558119 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.520565987 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.520571947 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.520597935 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.520632029 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.524547100 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.524619102 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.524991989 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.525062084 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.525062084 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.525125980 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.525269032 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.525333881 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.525495052 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.525598049 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.525602102 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.525612116 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.525614977 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.525691986 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.525696039 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.525700092 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.525805950 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.525810003 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.529515028 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.529525042 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.529548883 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.529728889 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.529854059 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.529863119 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.529865980 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.530029058 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.530039072 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.530050993 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.530055046 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:24.530154943 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:24.535001040 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:32.502252102 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:32.644794941 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:34.212184906 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:34.217015982 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:34.765074968 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:34.765178919 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:34.765192986 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:34.765228033 CEST	49725	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:34.766686916 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:34.769933939 CEST	587	49725	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:34.771425962 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:34.771502972 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:35.663155079 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:35.663542986 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:35.669136047 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:36.010848999 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:36.011029959 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:36.017441034 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:36.360214949 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:36.360590935 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:36.372303009 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:36.725709915 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:36.753602028 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:36.758558989 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.101125956 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.101326942 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.106141090 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.484868050 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.486350060 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.491314888 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.832369089 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.832940102 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.832940102 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.832940102 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.833154917 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.834675074 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.837868929 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.837877989 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.837883949 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.838037968 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.838041067 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.839685917 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.839690924 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.839873075 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.839883089 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.840010881 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.840020895 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.840060949 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.840096951 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.840101004 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.840137959 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.840142012 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.840192080 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.842839956 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.842966080 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.845017910 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.845041990 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.845170975 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.845175982 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.845248938 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.845253944 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.845347881 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.845354080 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.845403910 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.847949028 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.848042965 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.848325014 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.850215912 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850296974 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850302935 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850332975 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850389957 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:37.850461960 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850467920 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850541115 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850544930 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850599051 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850603104 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850673914 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850763083 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850848913 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850852966 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850862980 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.850904942 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.852869034 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.852886915 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.852896929 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.855019093 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.855029106 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.855035067 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.855037928 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.855072975 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.855077028 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.855145931 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.855149984 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.855194092 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.855197906 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.855236053 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.855240107 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.855283976 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:37.855288029 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:48.129419088 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:48.135844946 CEST	587	49726	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:48.136022091 CEST	49726	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:48.196227074 CEST	49727	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:48.201379061 CEST	587	49727	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:48.204355955 CEST	49727	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:49.076396942 CEST	587	49727	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:49.076473951 CEST	587	49727	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:49.076539993 CEST	49727	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:49.076699972 CEST	49727	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:49.081536055 CEST	587	49727	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:58.356502056 CEST	49728	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:58.361517906 CEST	587	49728	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:58.361917973 CEST	49728	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:59.250492096 CEST	587	49728	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:59.250686884 CEST	49728	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:59.255532980 CEST	587	49728	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:59.609378099 CEST	587	49728	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:59.610409975 CEST	49728	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:59.615871906 CEST	587	49728	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:59.963426113 CEST	587	49728	148.66.136.151	192.168.2.6
Jul 3, 2024 21:20:59.963679075 CEST	49728	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:20:59.970743895 CEST	587	49728	148.66.136.151	192.168.2.6
Jul 3, 2024 21:21:00.330579996 CEST	587	49728	148.66.136.151	192.168.2.6
Jul 3, 2024 21:21:00.330919027 CEST	49728	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:21:00.335763931 CEST	587	49728	148.66.136.151	192.168.2.6
Jul 3, 2024 21:21:00.680464983 CEST	587	49728	148.66.136.151	192.168.2.6
Jul 3, 2024 21:21:00.680619955 CEST	49728	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:21:00.685461044 CEST	587	49728	148.66.136.151	192.168.2.6
Jul 3, 2024 21:21:01.074122906 CEST	587	49728	148.66.136.151	192.168.2.6
Jul 3, 2024 21:21:01.145170927 CEST	49728	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:21:02.603584051 CEST	49728	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:21:02.604270935 CEST	49728	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:21:02.608556032 CEST	587	49728	148.66.136.151	192.168.2.6
Jul 3, 2024 21:21:02.609427929 CEST	587	49728	148.66.136.151	192.168.2.6
Jul 3, 2024 21:21:02.609482050 CEST	49728	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:21:02.714716911 CEST	49729	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:21:02.719908953 CEST	587	49729	148.66.136.151	192.168.2.6
Jul 3, 2024 21:21:02.720020056 CEST	49729	587	192.168.2.6	148.66.136.151
Jul 3, 2024 21:21:03.594991922 CEST	587	49729	148.66.136.151	192.168.2.6
Jul 3, 2024 21:21:03.644905090 CEST	49729	587	192.168.2.6	148.66.136.151

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 21:16:56.544857025 CEST	61915	53	192.168.2.6	1.1.1.1
Jul 3, 2024 21:16:56.552558899 CEST	53	61915	1.1.1.1	192.168.2.6
Jul 3, 2024 21:16:57.760431051 CEST	56693	53	192.168.2.6	1.1.1.1
Jul 3, 2024 21:16:57.774688005 CEST	53	56693	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 21:16:56.544857025 CEST	192.168.2.6	1.1.1.1	0x424	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 3, 2024 21:16:57.760431051 CEST	192.168.2.6	1.1.1.1	0x18ea	Standard query (0)	mail.mahesh-ent.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 21:16:56.552558899 CEST	1.1.1.1	192.168.2.6	0x424	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 3, 2024 21:16:56.552558899 CEST	1.1.1.1	192.168.2.6	0x424	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 3, 2024 21:16:56.552558899 CEST	1.1.1.1	192.168.2.6	0x424	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 3, 2024 21:16:57.774688005 CEST	1.1.1.1	192.168.2.6	0x18ea	No error (0)	mail.mahesh-ent.com	148.66.136.151	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49699	104.26.12.205	443	5144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 19:16:57 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-03 19:16:57 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 19:16:57 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89d936815bfa8cc0-EWR
2024-07-03 19:16:57 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49701	104.26.12.205	443	3632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 19:17:10 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-03 19:17:11 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 19:17:11 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89d936d80903729b-EWR
2024-07-03 19:17:11 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 3, 2024 21:16:59.064918995 CEST	587	49700	148.66.136.151	192.168.2.6	220-sg2plzcpnl505494.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:16:58 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 21:16:59.065155029 CEST	49700	587	192.168.2.6	148.66.136.151	EHLO 124406
Jul 3, 2024 21:16:59.411030054 CEST	587	49700	148.66.136.151	192.168.2.6	250-sg2plzcpnl505494.prod.sin2.secureserver.net Hello 124406 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 21:16:59.411935091 CEST	49700	587	192.168.2.6	148.66.136.151	AUTH login aW5mb0BtYWhlc2gtZW50LmNvbQ==
Jul 3, 2024 21:16:59.766864061 CEST	587	49700	148.66.136.151	192.168.2.6	334 UGFzc3dvcmQ6
Jul 3, 2024 21:17:00.122912884 CEST	587	49700	148.66.136.151	192.168.2.6	235 Authentication succeeded
Jul 3, 2024 21:17:00.123971939 CEST	49700	587	192.168.2.6	148.66.136.151	MAIL FROM:<info@mahesh-ent.com>
Jul 3, 2024 21:17:00.471105099 CEST	587	49700	148.66.136.151	192.168.2.6	250 OK
Jul 3, 2024 21:17:00.474175930 CEST	49700	587	192.168.2.6	148.66.136.151	RCPT TO:<obtxxxtf@gmail.com>
Jul 3, 2024 21:17:00.861372948 CEST	587	49700	148.66.136.151	192.168.2.6	250 Accepted
Jul 3, 2024 21:17:00.861557007 CEST	49700	587	192.168.2.6	148.66.136.151	DATA
Jul 3, 2024 21:17:01.207077980 CEST	587	49700	148.66.136.151	192.168.2.6	354 Enter message, ending with "." on a line by itself
Jul 3, 2024 21:17:01.207951069 CEST	49700	587	192.168.2.6	148.66.136.151	.
Jul 3, 2024 21:17:09.529084921 CEST	587	49700	148.66.136.151	192.168.2.6	250 OK id=1sP5TR-005iIz-0A
Jul 3, 2024 21:17:12.984143972 CEST	587	49702	148.66.136.151	192.168.2.6	220-sg2plzcpnl505494.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:17:12 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 21:17:12.984508991 CEST	49702	587	192.168.2.6	148.66.136.151	EHLO 124406
Jul 3, 2024 21:17:13.329878092 CEST	587	49702	148.66.136.151	192.168.2.6	250-sg2plzcpnl505494.prod.sin2.secureserver.net Hello 124406 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 21:17:13.330318928 CEST	49702	587	192.168.2.6	148.66.136.151	AUTH login aW5mb0BtYWhlc2gtZW50LmNvbQ==
Jul 3, 2024 21:17:13.676126003 CEST	587	49702	148.66.136.151	192.168.2.6	334 UGFzc3dvcmQ6
Jul 3, 2024 21:17:14.028019905 CEST	587	49702	148.66.136.151	192.168.2.6	235 Authentication succeeded
Jul 3, 2024 21:17:14.028291941 CEST	49702	587	192.168.2.6	148.66.136.151	MAIL FROM:<info@mahesh-ent.com>
Jul 3, 2024 21:17:14.373405933 CEST	587	49702	148.66.136.151	192.168.2.6	250 OK
Jul 3, 2024 21:17:14.373694897 CEST	49702	587	192.168.2.6	148.66.136.151	RCPT TO:<obtxxxtf@gmail.com>
Jul 3, 2024 21:17:14.756536961 CEST	587	49702	148.66.136.151	192.168.2.6	250 Accepted
Jul 3, 2024 21:17:14.756766081 CEST	49702	587	192.168.2.6	148.66.136.151	DATA
Jul 3, 2024 21:17:15.104967117 CEST	587	49702	148.66.136.151	192.168.2.6	354 Enter message, ending with "." on a line by itself
Jul 3, 2024 21:17:15.105709076 CEST	49702	587	192.168.2.6	148.66.136.151	.
Jul 3, 2024 21:17:23.370948076 CEST	587	49702	148.66.136.151	192.168.2.6	250 OK id=1sP5Te-005iXL-33
Jul 3, 2024 21:18:49.239933968 CEST	49702	587	192.168.2.6	148.66.136.151	QUIT
Jul 3, 2024 21:18:49.788513899 CEST	587	49702	148.66.136.151	192.168.2.6	221 sg2plzcpnl505494.prod.sin2.secureserver.net closing connection
Jul 3, 2024 21:18:50.722945929 CEST	587	49709	148.66.136.151	192.168.2.6	220-sg2plzcpnl505494.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:18:50 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 21:18:50.723114014 CEST	49709	587	192.168.2.6	148.66.136.151	EHLO 124406
Jul 3, 2024 21:18:50.724023104 CEST	587	49710	148.66.136.151	192.168.2.6	421 Too many concurrent SMTP connections from this IP address; please try again later.
Jul 3, 2024 21:18:51.771159887 CEST	587	49711	148.66.136.151	192.168.2.6	220-sg2plzcpnl505494.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:18:51 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 21:18:51.772197962 CEST	49711	587	192.168.2.6	148.66.136.151	EHLO 124406
Jul 3, 2024 21:18:52.124577045 CEST	587	49711	148.66.136.151	192.168.2.6	250-sg2plzcpnl505494.prod.sin2.secureserver.net Hello 124406 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 21:18:52.124771118 CEST	49711	587	192.168.2.6	148.66.136.151	AUTH login aW5mb0BtYWhlc2gtZW50LmNvbQ==
Jul 3, 2024 21:18:52.476636887 CEST	587	49711	148.66.136.151	192.168.2.6	334 UGFzc3dvcmQ6
Jul 3, 2024 21:18:52.841259003 CEST	587	49711	148.66.136.151	192.168.2.6	235 Authentication succeeded
Jul 3, 2024 21:18:52.841397047 CEST	49711	587	192.168.2.6	148.66.136.151	MAIL FROM:<info@mahesh-ent.com>
Jul 3, 2024 21:18:53.192214966 CEST	587	49711	148.66.136.151	192.168.2.6	250 OK
Jul 3, 2024 21:18:53.192358971 CEST	49711	587	192.168.2.6	148.66.136.151	RCPT TO:<obtxxxtf@gmail.com>
Jul 3, 2024 21:18:53.579090118 CEST	587	49711	148.66.136.151	192.168.2.6	250 Accepted
Jul 3, 2024 21:18:53.585933924 CEST	49711	587	192.168.2.6	148.66.136.151	DATA
Jul 3, 2024 21:18:53.974167109 CEST	587	49711	148.66.136.151	192.168.2.6	354 Enter message, ending with "." on a line by itself
Jul 3, 2024 21:19:03.245515108 CEST	587	49712	148.66.136.151	192.168.2.6	421 Too many concurrent SMTP connections from this IP address; please try again later.
Jul 3, 2024 21:19:16.950263977 CEST	587	49713	148.66.136.151	192.168.2.6	220-sg2plzcpnl505494.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:19:16 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 21:19:16.950491905 CEST	49713	587	192.168.2.6	148.66.136.151	EHLO 124406
Jul 3, 2024 21:19:17.302284956 CEST	587	49713	148.66.136.151	192.168.2.6	250-sg2plzcpnl505494.prod.sin2.secureserver.net Hello 124406 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 21:19:17.302556038 CEST	49713	587	192.168.2.6	148.66.136.151	AUTH login aW5mb0BtYWhlc2gtZW50LmNvbQ==
Jul 3, 2024 21:19:17.790879965 CEST	587	49713	148.66.136.151	192.168.2.6	334 UGFzc3dvcmQ6
Jul 3, 2024 21:19:18.153881073 CEST	587	49713	148.66.136.151	192.168.2.6	235 Authentication succeeded
Jul 3, 2024 21:19:18.154098034 CEST	49713	587	192.168.2.6	148.66.136.151	MAIL FROM:<info@mahesh-ent.com>
Jul 3, 2024 21:19:18.505590916 CEST	587	49713	148.66.136.151	192.168.2.6	250 OK
Jul 3, 2024 21:19:18.505737066 CEST	49713	587	192.168.2.6	148.66.136.151	RCPT TO:<obtxxxtf@gmail.com>
Jul 3, 2024 21:19:18.894156933 CEST	587	49713	148.66.136.151	192.168.2.6	250 Accepted
Jul 3, 2024 21:19:18.894319057 CEST	49713	587	192.168.2.6	148.66.136.151	DATA
Jul 3, 2024 21:19:19.245860100 CEST	587	49713	148.66.136.151	192.168.2.6	354 Enter message, ending with "." on a line by itself
Jul 3, 2024 21:19:19.271187067 CEST	49713	587	192.168.2.6	148.66.136.151	457V8xmmuKS8kfVZO7Ye /mxmnWt3ZbYnlWWJgWY4wVc8nHsTmoYJ0a7sbXnzBaB/wIx/SptMa+E00V0WZE4V2UDd yajtLINeWl95hBW0WPZjrnnOaqCUX8md9WUqiv5r9Sh4s/11t/ut/SufroPFn+utv91v 6Vz9e5hf4Mf66nyeYf7zL5fkhKKWkrpOIWq99/x6P+H86sVXvv8Aj0f8P51zYr+BP0f5 Hflf+/Uf8cfzR6PdCc2sotion2Hyy3QNjisbR9EeG+fUb477gjaily5X3JPU/TgVvVx0 +rauPtjRTyiJLhojI0KhY/36ooQkfN8pbOc4xXguCbTZ9bCvKEHCPU6u5tLa7ULcwRzA dA6g4p8UUcMaxxIqIowFUYArlrfVNSn1qOyW4mkijeRTJBHH+8Csg3Nu4AG4g7fTpXWU 7Lcz5nblvoeZ2P8Ax6J+P86nqCx/49E/H+dT172F/gQ9F+R8tmn+/Vv8cvzYUUUV0HAU 9T/491/3x/I1u6fqdqvhEvJPGLy3ilgjQsNx3kcgdfT8qyLmD7RGE3bcHOcZq5pPhP8A tK2eb7d5W1ymPKz2B9feubEclk5u2p6+XzunCO5b1DU7R/CKyJNGb24iit5EDjcAhPJH Xnn8xU3hEzjw5L5AuS32s5+z+XuxsX/npxj9aZ/wgX/UT/8AIH/2VdDoGkDRrFrYTmbd IZC23b1AHTJ9K4qlSkqbjB31PVhCbleSsVt2pf3NY/8AJOs3xX/yFY/+uC/+hNXXVyPi v/kKx/8AXBf/AEJqzw0r1o6d/wAjLHq2Gl8vzRi0UUV7R8wFFFFABRRRQAUUlFAC8UlF FABRRRQMKSlooASiiigAooooAKKKKACkoooGFFFFABSUUUAFFFFAwooooASiiigAoooo AKKKSgYUUUUAJRRRQMKDRSUAFFFFACUUUUDCiiigApKWkoGFFFFACUUUUAFJS0lAwooo pgJRRRQMKSlpO9ABRRRQMSiiigApKWkoGFJS0lABRRRQMSiiigApKKKBhSUtJQAUlLSU DCiiigApKWkoGJRRRQMKSiigANJRRTGFFFFIBKKKKBhSUUUDCkpaSmAUlFFAwpKWkpAF FFFMYlFFFACdaKOtFAwpKKKBhSUtJQAUUUlAwooooGJRRRQAUlHvRQMKKKSgAooooGJR RRQAfWiiigYlFLSUAFBpBRQAUUUUDOppaFDO4RFZmPRVBJP4U1D5n3AX4LfKM8Dqai6R 4ai3siWGWSCQSRMVYdCK2G1lJrBhImJhj5QxXdz1BByKwt4G4EMCq7yNpyF65+nvUkkM 0TIstvMhkOEDRsNx9Bkc1yV8PRrtOe6OzD4jEYe/s72f9X9TbtdbdeBc4/2bldw/77Xn 8wanudWjsZLeJALhBAoLxyYGRkVzHmL5fmZ+TO3djjPp9akkilix5sEyZBYbo2GQOp6d Kj6pRUr3+VzqeZYqcOVrXvY0Na1JNSeFo0ZNgIIb3rNp0aSTMFiikkJyQEQtnGM9B7j8 xTejsjAq6nDKwwQfcV101GC5Inm1ZVKjdSa3CiijpWhkLUN1GZbd0XqelSk7SNwK5UMN wxkHuPaiQmLPmK6AYyWUgDIyPzFZ1FGcHGT0ehvQnUo1Y1YLWLT+7U6CHxfb+Uvn2N2J MfMEQMM+xyKY/iTSJIHgfSrloXJZ42t0KsSckkZ5OeaxVhmdXZbeZlj++RExC8Z54445 qNTvZAoYmQZQBT8w9R69DXm/UY/8/PyPceb9fYfizfj8TaVCUMWl3SFFKKVgUbVJyQOe BwOKfL4vt/KbybK7MmPl3oAM+5ya59FeWF5o45HiT7zohKr9SOlNJ2lgQwKjJBU5AxnO PpzR9QW3tPyD+17WfsPxZHaxtFbojdR1qWnSxywbfPhli3fd8yMrn6ZFNr0qUYxgox2W h4WIqTq1ZVais5Nt/PUKKKdHHJM5SKKSVgMlY0LED1wKttLVmSTbshtdB4e1OzsbKSK5 lKO0pYDYx4wB2HtWDDHLcKxghllC8MY4y2PrgcURRyzxtJDDLLGv3mSMsB9SBWFeEKse Vux14WpUw8+aMb30Oz/4SDS/+fk/9+3/AMKP+Eg0v/n5P/ft/wDCuJRvMMYQMxkBKBVJ 3Y649ehoDZZVAbc2Co2nJz0wO+a5fqUP5ju/tOr/ACfmdt/wkGl/8/J/79v/AIVzviC8 gvdQWW3fegiC52kc5J7/AFrKLgIrkEK2dpIIBxwceuKkSGeQSFLedhGSrkRMdpHUHjit KWHhSkp8xlXxlWvB03Df19RtFIrBhlTkUV3HlC0UlFABRR3ooAKKKKQwooooAKKKSmAt JRRQAUUUGgAooooAKKKSgAooooGFFFFACUUUUAFFBooGFFFJQAUUUUAFFFFAwpKDRQAU lLSUAFFFFAwpKWkoAKKKKAEooooAKKKKBhSUUUDCiiigBKKKKAEooooGFJS0UwEooooG FJRRQAUUUUDEooooASiiigYlFFFABRRSUDCiikoGFFFFABSUUUDEooooAKSlooGJSUtJ TAKKKKQxKDRSUwCiiigYUlLSUAFJS0lAwoopKBhSUtFACUZoooGJRRRQAUlLSUDCiiko GFFFIaACiiigYGkoooAKSiigYd6SlpKBhRRRQCD3pKKKBhSUtJQMM0UflSUAH0o/Oiig AoopKBhRRRQAUn1opaBifjRRRQB06yyQ30MkTFWWOZgR2IiYiq1pfhJVeBxjUoJpFVTk xRiJiyn/ALacD/c96nngjnTbIMiq50u0Ix5defXw0qsm07XVjlwuNp0YKMo3s7lG6FwP DxtA5+3xRJJOuw7/ACM5C59VyGPHQj+6auaoJJtU1Cy0+S6kuJr4SEugVYiuQAmCc9eW OOAOKf8A2baeXs8vipEtIY4fKVcJ6VCwcr3b/rT/ACNpZlHltGJDJcB9Rtrm1mjFt++i WTbsVLracOcngMdrA9AMf3TTYba505raS+W4iEjGOYTKQGDAqx564znNTfYLb/nmKFsY FzgHHoTTjhZRum9yJ4+ErNKzRVdXjuL+xuZpEjtdM8qR4VEhEhlRmwMgHk469qsWjzXV 08yRytFiG3jLkb2O0KpbnqdufQetKNPtgABHwDkU6azhnxvB49DTp4aUHzX1FWx0KsfZ 8tl/VicMcISpUSAlc45wSD+oNNm/1L4/umo4LSK3JMYPPqanIyCD3rsjzW97c82bhze5 sVbm7WQxrO4AsLWGZ1JwZIjGuVHvuAH/AAP2pHu3k1E6jqT/AOiS2tsJdyFlaRkVhgDH 3Tlj7AjvQdNtSSTHyaE020RiwjGTXn/U5v7R7CzKkl8Oun4ENu0tlFDLqEt0buDVJZNs SAiVtiHBYkYU8cgHINNgS5TSmtS2NQnSSS1XYciP+NR6bsHH+6f71WorC3hl8xEw1K1l bsSWTJPemsFK2+onmceb4dCBLa6vlhuIfOazS2RY2iGViYKN4b+6d2Sc465qvqcso0Fr tH/eXMcdpgdcofnOP91Y/wDvo1d+wW4OQpH0NL9gty27ZzjFX9VlZK5nHHwjLmt/SG37 F9YvrO0a4mknv1Z/MQIqEZAC/Mc5LdTjoOKtAsU3+W23YZM5H3Q20nr68VCtrCkRiVcK ajXTbZGDANke9aUqM6MbRZjXxNOvK80/KxbHIzULwT3btai2uJraSSMu9v8AehYZAY9R twTnP5ipRwMVDPaxTnLgn8a2qwc4cpzYeqqVTmZELa8v0thYtNdRxKyboOQJvMbLH+7k bSCe2OeKd9st2uEkVn83+1JfIkR8RiURx/eGMlS/oRwc019OtnGAu33FK1ksszTXEkk8 rcF5GLN7cmuKWEm7K/8AW56cMwpRvLl+X4ECi4bQLOxUPFqjQy70I+aRBLJujX0bPOO4 GPY3LW4txq2mI9tdtJss/nWZQmSq4+XYT9efyqBdMtFBAj609LC3jiaNU+U9aI4Sa3YV MxpyvaJTM8s2n2Gmltq3EcpikY8RyiaTbk+h+6fwPatV45G1GV1tbqUxa1KfOib93B8s fzSDHKjrjK9DzVSLTbWJSFj4PWmjSbNTkR4qPqU7LX+ro0eaU22+UdYNItgJHBddjS+Y uMMobaWxn17VcYMkrxOpV0O1gexql/Zlr/dYfQ1YhhSBNqZx71304zjZS2PKrSpTblBO 7JKKKK1OYKKKKYBRRRQMKKKSkAtJRRTAKKKKACiiigAooooASiiigYUUUUAJRRRQAUUU UDCiikoAKKKKACiiigYUlFFABRRRQAUlFFABRRRQMSilpKACiikoAKKKKBhRRSUAFFFF AwpKWkoAKKSigYUUUUAFJRRTGFFFJQAUUUUgEooopjCkoooGFJS0lABRRRQMKSiigApK WkoGFFFFACUUUGgYlFFJ3oAWkoooGBpKWkoAKSlpKBhSUtJQMKKKKAEoNFFAxKKKKACk paSmMKKKSgAooooGJRRRQMKQ0tJQAlFFFAxKKWkoGFFFJQAUUUlAwooooAKSlpKBhRR2 pKACiiigYlFFFAwpKKKACiiigYUUntRQAUH6UcUdaACkpaPagYnTiiijigDqaKKKk8IK KKKACiiigAooooAKKKKACiijNABiiikoAXNFJRQAUUUUAFFFFABRRRSAKKKKYBRRRQMK KKKACiiigAooooAKKKSgBaSiigAooooAKKKKACiiigApKKKBhRRRQAUlFFABRRRQMKKK KACkoooAKKKKACiiigYlFFFABSUtFACUUUUDCiiigBKKKKACkpaSgAooooGJRRRQMKKK KACkpaSgApKWkoGFFFJQA
Jul 3, 2024 21:19:25.203557014 CEST	587	49714	148.66.136.151	192.168.2.6	421 Too many concurrent SMTP connections from this IP address; please try again later.
Jul 3, 2024 21:19:30.898694038 CEST	587	49715	148.66.136.151	192.168.2.6	220-sg2plzcpnl505494.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:19:30 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 21:19:30.898823977 CEST	49715	587	192.168.2.6	148.66.136.151	EHLO 124406
Jul 3, 2024 21:19:31.246018887 CEST	587	49715	148.66.136.151	192.168.2.6	250-sg2plzcpnl505494.prod.sin2.secureserver.net Hello 124406 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 21:19:31.251593113 CEST	49715	587	192.168.2.6	148.66.136.151	AUTH login aW5mb0BtYWhlc2gtZW50LmNvbQ==
Jul 3, 2024 21:19:31.600635052 CEST	587	49715	148.66.136.151	192.168.2.6	334 UGFzc3dvcmQ6
Jul 3, 2024 21:19:31.968595028 CEST	587	49715	148.66.136.151	192.168.2.6	235 Authentication succeeded
Jul 3, 2024 21:19:31.970128059 CEST	49715	587	192.168.2.6	148.66.136.151	MAIL FROM:<info@mahesh-ent.com>
Jul 3, 2024 21:19:32.317286968 CEST	587	49715	148.66.136.151	192.168.2.6	250 OK
Jul 3, 2024 21:19:32.319353104 CEST	49715	587	192.168.2.6	148.66.136.151	RCPT TO:<obtxxxtf@gmail.com>
Jul 3, 2024 21:19:32.709916115 CEST	587	49715	148.66.136.151	192.168.2.6	250 Accepted
Jul 3, 2024 21:19:32.710071087 CEST	49715	587	192.168.2.6	148.66.136.151	DATA
Jul 3, 2024 21:19:33.244626999 CEST	587	49715	148.66.136.151	192.168.2.6	354 Enter message, ending with "." on a line by itself
Jul 3, 2024 21:19:33.461951017 CEST	587	49715	148.66.136.151	192.168.2.6	354 Enter message, ending with "." on a line by itself
Jul 3, 2024 21:19:34.598710060 CEST	587	49716	148.66.136.151	192.168.2.6	220-sg2plzcpnl505494.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:19:34 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 21:19:34.598845959 CEST	49716	587	192.168.2.6	148.66.136.151	EHLO 124406
Jul 3, 2024 21:19:34.956429958 CEST	587	49716	148.66.136.151	192.168.2.6	250-sg2plzcpnl505494.prod.sin2.secureserver.net Hello 124406 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 21:19:34.956592083 CEST	49716	587	192.168.2.6	148.66.136.151	AUTH login aW5mb0BtYWhlc2gtZW50LmNvbQ==
Jul 3, 2024 21:19:35.308583021 CEST	587	49716	148.66.136.151	192.168.2.6	334 UGFzc3dvcmQ6
Jul 3, 2024 21:19:35.665596008 CEST	587	49716	148.66.136.151	192.168.2.6	235 Authentication succeeded
Jul 3, 2024 21:19:35.670042992 CEST	49716	587	192.168.2.6	148.66.136.151	MAIL FROM:<info@mahesh-ent.com>
Jul 3, 2024 21:19:36.021584988 CEST	587	49716	148.66.136.151	192.168.2.6	250 OK
Jul 3, 2024 21:19:36.026083946 CEST	49716	587	192.168.2.6	148.66.136.151	RCPT TO:<obtxxxtf@gmail.com>
Jul 3, 2024 21:19:36.414683104 CEST	587	49716	148.66.136.151	192.168.2.6	250 Accepted
Jul 3, 2024 21:19:36.414815903 CEST	49716	587	192.168.2.6	148.66.136.151	DATA
Jul 3, 2024 21:19:36.767528057 CEST	587	49716	148.66.136.151	192.168.2.6	354 Enter message, ending with "." on a line by itself
Jul 3, 2024 21:19:41.205794096 CEST	587	49717	148.66.136.151	192.168.2.6	421 Too many concurrent SMTP connections from this IP address; please try again later.
Jul 3, 2024 21:19:46.320918083 CEST	587	49718	148.66.136.151	192.168.2.6	421 Too many concurrent SMTP connections from this IP address; please try again later.
Jul 3, 2024 21:19:51.064815998 CEST	587	49719	148.66.136.151	192.168.2.6	220-sg2plzcpnl505494.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:19:50 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 21:19:51.064949036 CEST	49719	587	192.168.2.6	148.66.136.151	EHLO 124406
Jul 3, 2024 21:19:51.421468019 CEST	587	49719	148.66.136.151	192.168.2.6	250-sg2plzcpnl505494.prod.sin2.secureserver.net Hello 124406 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 21:19:51.426105976 CEST	49719	587	192.168.2.6	148.66.136.151	AUTH login aW5mb0BtYWhlc2gtZW50LmNvbQ==
Jul 3, 2024 21:19:51.781398058 CEST	587	49719	148.66.136.151	192.168.2.6	334 UGFzc3dvcmQ6
Jul 3, 2024 21:19:52.168433905 CEST	587	49719	148.66.136.151	192.168.2.6	235 Authentication succeeded
Jul 3, 2024 21:19:52.174422026 CEST	49719	587	192.168.2.6	148.66.136.151	MAIL FROM:<info@mahesh-ent.com>
Jul 3, 2024 21:19:52.529727936 CEST	587	49719	148.66.136.151	192.168.2.6	250 OK
Jul 3, 2024 21:19:52.529913902 CEST	49719	587	192.168.2.6	148.66.136.151	RCPT TO:<obtxxxtf@gmail.com>
Jul 3, 2024 21:19:52.928014040 CEST	587	49719	148.66.136.151	192.168.2.6	250 Accepted
Jul 3, 2024 21:19:52.928183079 CEST	49719	587	192.168.2.6	148.66.136.151	DATA
Jul 3, 2024 21:19:53.289176941 CEST	587	49719	148.66.136.151	192.168.2.6	354 Enter message, ending with "." on a line by itself
Jul 3, 2024 21:20:01.521787882 CEST	587	49721	148.66.136.151	192.168.2.6	220-sg2plzcpnl505494.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:20:01 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 21:20:01.521977901 CEST	49721	587	192.168.2.6	148.66.136.151	EHLO 124406
Jul 3, 2024 21:20:01.881588936 CEST	587	49721	148.66.136.151	192.168.2.6	250-sg2plzcpnl505494.prod.sin2.secureserver.net Hello 124406 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 21:20:01.883466005 CEST	49721	587	192.168.2.6	148.66.136.151	AUTH login aW5mb0BtYWhlc2gtZW50LmNvbQ==
Jul 3, 2024 21:20:02.237632990 CEST	587	49721	148.66.136.151	192.168.2.6	334 UGFzc3dvcmQ6
Jul 3, 2024 21:20:02.607398987 CEST	587	49721	148.66.136.151	192.168.2.6	235 Authentication succeeded
Jul 3, 2024 21:20:02.607568026 CEST	49721	587	192.168.2.6	148.66.136.151	MAIL FROM:<info@mahesh-ent.com>
Jul 3, 2024 21:20:03.823132992 CEST	587	49722	148.66.136.151	192.168.2.6	220-sg2plzcpnl505494.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:20:03 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 21:20:03.823666096 CEST	49722	587	192.168.2.6	148.66.136.151	EHLO 124406
Jul 3, 2024 21:20:04.170666933 CEST	587	49722	148.66.136.151	192.168.2.6	250-sg2plzcpnl505494.prod.sin2.secureserver.net Hello 124406 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 21:20:04.172276974 CEST	49722	587	192.168.2.6	148.66.136.151	AUTH login aW5mb0BtYWhlc2gtZW50LmNvbQ==
Jul 3, 2024 21:20:04.529757023 CEST	587	49722	148.66.136.151	192.168.2.6	334 UGFzc3dvcmQ6
Jul 3, 2024 21:20:04.883178949 CEST	587	49722	148.66.136.151	192.168.2.6	235 Authentication succeeded
Jul 3, 2024 21:20:04.883347034 CEST	49722	587	192.168.2.6	148.66.136.151	MAIL FROM:<info@mahesh-ent.com>
Jul 3, 2024 21:20:05.233011961 CEST	587	49722	148.66.136.151	192.168.2.6	250 OK
Jul 3, 2024 21:20:05.233273029 CEST	49722	587	192.168.2.6	148.66.136.151	RCPT TO:<obtxxxtf@gmail.com>
Jul 3, 2024 21:20:05.624604940 CEST	587	49722	148.66.136.151	192.168.2.6	250 Accepted
Jul 3, 2024 21:20:05.624789000 CEST	49722	587	192.168.2.6	148.66.136.151	DATA
Jul 3, 2024 21:20:05.971734047 CEST	587	49722	148.66.136.151	192.168.2.6	354 Enter message, ending with "." on a line by itself
Jul 3, 2024 21:20:10.380244017 CEST	587	49723	148.66.136.151	192.168.2.6	421 Too many concurrent SMTP connections from this IP address; please try again later.
Jul 3, 2024 21:20:12.454302073 CEST	587	49724	148.66.136.151	192.168.2.6	421 Too many concurrent SMTP connections from this IP address; please try again later.
Jul 3, 2024 21:20:22.144223928 CEST	587	49725	148.66.136.151	192.168.2.6	220-sg2plzcpnl505494.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:20:21 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 21:20:22.144921064 CEST	49725	587	192.168.2.6	148.66.136.151	EHLO 124406
Jul 3, 2024 21:20:22.496891022 CEST	587	49725	148.66.136.151	192.168.2.6	250-sg2plzcpnl505494.prod.sin2.secureserver.net Hello 124406 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 21:20:22.497031927 CEST	49725	587	192.168.2.6	148.66.136.151	AUTH login aW5mb0BtYWhlc2gtZW50LmNvbQ==
Jul 3, 2024 21:20:22.848830938 CEST	587	49725	148.66.136.151	192.168.2.6	334 UGFzc3dvcmQ6
Jul 3, 2024 21:20:23.409730911 CEST	587	49725	148.66.136.151	192.168.2.6	235 Authentication succeeded
Jul 3, 2024 21:20:23.409971952 CEST	49725	587	192.168.2.6	148.66.136.151	MAIL FROM:<info@mahesh-ent.com>
Jul 3, 2024 21:20:23.419549942 CEST	587	49725	148.66.136.151	192.168.2.6	235 Authentication succeeded
Jul 3, 2024 21:20:23.765284061 CEST	587	49725	148.66.136.151	192.168.2.6	250 OK
Jul 3, 2024 21:20:23.765521049 CEST	49725	587	192.168.2.6	148.66.136.151	RCPT TO:<obtxxxtf@gmail.com>
Jul 3, 2024 21:20:24.157167912 CEST	587	49725	148.66.136.151	192.168.2.6	250 Accepted
Jul 3, 2024 21:20:24.157366037 CEST	49725	587	192.168.2.6	148.66.136.151	DATA
Jul 3, 2024 21:20:24.508184910 CEST	587	49725	148.66.136.151	192.168.2.6	354 Enter message, ending with "." on a line by itself
Jul 3, 2024 21:20:24.530154943 CEST	49725	587	192.168.2.6	148.66.136.151	.
Jul 3, 2024 21:20:32.502252102 CEST	587	49725	148.66.136.151	192.168.2.6	250 OK id=1sP5Wi-005kNE-17
Jul 3, 2024 21:20:34.212184906 CEST	49725	587	192.168.2.6	148.66.136.151	QUIT
Jul 3, 2024 21:20:34.765074968 CEST	587	49725	148.66.136.151	192.168.2.6	221 sg2plzcpnl505494.prod.sin2.secureserver.net closing connection
Jul 3, 2024 21:20:35.663155079 CEST	587	49726	148.66.136.151	192.168.2.6	220-sg2plzcpnl505494.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:20:35 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 21:20:35.663542986 CEST	49726	587	192.168.2.6	148.66.136.151	EHLO 124406
Jul 3, 2024 21:20:36.010848999 CEST	587	49726	148.66.136.151	192.168.2.6	250-sg2plzcpnl505494.prod.sin2.secureserver.net Hello 124406 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 21:20:36.011029959 CEST	49726	587	192.168.2.6	148.66.136.151	AUTH login aW5mb0BtYWhlc2gtZW50LmNvbQ==
Jul 3, 2024 21:20:36.360214949 CEST	587	49726	148.66.136.151	192.168.2.6	334 UGFzc3dvcmQ6
Jul 3, 2024 21:20:36.725709915 CEST	587	49726	148.66.136.151	192.168.2.6	235 Authentication succeeded
Jul 3, 2024 21:20:36.753602028 CEST	49726	587	192.168.2.6	148.66.136.151	MAIL FROM:<info@mahesh-ent.com>
Jul 3, 2024 21:20:37.101125956 CEST	587	49726	148.66.136.151	192.168.2.6	250 OK
Jul 3, 2024 21:20:37.101326942 CEST	49726	587	192.168.2.6	148.66.136.151	RCPT TO:<obtxxxtf@gmail.com>
Jul 3, 2024 21:20:37.484868050 CEST	587	49726	148.66.136.151	192.168.2.6	250 Accepted
Jul 3, 2024 21:20:37.486350060 CEST	49726	587	192.168.2.6	148.66.136.151	DATA
Jul 3, 2024 21:20:37.832369089 CEST	587	49726	148.66.136.151	192.168.2.6	354 Enter message, ending with "." on a line by itself
Jul 3, 2024 21:20:49.076396942 CEST	587	49727	148.66.136.151	192.168.2.6	421 Too many concurrent SMTP connections from this IP address; please try again later.
Jul 3, 2024 21:20:59.250492096 CEST	587	49728	148.66.136.151	192.168.2.6	220-sg2plzcpnl505494.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:20:59 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 21:20:59.250686884 CEST	49728	587	192.168.2.6	148.66.136.151	EHLO 124406
Jul 3, 2024 21:20:59.609378099 CEST	587	49728	148.66.136.151	192.168.2.6	250-sg2plzcpnl505494.prod.sin2.secureserver.net Hello 124406 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 21:20:59.610409975 CEST	49728	587	192.168.2.6	148.66.136.151	AUTH login aW5mb0BtYWhlc2gtZW50LmNvbQ==
Jul 3, 2024 21:20:59.963426113 CEST	587	49728	148.66.136.151	192.168.2.6	334 UGFzc3dvcmQ6
Jul 3, 2024 21:21:00.330579996 CEST	587	49728	148.66.136.151	192.168.2.6	235 Authentication succeeded
Jul 3, 2024 21:21:00.330919027 CEST	49728	587	192.168.2.6	148.66.136.151	MAIL FROM:<info@mahesh-ent.com>
Jul 3, 2024 21:21:00.680464983 CEST	587	49728	148.66.136.151	192.168.2.6	250 OK
Jul 3, 2024 21:21:00.680619955 CEST	49728	587	192.168.2.6	148.66.136.151	RCPT TO:<obtxxxtf@gmail.com>
Jul 3, 2024 21:21:01.074122906 CEST	587	49728	148.66.136.151	192.168.2.6	250 Accepted
Jul 3, 2024 21:21:02.603584051 CEST	49728	587	192.168.2.6	148.66.136.151	DATA
Jul 3, 2024 21:21:03.594991922 CEST	587	49729	148.66.136.151	192.168.2.6	220-sg2plzcpnl505494.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 12:21:03 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.

Target ID:	0
Start time:	15:16:53
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\Arrival Notice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival Notice.exe"
Imagebase:	0x8d0000
File size:	1'246'208 bytes
MD5 hash:	954F20C5963FC61A5848F7BF9FEF6BA4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:16:54
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival Notice.exe"
Imagebase:	0x1b0000
File size:	1'246'208 bytes
MD5 hash:	954F20C5963FC61A5848F7BF9FEF6BA4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.2086913169.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:16:55
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival Notice.exe"
Imagebase:	0x9b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2226892130.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2226892130.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2226892130.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2226892130.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2224272082.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2224272082.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:17:07
Start date:	03/07/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Imagebase:	0x7ff736e00000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:17:08
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x1b0000
File size:	1'246'208 bytes
MD5 hash:	954F20C5963FC61A5848F7BF9FEF6BA4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.2225248989.0000000003950000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:17:09
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x460000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4531977929.000000000299B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.4531977929.000000000299B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	56

Executed Functions

Function 008D3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008D3B7A
IsDebuggerPresent.KERNEL32 ref: 008D3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,009962F8,009962E0,?,?), ref: 008D3BFD

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

Part of subcall function 008E0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,008D3C26,009962F8,?,?,?), ref: 008E0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 008D3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009893F0,00000010), ref: 0090D4BC
SetCurrentDirectoryW.KERNEL32(?,009962F8,?,?,?), ref: 0090D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00985D40,009962F8,?,?,?), ref: 0090D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0090D581

Part of subcall function 008D3A58: GetSysColorBrush.USER32(0000000F), ref: 008D3A62
Part of subcall function 008D3A58: LoadCursorW.USER32(00000000,00007F00), ref: 008D3A71
Part of subcall function 008D3A58: LoadIconW.USER32(00000063), ref: 008D3A88
Part of subcall function 008D3A58: LoadIconW.USER32(000000A4), ref: 008D3A9A
Part of subcall function 008D3A58: LoadIconW.USER32(000000A2), ref: 008D3AAC
Part of subcall function 008D3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008D3AD2
Part of subcall function 008D3A58: RegisterClassExW.USER32(?), ref: 008D3B28

Part of subcall function 008D39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008D3A15
Part of subcall function 008D39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008D3A36
Part of subcall function 008D39E7: ShowWindow.USER32(00000000,?,?), ref: 008D3A4A
Part of subcall function 008D39E7: ShowWindow.USER32(00000000,?,?), ref: 008D3A53

Part of subcall function 008D43DB: _memset.LIBCMT ref: 008D4401
Part of subcall function 008D43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008D44A6

Strings

This is a third-party compiled AutoIt script., xrefs: 0090D4B4
runas, xrefs: 0090D575

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 046def99229422ee071543f988b01af946ab4c8ca79663e8ef99edcc76d598ec
Instruction ID: 65c4441ae71927ce4f8751f39dc76e87115b3ee847cb3d26bfe90c2a2ead4fd2
Opcode Fuzzy Hash: 046def99229422ee071543f988b01af946ab4c8ca79663e8ef99edcc76d598ec
Instruction Fuzzy Hash: 1A510130A28248AECF11ABFCDC15EFD7B78FB44354B004267F461E23A1DA744A05EB22

Function 008D4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 008D4B2B

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

GetCurrentProcess.KERNEL32(?,0095FAEC,00000000,00000000,?), ref: 008D4BF8
IsWow64Process.KERNEL32(00000000), ref: 008D4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 008D4C45
FreeLibrary.KERNEL32(00000000), ref: 008D4C50
GetSystemInfo.KERNEL32(00000000), ref: 008D4C81
GetSystemInfo.KERNEL32(00000000), ref: 008D4C8D

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 07ee9f6c8fce4af37e5db3d13cf470ccd1c34eb12449ce7208ec946752317038
Instruction ID: 30e5809ee47b0a6bd790d3b694e101fefcb6d028a93846d456da0d63513c05f3
Opcode Fuzzy Hash: 07ee9f6c8fce4af37e5db3d13cf470ccd1c34eb12449ce7208ec946752317038
Instruction Fuzzy Hash: 9D91C23154ABC4DFC731DBA885611AABFE4FF36310B485A5FD0CA83B41D631A908D71A

Function 008D4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,008D4EEE,?,?,00000000,00000000), ref: 008D4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008D4EEE,?,?,00000000,00000000), ref: 008D5010
LoadResource.KERNEL32(?,00000000,?,?,008D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,008D4F8F), ref: 0090DD60
SizeofResource.KERNEL32(?,00000000,?,?,008D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,008D4F8F), ref: 0090DD75
LockResource.KERNEL32(008D4EEE,?,?,008D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,008D4F8F,00000000), ref: 0090DD88

Strings

SCRIPT, xrefs: 008D5006

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 1e92df45b76a691fb45a20654eae8e667f5d0dbb693c6833baf92772bb4a4e2a
Instruction ID: 34b49a38639d172716ae6060dd402b0f971d653e09ad65016ef3b6ee877ad76b
Opcode Fuzzy Hash: 1e92df45b76a691fb45a20654eae8e667f5d0dbb693c6833baf92772bb4a4e2a
Instruction Fuzzy Hash: E7115175240B01BFD7218B66DC58F677BB9FBC5722F108269F415C6290DB61DC009661

Function 00934696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0090E7C1), ref: 009346A6
FindFirstFileW.KERNELBASE(?,?), ref: 009346B7
FindClose.KERNEL32(00000000), ref: 009346C7

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 24bec2ce910477e1ac34f5ad72e0bbd9d01afc6a3d49ac9be373a6ff1b3ddae6
Instruction ID: f2b12f135d3a1f32f3a0395324f2d9441e840319271ca6560882ffc1ca8abd4d
Opcode Fuzzy Hash: 24bec2ce910477e1ac34f5ad72e0bbd9d01afc6a3d49ac9be373a6ff1b3ddae6
Instruction Fuzzy Hash: 4DE020364245005B52106B38EC5E4EA775CDE0737AF100715F935C20F0E7B06D509BD6

Function 008DE800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 0091428C

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: a7d5af7e56acf3d545324ecc846a4f34870c426cc6692663cc05f40f89ab774b
Instruction ID: 26d40d1534554d6b9181985715fe3d1c9cb30b9d4dda2c3d70b415465c441fc4
Opcode Fuzzy Hash: a7d5af7e56acf3d545324ecc846a4f34870c426cc6692663cc05f40f89ab774b
Instruction Fuzzy Hash: EAA28D74A04219DFCB24DF58C480AADB7B2FF58314F24866AE916EF351D730AD82DB91

Function 008E0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008E0BBB
timeGetTime.WINMM ref: 008E0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008E0FB3
TranslateMessage.USER32(?), ref: 008E0FC7
DispatchMessageW.USER32(?), ref: 008E0FD5
Sleep.KERNEL32(0000000A), ref: 008E0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 008E105A
DestroyWindow.USER32 ref: 008E1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008E1080
Sleep.KERNEL32(0000000A,?,?), ref: 009152AD
TranslateMessage.USER32(?), ref: 0091608A
DispatchMessageW.USER32(?), ref: 00916098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009160AC

Strings

@GUI_CTRLID, xrefs: 00915364
@GUI_WINHANDLE, xrefs: 009153B9
@COM_EVENTOBJ, xrefs: 0091591A
@GUI_CTRLHANDLE, xrefs: 0091540E
@TRAY_ID, xrefs: 00915BB9

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 7e05f53c489e2d4c7f631a03e99dcb97be4a90f5e6fb184aef47e72d79d028c6
Instruction ID: 29e733249e600054044a207c1a414cad46a33de9c6803bcb814bbca434b18dab
Opcode Fuzzy Hash: 7e05f53c489e2d4c7f631a03e99dcb97be4a90f5e6fb184aef47e72d79d028c6
Instruction Fuzzy Hash: 21B2B170608745DFD724DF28C884BAAB7E5FF85304F154A1EE49AC72A1DB75E884CB82

Function 009393DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009391E9: __time64.LIBCMT ref: 009391F3

Part of subcall function 008D5045: _fseek.LIBCMT ref: 008D505D

__wsplitpath.LIBCMT ref: 009394BE

Part of subcall function 008F432E: __wsplitpath_helper.LIBCMT ref: 008F436E

_wcscpy.LIBCMT ref: 009394D1
_wcscat.LIBCMT ref: 009394E4
__wsplitpath.LIBCMT ref: 00939509
_wcscat.LIBCMT ref: 0093951F
_wcscat.LIBCMT ref: 00939532

Part of subcall function 0093922F: _memmove.LIBCMT ref: 00939268
Part of subcall function 0093922F: _memmove.LIBCMT ref: 00939277

_wcscmp.LIBCMT ref: 00939479

Part of subcall function 009399BE: _wcscmp.LIBCMT ref: 00939AAE
Part of subcall function 009399BE: _wcscmp.LIBCMT ref: 00939AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009396DC
_wcsncpy.LIBCMT ref: 0093974F
DeleteFileW.KERNEL32(?,?), ref: 00939785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0093979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009397AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009397BE

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: a7f7e82769389d72edf0a743f758312f2d95664d98b486b0b62b12cc7665caf3
Instruction ID: 058a768ebc6bc619afb8df5ade86c353bda3256a94d06dac64a955c30262844e
Opcode Fuzzy Hash: a7f7e82769389d72edf0a743f758312f2d95664d98b486b0b62b12cc7665caf3
Instruction Fuzzy Hash: D1C11AB1D00219AADF21DFA5CC85AEEB7BDEF55310F0040AAF609E6251DB709A848F65

Function 008D3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008D3074
RegisterClassExW.USER32(00000030), ref: 008D309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008D30AF
InitCommonControlsEx.COMCTL32(?), ref: 008D30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008D30DC
LoadIconW.USER32(000000A9), ref: 008D30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008D3101

Strings

+, xrefs: 008D305D
TaskbarCreated, xrefs: 008D30A4
0, xrefs: 008D3056
AutoIt v3 GUI, xrefs: 008D3090

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 508ac4f71db86272ba8dca15723ca6c39734e9a936b19b7433d1c15805407092
Instruction ID: e4e35d238ed7d7793bbdd2c0111e3fdb0553e706ee85df8de6d0ddba84996522
Opcode Fuzzy Hash: 508ac4f71db86272ba8dca15723ca6c39734e9a936b19b7433d1c15805407092
Instruction Fuzzy Hash: D43167B1869309AFDB00CFA9D888ADDBBF4FB09321F14456AE580E62A0D3B50545DF40

Function 008D3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008D3074
RegisterClassExW.USER32(00000030), ref: 008D309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008D30AF
InitCommonControlsEx.COMCTL32(?), ref: 008D30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008D30DC
LoadIconW.USER32(000000A9), ref: 008D30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008D3101

Strings

+, xrefs: 008D305D
TaskbarCreated, xrefs: 008D30A4
0, xrefs: 008D3056
AutoIt v3 GUI, xrefs: 008D3090

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f7f94f568e6d296d4fd337928181ca79f69deb6e59801e9cbe7e6b75b39f2046
Instruction ID: baf5eb6fdea8638da360f0fa2c24518b506972c58e12d7920b1b5cf095d88bee
Opcode Fuzzy Hash: f7f94f568e6d296d4fd337928181ca79f69deb6e59801e9cbe7e6b75b39f2046
Instruction Fuzzy Hash: D921C5B1925318AFDB00DFAAE859BDDBBF4FB08721F04412AF910A62A0D7B14544AF91

Function 008D71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008D4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009962F8,?,008D37C0,?), ref: 008D4882

Part of subcall function 008F074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,008D72C5), ref: 008F0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008D7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0090ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0090ED32
RegCloseKey.ADVAPI32(?), ref: 0090ED70
_wcscat.LIBCMT ref: 0090EDC9

Strings

Include, xrefs: 0090ECE8, 0090ED29
Software\AutoIt v3\AutoIt, xrefs: 008D72FE
\Include\, xrefs: 008D72C5
\, xrefs: 0090EDEC

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: bae6e5e695b108416ae99c018e360649e7c92fa02ea3dc38f77162b7e7c57493
Instruction ID: bc26aac23ecf35724aeb333ef483531cb74305ef8f91e4c5642918f7f87d86bd
Opcode Fuzzy Hash: bae6e5e695b108416ae99c018e360649e7c92fa02ea3dc38f77162b7e7c57493
Instruction Fuzzy Hash: DE71397142C3059EC714EFA9D8819AFBBE8FF94750B44492FF455C32A1EB309948DB52

Function 008D3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008D3A62
LoadCursorW.USER32(00000000,00007F00), ref: 008D3A71
LoadIconW.USER32(00000063), ref: 008D3A88
LoadIconW.USER32(000000A4), ref: 008D3A9A
LoadIconW.USER32(000000A2), ref: 008D3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008D3AD2
RegisterClassExW.USER32(?), ref: 008D3B28

Part of subcall function 008D3041: GetSysColorBrush.USER32(0000000F), ref: 008D3074
Part of subcall function 008D3041: RegisterClassExW.USER32(00000030), ref: 008D309E
Part of subcall function 008D3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008D30AF
Part of subcall function 008D3041: InitCommonControlsEx.COMCTL32(?), ref: 008D30CC
Part of subcall function 008D3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008D30DC
Part of subcall function 008D3041: LoadIconW.USER32(000000A9), ref: 008D30F2
Part of subcall function 008D3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008D3101

Strings

AutoIt v3, xrefs: 008D3B17
0, xrefs: 008D3B06
#, xrefs: 008D3B0D

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5fddb846da06304ac978c4f54cf8f966eb8cac824c3215870b0e603e1caf5199
Instruction ID: 49fe1214780a85d9ca720035c74a11f90dd6839301e1624feb81dbc555853a04
Opcode Fuzzy Hash: 5fddb846da06304ac978c4f54cf8f966eb8cac824c3215870b0e603e1caf5199
Instruction Fuzzy Hash: 0C214B70929308AFEB109FA9EC09B9D7BB4FB08711F00016BE514E62A0D7BA5654AF85

Function 008D3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 008D36D2
KillTimer.USER32(?,00000001), ref: 008D36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008D371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008D372A
CreatePopupMenu.USER32 ref: 008D373E
PostQuitMessage.USER32(00000000), ref: 008D375F

Strings

TaskbarCreated, xrefs: 008D3725

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 14f748a20bf134979fc70a377891bb7602e6c940c563fcfb90007392d6a478e7
Instruction ID: aa9b73438e1f7ef0e7793f1a750888fc81604db408cab3af49360a98abae74ad
Opcode Fuzzy Hash: 14f748a20bf134979fc70a377891bb7602e6c940c563fcfb90007392d6a478e7
Instruction Fuzzy Hash: C941D6B2128609ABDF246B6CEC09B793759FB15351F14033BF502D63E1DB609A50B763

Function 008D3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 008D388F
/AutoIt3ExecuteScript, xrefs: 008D38CE
/AutoIt3OutputDebug, xrefs: 008D38A4
CMDLINERAW, xrefs: 008D380D
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 008D37C0
CMDLINE, xrefs: 008D3834
/AutoIt3ExecuteLine, xrefs: 008D38B9

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 274612324a05227a37b877f7097a84a6018f91221faae8684b689e3bc0addb05
Instruction ID: 3b7829bd75ef56b38949dc4d11d1e1eccf0ddaad1280c3d184659de63c00107f
Opcode Fuzzy Hash: 274612324a05227a37b877f7097a84a6018f91221faae8684b689e3bc0addb05
Instruction Fuzzy Hash: 69A13E7181022D9ACB14EBA9CC95AEEB778FF14304F44062BF412F7291EF745A09CB62

Function 014C0920 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 014C0965

Memory Dump Source

Source File: 00000000.00000002.2075623042.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_Arrival Notice.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: f14f9de835ecc13fa54ed53bd7e7f9b403717ceeb374af118e86ed26489192e9
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: A051FC79A50208FFEF60DFA4CC49FDE7778AF48B00F108659F609EB280DA7596458B60

Function 008D39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008D3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008D3A36
ShowWindow.USER32(00000000,?,?), ref: 008D3A4A
ShowWindow.USER32(00000000,?,?), ref: 008D3A53

Strings

AutoIt v3, xrefs: 008D3A0D, 008D3A12, 008D3A13
edit, xrefs: 008D3A30

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 6f1880598302b1f66b812f5d1ddf0d23d1fb61c2fc7832c7fed0353d93ad7154
Instruction ID: aeccae158ba1cbf6db4f402208213c1f38d717e6daf6f521afa81d08784e6d21
Opcode Fuzzy Hash: 6f1880598302b1f66b812f5d1ddf0d23d1fb61c2fc7832c7fed0353d93ad7154
Instruction Fuzzy Hash: 02F03A706252907EEA30572B6C18E2B2E7DD7CAF61F00002AB910E21B0C2A51800EAB0

Function 008D410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0090D5EC

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

_memset.LIBCMT ref: 008D418D
_wcscpy.LIBCMT ref: 008D41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008D41F1

Strings

Line: , xrefs: 0090D615

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: b5321a5859b2bfdfbafdf8a17b0b7242eb72a96deb5ea88f65f0dbeadd2ea2e6
Instruction ID: 75c497f6d32490c43be2084ba4cc09d18fd0b2959cd8ccdf764025c738ee6faf
Opcode Fuzzy Hash: b5321a5859b2bfdfbafdf8a17b0b7242eb72a96deb5ea88f65f0dbeadd2ea2e6
Instruction Fuzzy Hash: 2A316B71018318ABEB21EB68DC46FEA77E8FB44314F10461BB595D22A1EB74A648C793

Function 008F564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 008F56AB
_memcpy_s.LIBCMT ref: 008F571D
__read_nolock.LIBCMT ref: 008F577B
__filbuf.LIBCMT ref: 008F579E
_memset.LIBCMT ref: 008F57E2

Part of subcall function 008F8D68: __getptd_noexit.LIBCMT ref: 008F8D68

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: bdb2862f83c6b5eacb373f09f0aaa778903c3b0d64c1cedab98b821125e2928f
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 09519C30A00B0DDBDB24AEB9888467EB7A5FF50324F648629FB35D62D0DB749E518B50

Function 008D69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008D4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,009962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008D4F6F

_free.LIBCMT ref: 0090E68C
_free.LIBCMT ref: 0090E6D3

Part of subcall function 008D6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008D6D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0090E462
Bad directive syntax error, xrefs: 0090E6BB

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 7971f576260bff92e27a5b207d7c7e70f0e575f753d4cc3a2857406e9d435b5c
Instruction ID: 3acb943514eb9184b3e96c80ff158d0853392e97681444aa363808422f0be775
Opcode Fuzzy Hash: 7971f576260bff92e27a5b207d7c7e70f0e575f753d4cc3a2857406e9d435b5c
Instruction Fuzzy Hash: 46917A71910219AFCF14EFA8C8919EDB7B8FF19314F04496AF815EB2A1EB31A904CB51

Function 014C23B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 148fileCOMMON

Download Yara Rule

APIs

Part of subcall function 014C22A0: Sleep.KERNELBASE(000001F4), ref: 014C22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014C24C6

Strings

IVZM0OEL8NS77OJROJRE, xrefs: 014C2546, 014C2549

Memory Dump Source

Source File: 00000000.00000002.2075623042.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_Arrival Notice.jbxd

Similarity

API ID: CreateFileSleep
String ID: IVZM0OEL8NS77OJROJRE
API String ID: 2694422964-710978338
Opcode ID: 35e527c39a3aa43f0af6714174fa8bcdca8aa5117285a43698b09e7ba92667df
Instruction ID: 98ad075bf48677df056d7520224c67df9ae81aed1a8246bd517fae80b77d98f6
Opcode Fuzzy Hash: 35e527c39a3aa43f0af6714174fa8bcdca8aa5117285a43698b09e7ba92667df
Instruction Fuzzy Hash: 53518D74D04249EBEF11DBA4C814BEFBB79AF15700F00419DE209BB2C1DAB91B49CBA5

Function 008D35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008D35A1,SwapMouseButtons,00000004,?), ref: 008D35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008D35A1,SwapMouseButtons,00000004,?,?,?,?,008D2754), ref: 008D35F5
RegCloseKey.KERNELBASE(00000000,?,?,008D35A1,SwapMouseButtons,00000004,?,?,?,?,008D2754), ref: 008D3617

Strings

Control Panel\Mouse, xrefs: 008D35D2

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 85c61f71104f0d5ab62ce7a26a922b24e14aba1f6e6a09d28934e92e709c11da
Instruction ID: 804764dcfcb74642737a47b672f652d955bfdd014691c4c16d3d3a2adde21946
Opcode Fuzzy Hash: 85c61f71104f0d5ab62ce7a26a922b24e14aba1f6e6a09d28934e92e709c11da
Instruction Fuzzy Hash: E2113675554208BADB218FA5EC40EAAB7A8EF15750F00466AA805E7210D2719E40A761

Function 009397E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 008D5045: _fseek.LIBCMT ref: 008D505D

Part of subcall function 009399BE: _wcscmp.LIBCMT ref: 00939AAE
Part of subcall function 009399BE: _wcscmp.LIBCMT ref: 00939AC1

_free.LIBCMT ref: 0093992C
_free.LIBCMT ref: 00939933
_free.LIBCMT ref: 0093999E

Part of subcall function 008F2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,008F9C64), ref: 008F2FA9
Part of subcall function 008F2F95: GetLastError.KERNEL32(00000000,?,008F9C64), ref: 008F2FBB

_free.LIBCMT ref: 009399A6

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: df36c3426dd6e265e1db0e304713de782e3d80129478edafbc75fe112a6d8896
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: 92515EB1904618AFDF249F64DC81BAEBBB9FF48300F0004AEB209A7241DB715E80CF59

Function 008F493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008F49D0
__flush.LIBCMT ref: 008F49F0
__write.LIBCMT ref: 008F4A23
__flsbuf.LIBCMT ref: 008F4A51

Part of subcall function 008F8D68: __getptd_noexit.LIBCMT ref: 008F8D68

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 9c492d4103b7505e0a8d78f89dd2c50de655089cc70b774ca06f2060912c0b3e
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: E441C57070061E9BDF188E79C88097F7BA6FF80360B24913FEA55C7650EBB09D408B44

Function 008D73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0090EE62
GetOpenFileNameW.COMDLG32(?), ref: 0090EEAC

Part of subcall function 008D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008D48A1,?,?,008D37C0,?), ref: 008D48CE

Part of subcall function 008F09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008F09F4

Strings

X, xrefs: 0090EE7A

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 8e71eafcd0ae34627e50d6f6b0546d80ce5f38a866af76c0b036f12ce0ebbcb1
Instruction ID: f20f1ca4db76897d5304730f72856f8ad31001cd7370065c40b3883f6c1f1a0e
Opcode Fuzzy Hash: 8e71eafcd0ae34627e50d6f6b0546d80ce5f38a866af76c0b036f12ce0ebbcb1
Instruction Fuzzy Hash: 2B21A170A1425C9BCB15AF98C845BEE7BF9EF49314F04401AE508E7381EBB459898BA2

Function 0093901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00939036
__fread_nolock.LIBCMT ref: 0093904B

Strings

EA06, xrefs: 0093907D

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 178b69adbe34d62e4654bd5b7d0f7658db419c2b896f322ce68bba96d2471f67
Instruction ID: 4e3361c6787b9ef62e9d5a788e72db9a1445a7e17d5815bec52dee496958648f
Opcode Fuzzy Hash: 178b69adbe34d62e4654bd5b7d0f7658db419c2b896f322ce68bba96d2471f67
Instruction Fuzzy Hash: 6301F971914218AEDB28CAA8C81AFFE7BFCDB01311F00419AF652D2181E5B5E6048B60

Function 014C1000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014C1045
ExitProcess.KERNEL32(00000000), ref: 014C1064

Strings

D, xrefs: 014C1011

Memory Dump Source

Source File: 00000000.00000002.2075623042.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_Arrival Notice.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
Instruction ID: 547c3e8cb8f9b1d5d924af35bba46dac0961d721e8d91a578ae54143be19219a
Opcode Fuzzy Hash: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
Instruction Fuzzy Hash: BAF0ECB564024CABDB60DFE1CC49FEE777CBF14B01F008509FB0A9A180DEB896088B61

Function 00939B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00939B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00939B99

Strings

aut, xrefs: 00939B93

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 85d74e82d2a72f8069bfe6d069df91298fedd41871929506f221dd923fd8f336
Instruction ID: 7d713f400a7cf7bb8ca1f1ef499c2b876f0a36edd6abc1fc81dbea6d361765be
Opcode Fuzzy Hash: 85d74e82d2a72f8069bfe6d069df91298fedd41871929506f221dd923fd8f336
Instruction Fuzzy Hash: BDD05EBA54430DABDB10ABA0DC0EF9A772CE704705F0042A1BE64961A1DEB055989B92

Function 0094CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a514e78bdd931951d0de964344d7f71341d022cf2dfd8b95d665415fe981ad
Instruction ID: c426fa78a8d5c027f73e95040b127c105d4ad57b15ecfb5a54c8114e930e8d79
Opcode Fuzzy Hash: e2a514e78bdd931951d0de964344d7f71341d022cf2dfd8b95d665415fe981ad
Instruction Fuzzy Hash: 42F14875A083119FCB14DF28C480A6ABBE5FF88314F14892EF8A99B351D771E945CF82

Function 008DF8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 008F03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008F03D3
Part of subcall function 008F03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 008F03DB
Part of subcall function 008F03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008F03E6
Part of subcall function 008F03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008F03F1
Part of subcall function 008F03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 008F03F9
Part of subcall function 008F03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 008F0401

Part of subcall function 008E6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,008DFA90), ref: 008E62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008DFB2D
OleInitialize.OLE32(00000000), ref: 008DFBAA
CloseHandle.KERNEL32(00000000), ref: 009149F2

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: ab0852d4f05d4c9c25356c8ba59c1bf6431f9ce9a1c6b39a42e9993bd2e8ee59
Instruction ID: b27805b3a3d05d580d854c017278e4c12ab752c5308c7056fda188e9e4bb8564
Opcode Fuzzy Hash: ab0852d4f05d4c9c25356c8ba59c1bf6431f9ce9a1c6b39a42e9993bd2e8ee59
Instruction Fuzzy Hash: 9F81A8B09293408FC794EFBEE9516257BE8FB99748710862BE019C7372EB315444EF52

Function 008D43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008D4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 008D44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 008D44C3

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 58cf4007bc612f1ff67f957c9606ea4fa9d1536cdad9934abbc8aa4c75263263
Instruction ID: 97a2ac2ca79ee2514dfde02fcc367ee9c3234bb04eca69b758c1776452713a8d
Opcode Fuzzy Hash: 58cf4007bc612f1ff67f957c9606ea4fa9d1536cdad9934abbc8aa4c75263263
Instruction Fuzzy Hash: 36314F705097018FD720DF28D88469BBBF8FB48318F000A2FE59AC2351D775A984DB96

Function 008F594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 008F5963

Part of subcall function 008FA3AB: __NMSG_WRITE.LIBCMT ref: 008FA3D2
Part of subcall function 008FA3AB: __NMSG_WRITE.LIBCMT ref: 008FA3DC

__NMSG_WRITE.LIBCMT ref: 008F596A

Part of subcall function 008FA408: GetModuleFileNameW.KERNEL32(00000000,009943BA,00000104,?,00000001,00000000), ref: 008FA49A
Part of subcall function 008FA408: ___crtMessageBoxW.LIBCMT ref: 008FA548

Part of subcall function 008F32DF: ___crtCorExitProcess.LIBCMT ref: 008F32E5
Part of subcall function 008F32DF: ExitProcess.KERNEL32 ref: 008F32EE

Part of subcall function 008F8D68: __getptd_noexit.LIBCMT ref: 008F8D68

RtlAllocateHeap.NTDLL(01550000,00000000,00000001,00000000,?,?,?,008F1013,?), ref: 008F598F

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 39b2f4bb82a2beb44e32d76131c3710f4c4866a8a18e0f4863e56f5effa96b28
Instruction ID: 267b43581e772eea058b6edd5e3d877e34e403b5c0fb46bd1f10c6bc069f6265
Opcode Fuzzy Hash: 39b2f4bb82a2beb44e32d76131c3710f4c4866a8a18e0f4863e56f5effa96b28
Instruction Fuzzy Hash: 2201C031304A1EEEE6293B38EC52B3E7688FF41731F50002AF704DB181DAB09D019262

Function 00939B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,009397D2,?,?,?,?,?,00000004), ref: 00939B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009397D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00939B5B
CloseHandle.KERNEL32(00000000,?,009397D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00939B62

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: d5ad8748ad14edb44c1741664b5ff94e75cb1fd9bd41294965d1635041c41153
Instruction ID: 0b026bda8733539410518e969beec0e764b9bf90ef25af517d3b6b6320f69753
Opcode Fuzzy Hash: d5ad8748ad14edb44c1741664b5ff94e75cb1fd9bd41294965d1635041c41153
Instruction Fuzzy Hash: ACE08632195714B7E7212B55EC09FCA7B28AB05772F104120FB14A90E087B16511A798

Function 00938F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00938FA5

Part of subcall function 008F2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,008F9C64), ref: 008F2FA9
Part of subcall function 008F2F95: GetLastError.KERNEL32(00000000,?,008F9C64), ref: 008F2FBB

_free.LIBCMT ref: 00938FB6
_free.LIBCMT ref: 00938FC8

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: ad82ae1d5211528b9d835c16876d450dd44d75f72b8f842db3b389858b8bccb7
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 79E012A16197055ACA34A57CAD44AA367FEFF48350B18081DB509DB142DE24E8418965

Function 008DAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0091002B

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: ff0ee81ee8fb02ba88da43555742d905e4b92295e41f32a7726d5a7a0d09293f
Instruction ID: cdf31fe2089048c69eade474f722ff453aa8c019f67305d46835964a9d4e9476
Opcode Fuzzy Hash: ff0ee81ee8fb02ba88da43555742d905e4b92295e41f32a7726d5a7a0d09293f
Instruction Fuzzy Hash: 71224B74608255DFCB28DF14C494B6AB7E1FF84314F158A5EE8868B362DB71ED81CB82

Function 008D4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008D4E1A

Strings

EA06, xrefs: 0090DCF5

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: d1480dfb0bece9252020780bc119c08bdc40b0c8adbd38da152012cc6f816007
Instruction ID: 49c95feef1d8db1caec158e6706d9cc864da48a63d2e09aadaf40491cdfcfc64
Opcode Fuzzy Hash: d1480dfb0bece9252020780bc119c08bdc40b0c8adbd38da152012cc6f816007
Instruction Fuzzy Hash: 77418031A045587BDF115B68C8517BE7F66FF41324F685277E882DB382C5318D4087E2

Function 008D492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 008D4992

Part of subcall function 008F35AC: __lock.LIBCMT ref: 008F35B2
Part of subcall function 008F35AC: DecodePointer.KERNEL32(00000001,?,008D49A7,009281BC), ref: 008F35BE
Part of subcall function 008F35AC: EncodePointer.KERNEL32(?,?,008D49A7,009281BC), ref: 008F35C9

Part of subcall function 008D4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 008D4A73
Part of subcall function 008D4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008D4A88

Part of subcall function 008D3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008D3B7A
Part of subcall function 008D3B4C: IsDebuggerPresent.KERNEL32 ref: 008D3B8C
Part of subcall function 008D3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,009962F8,009962E0,?,?), ref: 008D3BFD
Part of subcall function 008D3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 008D3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008D49D2

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 53042549aff3a2d9ac37047317695e162d8a3faf2fd3e1c48f8ab9eae96672c2
Instruction ID: 0b4c13151cb48ec47527f15a3c0446e44e2bbaf1cf6d82b53466e6cb364d21f8
Opcode Fuzzy Hash: 53042549aff3a2d9ac37047317695e162d8a3faf2fd3e1c48f8ab9eae96672c2
Instruction Fuzzy Hash: 661167719283259BC700EF6DE80591AFFE8FB98710F00461BF095C32B2DB709645DB96

Function 008D5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,008D5981,?,?,?,?), ref: 008D5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,008D5981,?,?,?,?), ref: 0090E19C

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dbc84549fc81392be779bae6b61279dbcf94aaf9500e7c8e02c407421a666e15
Instruction ID: 5d836ada2f89eb735b0b582ecb48264db61009b38278205436b634ce4be5ce84
Opcode Fuzzy Hash: dbc84549fc81392be779bae6b61279dbcf94aaf9500e7c8e02c407421a666e15
Instruction Fuzzy Hash: A201B970244708BEF3241E14CC86F66379CFB01768F108316BAE59A2D0C6B01D458B50

Function 008F0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008F594C: __FF_MSGBANNER.LIBCMT ref: 008F5963
Part of subcall function 008F594C: __NMSG_WRITE.LIBCMT ref: 008F596A
Part of subcall function 008F594C: RtlAllocateHeap.NTDLL(01550000,00000000,00000001,00000000,?,?,?,008F1013,?), ref: 008F598F

std::exception::exception.LIBCMT ref: 008F102C
__CxxThrowException@8.LIBCMT ref: 008F1041

Part of subcall function 008F87DB: RaiseException.KERNEL32(?,?,?,0098BAF8,00000000,?,?,?,?,008F1046,?,0098BAF8,?,00000001), ref: 008F8830

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: bd0331d31de2d091c971f8ac8732bf92f961b90f51f7f53986cda8e7bd0ee3ab
Instruction ID: f17dee6cb09c5631cc56c86a9667e9efc22fd272c54adccbe2fb37f1ce411f16
Opcode Fuzzy Hash: bd0331d31de2d091c971f8ac8732bf92f961b90f51f7f53986cda8e7bd0ee3ab
Instruction Fuzzy Hash: E4F0863550471DE6CB24BB78EC159FE77A8FF40351F100415FA04D5691EFB18A808691

Function 008F582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 008F585C
__lock_file.LIBCMT ref: 008F587D

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: c402eb2891d3d6ef3a40d6455ad845942a6fad2aed42894494faad097ee7739e
Instruction ID: 086eacd7e62c5aa94e11be31e3fdebf5e29d12921cab6af8cf20e7fe3d49fb18
Opcode Fuzzy Hash: c402eb2891d3d6ef3a40d6455ad845942a6fad2aed42894494faad097ee7739e
Instruction Fuzzy Hash: 21012571800A0DEBCF11AF7D9C055AF7B61FF807A0F144225BB24DB161DB358A21DB52

Function 008F55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008F8D68: __getptd_noexit.LIBCMT ref: 008F8D68

__lock_file.LIBCMT ref: 008F561B

Part of subcall function 008F6E4E: __lock.LIBCMT ref: 008F6E71

__fclose_nolock.LIBCMT ref: 008F5626

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 283fd6977afd8f2b5d601dbe6c9ae0e727cfd2a1b2f1e0715889c7f9dc4c4c20
Instruction ID: be5b2b68dfdc3f33d9985655f70bccd93ae7edaa6416f3df4c797a428b5d23ad
Opcode Fuzzy Hash: 283fd6977afd8f2b5d601dbe6c9ae0e727cfd2a1b2f1e0715889c7f9dc4c4c20
Instruction Fuzzy Hash: BCF09071900A0CDADB20BF7D880277E67A1FF51734F658209A764EB1C1DF7C89019B56

Function 008E2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143ae99585cb1405023a964bc6e09b897b36951cb81fa8be4f211c7c60c22d0e
Instruction ID: 57570c703741d43402759911574f3f93d55350c1322f86feb58c121c9ce00335
Opcode Fuzzy Hash: 143ae99585cb1405023a964bc6e09b897b36951cb81fa8be4f211c7c60c22d0e
Instruction Fuzzy Hash: 5D514E35700618AFCF14EF68C991EAE77A9FF85314F148169F956EB392DA30ED008B52

Function 014C1070 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 014C08E0: GetFileAttributesW.KERNELBASE(?), ref: 014C08EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 014C119F

Memory Dump Source

Source File: 00000000.00000002.2075623042.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_Arrival Notice.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 167712b6dc10c101621f85d1ffa6e81ed773490ba9fcaaeac8f5aea481633851
Instruction ID: 37e6a5d234e6ba45a3d97bc695c35287c3b896986d26dcc156adc8546d09d7d8
Opcode Fuzzy Hash: 167712b6dc10c101621f85d1ffa6e81ed773490ba9fcaaeac8f5aea481633851
Instruction Fuzzy Hash: 5A519635A10209D7EF14EFA4C954BEF733AEF58700F0045ADA609E7290EB799B44CBA5

Function 008D5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 008D5CF6

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 85ca5bffb90f7c9a0e191670142fedda4cf357032f59d14cb17f570c44239756
Instruction ID: 227c865dc8abcf195d71a8af8e316022d7168475d7c38e59f68d53f3a9e03318
Opcode Fuzzy Hash: 85ca5bffb90f7c9a0e191670142fedda4cf357032f59d14cb17f570c44239756
Instruction Fuzzy Hash: 03313971A10B09AFCB18DF2DC484AADB7B6FF48320F14862BE819D3714D771A960DB91

Function 009100D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 009100E1

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8daaeee1b0ffb6836ae37b1e24e367442a657010052e21a22560cd9e76511527
Instruction ID: e0075fc5059a4d6eaa9b1fb6484534cbc6a71a32b6a50ab9f7983e88d8af3e77
Opcode Fuzzy Hash: 8daaeee1b0ffb6836ae37b1e24e367442a657010052e21a22560cd9e76511527
Instruction Fuzzy Hash: 2D412574608345DFDB24DF18C484B1ABBE0FF85318F19899DE8898B362C772E885CB52

Function 008D80D7 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008D8109

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: eb2710e5cb16ddfd39129744760223e1f4b56c2d8d4f4da250d44081183c863d
Instruction ID: 50b49aba2f187fea66efea9c511ff05f6c18e25dedafea083bcd49ee7237bcbe
Opcode Fuzzy Hash: eb2710e5cb16ddfd39129744760223e1f4b56c2d8d4f4da250d44081183c863d
Instruction Fuzzy Hash: 12111C75204605DFCB24DF28D481A16B7E9FF49354720C96EE98ACB761EB32E841CB50

Function 008D4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D4D13: FreeLibrary.KERNEL32(00000000,?), ref: 008D4D4D

Part of subcall function 008F548B: __wfsopen.LIBCMT ref: 008F5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,009962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008D4F6F

Part of subcall function 008D4CC8: FreeLibrary.KERNEL32(00000000), ref: 008D4D02

Part of subcall function 008D4DD0: _memmove.LIBCMT ref: 008D4E1A

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: f4ff276917c3e88e8c98e1920e056c3854d3717c64eac1619895e32ca8b6b07e
Instruction ID: a08eff7756b824965d64778023d065f4b246f730dc3c8a31c72c390b6f0f3afe
Opcode Fuzzy Hash: f4ff276917c3e88e8c98e1920e056c3854d3717c64eac1619895e32ca8b6b07e
Instruction Fuzzy Hash: 1C11E732650709ABCB20FF79DC12B6E77A9EF40711F10852AF541E63C1DEB19A059B92

Function 009101AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 009101BB

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5f0e1ceae91aeca820da1d5867614161225a378c67bb1e33fd9a6983cb7dedf2
Instruction ID: 8e7d18061a56adcc3ca9856fd7c1caba7c0a717b4b91875e59b46bf7adbca41b
Opcode Fuzzy Hash: 5f0e1ceae91aeca820da1d5867614161225a378c67bb1e33fd9a6983cb7dedf2
Instruction Fuzzy Hash: B82124B4608345DFCB28DF24C444A1ABBE0FF88714F158A69E98A87761D771E885CB53

Function 008D5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,008D5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 008D5D76

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 34e5eac6134ef8ae20b37bbc226e67131d3c1285ae637087ebdf8a33861faff0
Instruction ID: b3d52172fe7686ef59b8e43772f6e7102e7d3602a47f56b2de328371f18a6013
Opcode Fuzzy Hash: 34e5eac6134ef8ae20b37bbc226e67131d3c1285ae637087ebdf8a33861faff0
Instruction Fuzzy Hash: CD11F831204B059FE3208F15C484B66B7E6FB45764F148A2FE5AAC6A50D771E945CB60

Function 008F4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 008F4AD6

Part of subcall function 008F8D68: __getptd_noexit.LIBCMT ref: 008F8D68

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 351cee4260270f6338280a70cb88a8a6ee4f30eefa5038d83a1715a3e0632510
Instruction ID: 973550aaf5bb9fc1e293d5f5e1b0aa4f7156bd555fe9d36936fcfa55bdf689c4
Opcode Fuzzy Hash: 351cee4260270f6338280a70cb88a8a6ee4f30eefa5038d83a1715a3e0632510
Instruction Fuzzy Hash: B1F08131A4021DDBDF51AF788C063BF3665FF00325F144515B624EA1D1DB788961DB52

Function 008D4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,009962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008D4FDE

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4b63cdae1eb40ee5132f4d1de347fb9c58d59d9fa6fdf05a03745365832ceedd
Instruction ID: bf51add0f31b8c99e408a61c20a2c2e96e89ba395975355b0b7093fabbf13274
Opcode Fuzzy Hash: 4b63cdae1eb40ee5132f4d1de347fb9c58d59d9fa6fdf05a03745365832ceedd
Instruction Fuzzy Hash: 02F01571509B16CFCB349F64E494822BBE1FF043293209A3EE2D6C2720CB32A844DB41

Function 008F09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008F09F4

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 663271987e24e81dbfb9cab845d066cdd291f6d39291b5f98a5e5473fb6c4025
Instruction ID: 0318b5649dc554f4329fa6a7d7c441ee7959512091eca3f78adbbc412a3b35da
Opcode Fuzzy Hash: 663271987e24e81dbfb9cab845d066cdd291f6d39291b5f98a5e5473fb6c4025
Instruction Fuzzy Hash: 49E086769442285BC720E6589C05FFA77EDDF887A1F0401B6FC0CD7248E9649C818691

Function 00939129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0093914B

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 17620665e2a5fec3c0dc0d049dc559d5c66b32a9b895098fb025d73b2dd622b0
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: DBE092B0118B005FD7348A24D8507E373E4FB06315F00081CF29AD3341EBA278418B59

Function 014C08E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 014C08EB

Memory Dump Source

Source File: 00000000.00000002.2075623042.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_Arrival Notice.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: f9eb4952eee5ac742b1cd1f129e8fb6048587c3a6b386f1ef18e7e5ff3965641
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 58E08C79A0520CEBEBA0CBBC8808BEA77A8DB08720F00865AF91AC3290D5308A419754

Function 008D5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0090E16B,?,?,00000000), ref: 008D5DBF

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 676833b75e8f31f163c489cc65de0a9a18e2bedb7bef7a36dafc58d72d9616d1
Instruction ID: 6d029c92c3c850cbe6350de71a710d46f45d7e2c458e8633bb1d6493a4ed5ee3
Opcode Fuzzy Hash: 676833b75e8f31f163c489cc65de0a9a18e2bedb7bef7a36dafc58d72d9616d1
Instruction Fuzzy Hash: 8CD0C77465430CBFE710DB81DC46FAA777CD705721F100194FD0497690D6B27D509795

Function 014C08B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 014C08BB

Memory Dump Source

Source File: 00000000.00000002.2075623042.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_Arrival Notice.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 444ecb4afddfa3481016691fc5002bc086c1a5efa5fb5a8c72a8b2b76fb31938
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: A6D0A73490620CEBCB50CFB89C04ADB73A8DB04720F008759FD15D3281D63199449BA0

Function 008F548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 008F5496

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: ce350de4b08df158806ebca8a92aaed3a96e93d6cfab4538b195c443e53b488a
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: B9B092B684020C77DE012E96EC02A693F19AB50678F808020FB0C18162A673A6A0968E

Function 0093D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0093D46A

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5f2075110a62a938173e3e631d2c7b9205fedaabfbb14c4c799d37d576449e53
Instruction ID: 5b3945334d72eadb17cd4eb6a485290bc309fc81139bfb766abc85b69a915f50
Opcode Fuzzy Hash: 5f2075110a62a938173e3e631d2c7b9205fedaabfbb14c4c799d37d576449e53
Instruction Fuzzy Hash: 1F713E342057029FC714EF28D4A1A6AB7E4FF88314F044A6EF5969B3A2DB30A945CF52

Function 008F0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 008F0EF7

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 5562889b37bb5d786943582350b0b92e021a60243e2d7d11876119b5f1fb0ea0
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: D031D370A00109DFC718DF68D480969F7A6FF59300B648AA5E50ACB752DB31EDC1CF90

Function 014C229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014C22B1

Memory Dump Source

Source File: 00000000.00000002.2075623042.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_Arrival Notice.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: e462c82f5e774763a9338a5949e728ccfff39d87310478621136daff319d7521
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 83E0BF7494020EEFDB00EFA8D6496EE7BB4EF04711F1005A5FD05D7691DB709E548A62

Function 014C22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014C22B1

Memory Dump Source

Source File: 00000000.00000002.2075623042.00000000014C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c0000_Arrival Notice.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 749255ce209797948ae027d2e94c0d992cfa5ebd2acb84ef18c3932a6352e1d7
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 3AE0E67494020EDFDB00EFB8D6496AE7FB4EF04701F100165FD01D2281D6709D508A72

Non-executed Functions

Function 0095CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0095CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0095CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0095CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0095CF00
SendMessageW.USER32 ref: 0095CF29
_wcsncpy.LIBCMT ref: 0095CFA1
GetKeyState.USER32(00000011), ref: 0095CFC2
GetKeyState.USER32(00000009), ref: 0095CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0095CFE5
GetKeyState.USER32(00000010), ref: 0095CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0095D018
SendMessageW.USER32 ref: 0095D03F
SendMessageW.USER32(?,00001030,?,0095B602), ref: 0095D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0095D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0095D16E
SetCapture.USER32(?), ref: 0095D177
ClientToScreen.USER32(?,?), ref: 0095D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0095D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0095D203
ReleaseCapture.USER32 ref: 0095D20E
GetCursorPos.USER32(?), ref: 0095D248
ScreenToClient.USER32(?,?), ref: 0095D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0095D2B1
SendMessageW.USER32 ref: 0095D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0095D31C
SendMessageW.USER32 ref: 0095D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0095D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0095D37B
GetCursorPos.USER32(?), ref: 0095D39B
ScreenToClient.USER32(?,?), ref: 0095D3A8
GetParent.USER32(?), ref: 0095D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0095D431
SendMessageW.USER32 ref: 0095D462
ClientToScreen.USER32(?,?), ref: 0095D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0095D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0095D51A
SendMessageW.USER32 ref: 0095D53D
ClientToScreen.USER32(?,?), ref: 0095D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0095D5C3

Part of subcall function 008D25DB: GetWindowLongW.USER32(?,000000EB), ref: 008D25EC

GetWindowLongW.USER32(?,000000F0), ref: 0095D65F

Strings

F, xrefs: 0095D543
@GUI_DRAGID, xrefs: 0095D1AA

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: c4315db96fec00fcaaff03092e7ce02be2d2474ddc0092629eb58ff2f435ac5a
Instruction ID: 14ad9e8bb95413fdb2e7fe6fdb4d6547eb3d5d5a53180e7b8681b2b64318d71f
Opcode Fuzzy Hash: c4315db96fec00fcaaff03092e7ce02be2d2474ddc0092629eb58ff2f435ac5a
Instruction Fuzzy Hash: 7C42AF70109341AFDB25CF2AC894F6ABBF9FF48315F140519FA59872A0D7319C49DB92

Function 0095804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0095873F

Strings

%d/%02d/%02d, xrefs: 00958478

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: f76f0c6177d480094c1f2013240049c9e8623d20a22005782a52cf29d1e915d0
Instruction ID: 9eceaec5d12b85b48e4c8db9967502e9deac5b9073dbe3377b730c366b02f583
Opcode Fuzzy Hash: f76f0c6177d480094c1f2013240049c9e8623d20a22005782a52cf29d1e915d0
Instruction Fuzzy Hash: 8412CF71505208ABEB258F2ACC49FAF7BF8EF49312F204569F915EA2E1DF748945CB10

Function 008E710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008E75C2
_memset.LIBCMT ref: 008E76B1
_memmove.LIBCMT ref: 008E7C4B
_memmove.LIBCMT ref: 008E7E4F

Strings

Q\E, xrefs: 008E81C1
\b(?=\w), xrefs: 00923C34
DEFINE, xrefs: 009225AF
[:<:]], xrefs: 008E75F1
[:>:]], xrefs: 008E760A
\b(?<=\w), xrefs: 00923C41

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: f6554a290bb8575d8b195b770100ee5a0cd1f01c0f7725cecfe0dad9e1f94ba3
Instruction ID: d5a8845000bca7a29d9af94cdfd51b919674355986c0dd01440d0a3f7340e1c5
Opcode Fuzzy Hash: f6554a290bb8575d8b195b770100ee5a0cd1f01c0f7725cecfe0dad9e1f94ba3
Instruction Fuzzy Hash: 6F93C271A0422ADFDB24CF58D881BADB7B5FF48314F24856AE945EB384E7749E81CB40

Function 008D4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 008D4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0090DA8E
IsIconic.USER32(?), ref: 0090DA97
ShowWindow.USER32(?,00000009), ref: 0090DAA4
SetForegroundWindow.USER32(?), ref: 0090DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0090DAC4
GetCurrentThreadId.KERNEL32 ref: 0090DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0090DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0090DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0090DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0090DAF8
SetForegroundWindow.USER32(?), ref: 0090DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0090DB10
keybd_event.USER32(00000012,00000000), ref: 0090DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0090DB25
keybd_event.USER32(00000012,00000000), ref: 0090DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0090DB33
keybd_event.USER32(00000012,00000000), ref: 0090DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0090DB42
keybd_event.USER32(00000012,00000000), ref: 0090DB47
SetForegroundWindow.USER32(?), ref: 0090DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0090DB71

Strings

Shell_TrayWnd, xrefs: 0090DA89

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 20563ab8fd90f577c7f8c4934b3983dd1b117adb0be92c19828e5821e180e4c2
Instruction ID: 058aacbc49254b55261a0fce2e3f0087a32eeba7b1af0a5239b03d38fb2151a9
Opcode Fuzzy Hash: 20563ab8fd90f577c7f8c4934b3983dd1b117adb0be92c19828e5821e180e4c2
Instruction Fuzzy Hash: 20317071A95318BFEB206FA29C49F7F3E6CEB44B61F114025FA04EB1D0D6B05901BBA0

Function 00928858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00928CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00928D0D
Part of subcall function 00928CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00928D3A
Part of subcall function 00928CC3: GetLastError.KERNEL32 ref: 00928D47

_memset.LIBCMT ref: 0092889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009288ED
CloseHandle.KERNEL32(?), ref: 009288FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00928915
GetProcessWindowStation.USER32 ref: 0092892E
SetProcessWindowStation.USER32(00000000), ref: 00928938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00928952

Part of subcall function 00928713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00928851), ref: 00928728
Part of subcall function 00928713: CloseHandle.KERNEL32(?,?,00928851), ref: 0092873A

Strings

default, xrefs: 0092894D
winsta0, xrefs: 00928910
, xrefs: 009288AA

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 9c529aeeb3e6ef104745979b886fdd76ea2a618e6423c1e2d118b7370c8f3d6c
Instruction ID: 30198a170f9f04b1e56faf590e2e80e4fd6626464fd7947de5b2560af74187cf
Opcode Fuzzy Hash: 9c529aeeb3e6ef104745979b886fdd76ea2a618e6423c1e2d118b7370c8f3d6c
Instruction Fuzzy Hash: 3B814871902219AFDF11DFA4EC45AAFBBBCEF04315F08416AF910A6265DF318A159B60

Function 0094425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0095F910), ref: 00944284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00944292
GetClipboardData.USER32(0000000D), ref: 0094429A
CloseClipboard.USER32 ref: 009442A6
GlobalLock.KERNEL32(00000000), ref: 009442C2
CloseClipboard.USER32 ref: 009442CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 009442E1
IsClipboardFormatAvailable.USER32(00000001), ref: 009442EE
GetClipboardData.USER32(00000001), ref: 009442F6
GlobalLock.KERNEL32(00000000), ref: 00944303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00944337
CloseClipboard.USER32 ref: 00944447

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 980377ac79ec7a7398a760a84479f496b9a48b8041dcb8b880b5417f59e1916b
Instruction ID: 829164c59e7cfe094d2954b983b4e0a0d346dde53b4c0441dd33680d737f2e96
Opcode Fuzzy Hash: 980377ac79ec7a7398a760a84479f496b9a48b8041dcb8b880b5417f59e1916b
Instruction Fuzzy Hash: 6751A171208306ABD310EF65ECA5F7F77A8BF84B11F00462AF556D22A1DF70D9049B62

Function 0093C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0093C9F8
FindClose.KERNEL32(00000000), ref: 0093CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0093CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0093CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0093CAAF
__swprintf.LIBCMT ref: 0093CAFB
__swprintf.LIBCMT ref: 0093CB3E

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

__swprintf.LIBCMT ref: 0093CB92

Part of subcall function 008F38D8: __woutput_l.LIBCMT ref: 008F3931

__swprintf.LIBCMT ref: 0093CBE0

Part of subcall function 008F38D8: __flsbuf.LIBCMT ref: 008F3953
Part of subcall function 008F38D8: __flsbuf.LIBCMT ref: 008F396B

__swprintf.LIBCMT ref: 0093CC2F
__swprintf.LIBCMT ref: 0093CC7E
__swprintf.LIBCMT ref: 0093CCCD

Strings

%4d, xrefs: 0093CB38
%02d, xrefs: 0093CB86, 0093CB90, 0093CBDE, 0093CC2D, 0093CC7C, 0093CCCB
%4d%02d%02d%02d%02d%02d, xrefs: 0093CAF5

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: c9903bcd93424a867fc5090ede8d5755021237eaddaf09ed2d6bcc1c1527408b
Instruction ID: c27a90bfcd4eb9ed5b1aad85bb3a3ab8013bec405cd186e925982f48921c3122
Opcode Fuzzy Hash: c9903bcd93424a867fc5090ede8d5755021237eaddaf09ed2d6bcc1c1527408b
Instruction Fuzzy Hash: FBA142B2418315ABC710EB68C895DAFB7ECFF94704F404A2AF595D3291EA34DA04CB63

Function 0093F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0093F221
_wcscmp.LIBCMT ref: 0093F236
_wcscmp.LIBCMT ref: 0093F24D
GetFileAttributesW.KERNEL32(?), ref: 0093F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0093F279
FindNextFileW.KERNEL32(00000000,?), ref: 0093F291
FindClose.KERNEL32(00000000), ref: 0093F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0093F2B8
_wcscmp.LIBCMT ref: 0093F2DF
_wcscmp.LIBCMT ref: 0093F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0093F308
SetCurrentDirectoryW.KERNEL32(0098A5A0), ref: 0093F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0093F330
FindClose.KERNEL32(00000000), ref: 0093F33D
FindClose.KERNEL32(00000000), ref: 0093F34F

Strings

*.*, xrefs: 0093F2B3

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 191efdcdd44f7733e4b614890f414a32674627a5e12d8e965e3dc036aef34923
Instruction ID: 8461ac7b01615347816d8a0bad5181ef4e943ad64c89d5c39bcf4630e598e0c9
Opcode Fuzzy Hash: 191efdcdd44f7733e4b614890f414a32674627a5e12d8e965e3dc036aef34923
Instruction Fuzzy Hash: E531B276900219AADF10EBB5DC68AEF73ACAF483A1F100176F914D31A0EB34DA45DF50

Function 00950AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00950BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0095F910,00000000,?,00000000,?,?), ref: 00950C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00950C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00950D1D
RegCloseKey.ADVAPI32(?), ref: 0095103D
RegCloseKey.ADVAPI32(00000000), ref: 0095104A

Strings

REG_DWORD, xrefs: 00950F0E
REG_MULTI_SZ, xrefs: 00950E05
REG_BINARY, xrefs: 00950FD8
REG_QWORD, xrefs: 00950F8B
REG_SZ, xrefs: 00950D5B
REG_EXPAND_SZ, xrefs: 00950CBA

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: c9fe3a2aa4300b17687cf7e571d900618982f4247707adbce652f9c8ba8a54af
Instruction ID: c43a452364a1ae5850e93eb7970d03fc380388dbb9e86c63359b3199ee5d9862
Opcode Fuzzy Hash: c9fe3a2aa4300b17687cf7e571d900618982f4247707adbce652f9c8ba8a54af
Instruction Fuzzy Hash: 50025F75204611AFCB14EF29C895E2AB7E5FF89714F04895DF9899B3A2CB30EC44CB42

Function 0093F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0093F37E
_wcscmp.LIBCMT ref: 0093F393
_wcscmp.LIBCMT ref: 0093F3AA

Part of subcall function 009345C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009345DC

FindNextFileW.KERNEL32(00000000,?), ref: 0093F3D9
FindClose.KERNEL32(00000000), ref: 0093F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0093F400
_wcscmp.LIBCMT ref: 0093F427
_wcscmp.LIBCMT ref: 0093F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0093F450
SetCurrentDirectoryW.KERNEL32(0098A5A0), ref: 0093F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0093F478
FindClose.KERNEL32(00000000), ref: 0093F485
FindClose.KERNEL32(00000000), ref: 0093F497

Strings

*.*, xrefs: 0093F3FB

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 562cf2674d2d4b4ee61eed27b1e62412193d33f2f0ca89129c70a423a16dcee7
Instruction ID: 385f3f936b3fe071c017cf7447c746325f29cc884df6aba658f8ecbd0b1f8606
Opcode Fuzzy Hash: 562cf2674d2d4b4ee61eed27b1e62412193d33f2f0ca89129c70a423a16dcee7
Instruction Fuzzy Hash: 5931C2729012196ADB10AB65ECACAEF77AC9F49365F200175F914E31B0DB34DE84DF60

Function 009281F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0092874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00928766
Part of subcall function 0092874A: GetLastError.KERNEL32(?,0092822A,?,?,?), ref: 00928770
Part of subcall function 0092874A: GetProcessHeap.KERNEL32(00000008,?,?,0092822A,?,?,?), ref: 0092877F
Part of subcall function 0092874A: HeapAlloc.KERNEL32(00000000,?,0092822A,?,?,?), ref: 00928786
Part of subcall function 0092874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0092879D

Part of subcall function 009287E7: GetProcessHeap.KERNEL32(00000008,00928240,00000000,00000000,?,00928240,?), ref: 009287F3
Part of subcall function 009287E7: HeapAlloc.KERNEL32(00000000,?,00928240,?), ref: 009287FA
Part of subcall function 009287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00928240,?), ref: 0092880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0092825B
_memset.LIBCMT ref: 00928270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0092828F
GetLengthSid.ADVAPI32(?), ref: 009282A0
GetAce.ADVAPI32(?,00000000,?), ref: 009282DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009282F9
GetLengthSid.ADVAPI32(?), ref: 00928316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00928325
HeapAlloc.KERNEL32(00000000), ref: 0092832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0092834D
CopySid.ADVAPI32(00000000), ref: 00928354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00928385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009283AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009283BF

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 9ee18397c5c45e0c2331a7764782a7428876ec3604c56e95501c8b0b43564e7c
Instruction ID: e6e730f4d6fb5248252aec7a5d76be97ad09da0d00115daa63acff7a510c5ed6
Opcode Fuzzy Hash: 9ee18397c5c45e0c2331a7764782a7428876ec3604c56e95501c8b0b43564e7c
Instruction Fuzzy Hash: AF616A71905219EFDF00DFA5EC98AEEBBB9FF04710F188129F815A7291DB319A05DB60

Function 008E6843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

ANYCRLF), xrefs: 00921734
LIMIT_MATCH=, xrefs: 009215A9
BSR_UNICODE), xrefs: 00921771
LF), xrefs: 009216DD
ANY), xrefs: 00921717
UTF), xrefs: 00921533
LIMIT_RECURSION=, xrefs: 00921635
BSR_ANYCRLF), xrefs: 00921757
CRLF), xrefs: 009216FA
UTF16), xrefs: 00921508
CR), xrefs: 009216C0
NO_START_OPT), xrefs: 00921588
NO_AUTO_POSSESS), xrefs: 00921567
UCP), xrefs: 00921546

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: d2429f5dc1fa859d8c01f4adcd3fc8dca81174f4835cbaa3b6ec18e61aaafa42
Instruction ID: 2cb210ca25d5eb902f4529add3bcf9679f135e71f96bde00bb37ce117b0d8ef6
Opcode Fuzzy Hash: d2429f5dc1fa859d8c01f4adcd3fc8dca81174f4835cbaa3b6ec18e61aaafa42
Instruction Fuzzy Hash: B172A271E00269DBDB24DF59D8807AEB7F5FF69310F14816AE849EB284E7309D91CB90

Function 00950665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00950038,?,?), ref: 009510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00950737

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009507D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0095086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00950AAD
RegCloseKey.ADVAPI32(00000000), ref: 00950ABA

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 0d684e58bec188d835ba387d4f783ec88c62dd7b0f090dff091e1ff2452bb2fb
Instruction ID: 2fc98319bc2b73ec4307b94dd4a6980fa76617befbc8545854c092d2fb8f22d1
Opcode Fuzzy Hash: 0d684e58bec188d835ba387d4f783ec88c62dd7b0f090dff091e1ff2452bb2fb
Instruction Fuzzy Hash: 7AE13171604310AFCB14DF29C895E6ABBE8FF89714F04896DF899D7262DA30ED05CB52

Function 00930219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00930241
GetAsyncKeyState.USER32(000000A0), ref: 009302C2
GetKeyState.USER32(000000A0), ref: 009302DD
GetAsyncKeyState.USER32(000000A1), ref: 009302F7
GetKeyState.USER32(000000A1), ref: 0093030C
GetAsyncKeyState.USER32(00000011), ref: 00930324
GetKeyState.USER32(00000011), ref: 00930336
GetAsyncKeyState.USER32(00000012), ref: 0093034E
GetKeyState.USER32(00000012), ref: 00930360
GetAsyncKeyState.USER32(0000005B), ref: 00930378
GetKeyState.USER32(0000005B), ref: 0093038A

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4f917f632f07b0f260cf14d422ddc5956073888951a2dd71f082f7d9e35083b3
Instruction ID: 6326b42d775799a1dda46e320bd05ba73825e244d91766c5dab46e004a4d03e6
Opcode Fuzzy Hash: 4f917f632f07b0f260cf14d422ddc5956073888951a2dd71f082f7d9e35083b3
Instruction Fuzzy Hash: 3A41B9645087C96EFF319A6488283B6BEA9BF92340F08409DD5D6471C2EBD55DC4CFA2

Function 009486D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

CoInitialize.OLE32 ref: 00948718
CoUninitialize.OLE32 ref: 00948723
CoCreateInstance.OLE32(?,00000000,00000017,00962BEC,?), ref: 00948783
IIDFromString.OLE32(?,?), ref: 009487F6
VariantInit.OLEAUT32(?), ref: 00948890
VariantClear.OLEAUT32(?), ref: 009488F1

Strings

Failed to create object, xrefs: 0094878E, 00948844
NULL Pointer assignment, xrefs: 009487C8
Invalid parameter, xrefs: 0094880F

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: c97c22c2cc5cf653f62eb4292459441113af5f9d7639e4613ab2b140afd171c8
Instruction ID: 3924aabd4e059e730fb84b1f8b8ce5a3c4bd333f8c29c577208e9de06464d771
Opcode Fuzzy Hash: c97c22c2cc5cf653f62eb4292459441113af5f9d7639e4613ab2b140afd171c8
Instruction Fuzzy Hash: 37616770608301AFD710DF64C898E6FBBE8AF88714F10491AF9959B391DB74ED48CB92

Function 00944458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0094447F
EmptyClipboard.USER32 ref: 00944485
GlobalAlloc.KERNEL32(00000002,?), ref: 0094449A
CloseClipboard.USER32 ref: 00944539

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e89b880b2c9b20db2b0759dab93f62ac2f7ce94a0c1f229a5a1848914778e1d2
Instruction ID: e1322b11137598c9c3ca75d4520d03a0bc0f51181492293b75d86667c6315b4a
Opcode Fuzzy Hash: e89b880b2c9b20db2b0759dab93f62ac2f7ce94a0c1f229a5a1848914778e1d2
Instruction Fuzzy Hash: E321AE35215224AFDB10AF25EC19F6E7BA8FF44722F10802AF946DB2B1CB35AC00DB55

Function 00933A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008D48A1,?,?,008D37C0,?), ref: 008D48CE

Part of subcall function 00934CD3: GetFileAttributesW.KERNEL32(?,00933947), ref: 00934CD4

FindFirstFileW.KERNEL32(?,?), ref: 00933ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00933B87
MoveFileW.KERNEL32(?,?), ref: 00933B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00933BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00933BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00933BF5

Strings

\*.*, xrefs: 00933A8A, 00933A93, 00933AA8

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 58a4eb2c08ce903590edc017e5216d1e9917790a87fb084a2802c89b0c029297
Instruction ID: ea5e4b567d3f0b6a9ce3f2b1499de0b4b4d9c4e74f7ea706c26436f1ed370517
Opcode Fuzzy Hash: 58a4eb2c08ce903590edc017e5216d1e9917790a87fb084a2802c89b0c029297
Instruction Fuzzy Hash: C55160318452599ACF15EBA4CD929FDB7B9EF14300F64826AE442B7191EF306F09CF61

Function 008E4140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

ERCP, xrefs: 008E421F
VUUU, xrefs: 00917B0C
VUUU, xrefs: 008E44DB
%s%u, xrefs: 008E42A9
VUUU, xrefs: 008E44ED
VUUU, xrefs: 008E4520

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID: %s%u$ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-2149088777
Opcode ID: f8f13be8e42c035ef07eb6fe6b2f081b392b0a41965f2b8a8f3da4b5d7fc2299
Instruction ID: 474b097fe9709529bd1e0a15d341f54804d27cd93056f1a838f1bf80cb978821
Opcode Fuzzy Hash: f8f13be8e42c035ef07eb6fe6b2f081b392b0a41965f2b8a8f3da4b5d7fc2299
Instruction Fuzzy Hash: 8DA27A74A0425E8BDF24CF59C9807EEB7B1FB56314F2491AAD85AE7280D7309EC5DB80

Function 0093F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0093F6AB
Sleep.KERNEL32(0000000A), ref: 0093F6DB
_wcscmp.LIBCMT ref: 0093F6EF
_wcscmp.LIBCMT ref: 0093F70A
FindNextFileW.KERNEL32(?,?), ref: 0093F7A8
FindClose.KERNEL32(00000000), ref: 0093F7BE

Strings

*.*, xrefs: 0093F690

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 385613d298e23acaafc5039d93693a3d1ab5f8cb60430e4175a045866912647e
Instruction ID: 5f9de1f7afcfa30623b9828b0faad4a949b430658d3b0c3829752c6609bd9414
Opcode Fuzzy Hash: 385613d298e23acaafc5039d93693a3d1ab5f8cb60430e4175a045866912647e
Instruction Fuzzy Hash: 6F416D71D0421A9BDF11EF64CC95EEEBBB8FF05314F144566E819A22A0EB309E44CF91

Function 008E58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008E5A05
_memmove.LIBCMT ref: 008E5A55
_memmove.LIBCMT ref: 008E5ABB

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 81838ef3d76e79c1f1a51575f63aea7ee2c2eeb6556c5bb80011b00187dc9887
Instruction ID: e333aaee721e609c57b45a4aff371045eedc09e536e5d7a92461db0bb6ef30a9
Opcode Fuzzy Hash: 81838ef3d76e79c1f1a51575f63aea7ee2c2eeb6556c5bb80011b00187dc9887
Instruction Fuzzy Hash: E212BB70A00619DFDF14DFA9D981AAEB7F5FF88304F104229E406E7296EB35AD11CB51

Function 0093545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00928CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00928D0D
Part of subcall function 00928CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00928D3A
Part of subcall function 00928CC3: GetLastError.KERNEL32 ref: 00928D47

ExitWindowsEx.USER32(?,00000000), ref: 0093549B

Strings

SeShutdownPrivilege, xrefs: 0093546B
, xrefs: 00935489
@, xrefs: 0093548E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: ac19edf39cc9dd1d5ba1b2c6933349d848efad085edc48f72bb567f087e4a893
Instruction ID: 36d5b986a4e6b5e8950304ba3fa1229cd3290aa03f02298350abca22654376de
Opcode Fuzzy Hash: ac19edf39cc9dd1d5ba1b2c6933349d848efad085edc48f72bb567f087e4a893
Instruction Fuzzy Hash: 9F01F7316A5B116AE72C6774EC4EBBB729CEB48353F250521FD47D20E3EA945C808A90

Function 00946596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009465EF
WSAGetLastError.WSOCK32(00000000), ref: 009465FE
bind.WSOCK32(00000000,?,00000010), ref: 0094661A
listen.WSOCK32(00000000,00000005), ref: 00946629
WSAGetLastError.WSOCK32(00000000), ref: 00946643
closesocket.WSOCK32(00000000,00000000), ref: 00946657

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: bfddb2b2b03f992b2eeebbb9d557500f6487fc4a12c017d9df210a1ff5d51781
Instruction ID: 64e7cb7f1850f2e7a4d391becbc31b813ec6a7d8bf882aca474b1933fb54d62b
Opcode Fuzzy Hash: bfddb2b2b03f992b2eeebbb9d557500f6487fc4a12c017d9df210a1ff5d51781
Instruction Fuzzy Hash: 21219E71200210AFCB10AF28D859F6EB7A9EF49721F15825AF956E73D1CB70AD01DB52

Function 008E5680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 008F0FF6: std::exception::exception.LIBCMT ref: 008F102C
Part of subcall function 008F0FF6: __CxxThrowException@8.LIBCMT ref: 008F1041

_memmove.LIBCMT ref: 0092062F
_memmove.LIBCMT ref: 00920744
_memmove.LIBCMT ref: 009207EB

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 37cfc808d3f551a3c9980c0a4be73e25358751f8a75bc3e2f4197341451c829c
Instruction ID: 149bf06bd884185c3646c306f479399120ab2c0668eeef393e4c471b067a67e2
Opcode Fuzzy Hash: 37cfc808d3f551a3c9980c0a4be73e25358751f8a75bc3e2f4197341451c829c
Instruction Fuzzy Hash: 6C029F70A00219DFDF04DF69E981AAE7BB5FF84304F148069E806DB396EB35DA54CB91

Function 008D1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 008D19FA
GetSysColor.USER32(0000000F), ref: 008D1A4E
SetBkColor.GDI32(?,00000000), ref: 008D1A61

Part of subcall function 008D1290: DefDlgProcW.USER32(?,00000020,?), ref: 008D12D8

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 9bdecfb8912e7fd60ed44b4007fbd47173bdffaca32a0fbf1ecfe27aebba7553
Instruction ID: fabf5b1bc1af014d2824ec947adc0b863d91199c18926d99ff70efadb9857803
Opcode Fuzzy Hash: 9bdecfb8912e7fd60ed44b4007fbd47173bdffaca32a0fbf1ecfe27aebba7553
Instruction Fuzzy Hash: E0A125B1115668BEEE28AA2E9C5CE7B379CFF82746B14031BF442D63D5CA148C0192B2

Function 00946A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009480A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009480CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00946AB1
WSAGetLastError.WSOCK32(00000000), ref: 00946ADA
bind.WSOCK32(00000000,?,00000010), ref: 00946B13
WSAGetLastError.WSOCK32(00000000), ref: 00946B20
closesocket.WSOCK32(00000000,00000000), ref: 00946B34

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 172cb61f565d45c73981dcdce1c6d92a171d0c4b35d1acc0297330d58dc54e1f
Instruction ID: f51def1013c581f8cf17604f845ca88ca58eeaa15878c3104d8282eed46c712b
Opcode Fuzzy Hash: 172cb61f565d45c73981dcdce1c6d92a171d0c4b35d1acc0297330d58dc54e1f
Instruction Fuzzy Hash: E541D775740210AFEB10BF28DC86F6E77A9EB45720F04815EF956EB3C2DA705D008B92

Function 009555FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0095564C
IsWindowEnabled.USER32 ref: 0095565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00955667
IsIconic.USER32 ref: 00955675
IsZoomed.USER32 ref: 00955683

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: da1a48f3bb720c6b0d4ad77ba99bd88fbd9f57314301d0545feea4f4fabf05e4
Instruction ID: f8e7b93c5d05f2fc18daf6d74174b1d7e79f7afd0e4ae5168ec2a7d5d8b64d7b
Opcode Fuzzy Hash: da1a48f3bb720c6b0d4ad77ba99bd88fbd9f57314301d0545feea4f4fabf05e4
Instruction Fuzzy Hash: 2111B6323026606FD7119F27DC64B2F7B9CFF44722B824429F846D7242DB309905CB95

Function 0094C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00911D88,?), ref: 0094C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0094C324

Strings

GetSystemWow64DirectoryW, xrefs: 0094C31E
kernel32.dll, xrefs: 0094C30D

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 04bbea7b59cae4539c13c4d4f5039beda11e9184a1bba1acc961bc5eedd94e88
Instruction ID: 0b1ef49272448a6c3f9056a89884fddd01514564e5fcfcc46e34afae58b85b37
Opcode Fuzzy Hash: 04bbea7b59cae4539c13c4d4f5039beda11e9184a1bba1acc961bc5eedd94e88
Instruction Fuzzy Hash: C4E012B4615713CFDB705F26D814E4676D8EF4976AF80C439E899D66A0E770E840CB60

Function 008E3190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: dafeb343b29524dfcaff597b66b52a21c8e32115695367e2abaa77e6d613718d
Instruction ID: b2aa45701d88ed7e9c5f9953320790b0ebe58cf1e6ed23495a45b1996d6211d3
Opcode Fuzzy Hash: dafeb343b29524dfcaff597b66b52a21c8e32115695367e2abaa77e6d613718d
Instruction Fuzzy Hash: C32264716083459BC724DF68C885BAAB7E4FF85314F104A2DF99A97391DB30EE44CB92

Function 0094F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0094F151
Process32FirstW.KERNEL32(00000000,?), ref: 0094F15F

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Process32NextW.KERNEL32(00000000,?), ref: 0094F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0094F22E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: a187a467733ce38040a3cd30198d2bda791772834eccd8c9475893ec0d1bfc8d
Instruction ID: 08d7baee105a5bd811e6b124dd0b1fdf2e37a10c5d942d2478bed047204fe964
Opcode Fuzzy Hash: a187a467733ce38040a3cd30198d2bda791772834eccd8c9475893ec0d1bfc8d
Instruction Fuzzy Hash: 5E514971508711AFD310EF24D895E6BBBE8FF98710F14492EF495D72A1EB70A904CB92

Function 009340B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 009340D1
_memset.LIBCMT ref: 009340F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00934144
CloseHandle.KERNEL32(00000000), ref: 0093414D

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: c40e67df592eddf810a580ea3b4ee294d4a5cc6604431057ad617d9ad9b034eb
Instruction ID: 96004b5c32d24a6af1999dddb554284eab8341cef5b755725e5aa192ef6f8188
Opcode Fuzzy Hash: c40e67df592eddf810a580ea3b4ee294d4a5cc6604431057ad617d9ad9b034eb
Instruction Fuzzy Hash: DA11E7759013287AE7309BA5AC4DFABBB7CEF44760F1041AAF908E7180D6744E808BA4

Function 0092EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0092EB19

Strings

|, xrefs: 0092EB49
(, xrefs: 0092EB5F

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: ca50e3cc06b9417b1752676078357afc4a0e9f396a0d6fe607d2ef8b1c1dd28d
Instruction ID: b3123e56bac689f4fcf83506996231539b991a8b13d88ba417242597b4a68e86
Opcode Fuzzy Hash: ca50e3cc06b9417b1752676078357afc4a0e9f396a0d6fe607d2ef8b1c1dd28d
Instruction Fuzzy Hash: A0324775A007159FDB28CF29D481A6AB7F0FF48320B15C56EE89ADB3A5DB70E941CB40

Function 009425E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 009426D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0094270C

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: cd29be6df1d3604b401d3749a5b8dc60a26d66ea69a2a0ebd682be0cd641d876
Instruction ID: d7be72ec2f1b617d375c5e50b1a0aba7bb1d065bde0f22d77ab8d89fcde2c170
Opcode Fuzzy Hash: cd29be6df1d3604b401d3749a5b8dc60a26d66ea69a2a0ebd682be0cd641d876
Instruction Fuzzy Hash: 5041E271904309BFEB20DF94CC85EBBB7BCFB40728F50406AFA01A6141EA71AE419B64

Function 0093B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0093B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0093B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0093B655

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 678b2d036f3d9d448626b78e673b3fe80a3e4f52dbfb40ed59084baa27411e5c
Instruction ID: 86f31f80d6015790b5689e1a770527982cfe02e234c10e4ab63afcd2ac99e672
Opcode Fuzzy Hash: 678b2d036f3d9d448626b78e673b3fe80a3e4f52dbfb40ed59084baa27411e5c
Instruction Fuzzy Hash: FB217135A10618EFCB00EFA5D891EADBBB8FF48314F1480AAE945EB351DB31A915CF51

Function 00928CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 008F0FF6: std::exception::exception.LIBCMT ref: 008F102C
Part of subcall function 008F0FF6: __CxxThrowException@8.LIBCMT ref: 008F1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00928D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00928D3A
GetLastError.KERNEL32 ref: 00928D47

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: bb86074bda6da0f75c7f32c1958f91afbd70dfa922b0c66973d7e6588f3da0e8
Instruction ID: d63dff2b57d87f31b1df164f65a50746ca513552b52ef497791bff4706ef4f06
Opcode Fuzzy Hash: bb86074bda6da0f75c7f32c1958f91afbd70dfa922b0c66973d7e6588f3da0e8
Instruction Fuzzy Hash: 6E1160B1414209AFD728DF68EC85D6BB7BCFB44721B24852EF45593685EF30A8448B60

Function 00934C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00934C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00934C43
FreeSid.ADVAPI32(?), ref: 00934C53

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 54ea15a62d73d5321659e10fba1ee1241ae2d83d8b11b13265e20e551f45f951
Instruction ID: eaf7e735263a1f50a15d825458d66b3e048c5e608426f96a925e32cc5ca147e0
Opcode Fuzzy Hash: 54ea15a62d73d5321659e10fba1ee1241ae2d83d8b11b13265e20e551f45f951
Instruction Fuzzy Hash: E1F04975A1130CBFDF04DFF1DC99AAEBBBCEF08311F0044A9A902E2181E6706A049B50

Function 008DE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9cf685d22c431171c11ae8861ccf6fef6a00e006885d21e770bb3dc4293e073
Instruction ID: a5eaeb5508531c576f4210f8ff0ad30e4f000e805d4fad765b03f238187d0d1c
Opcode Fuzzy Hash: c9cf685d22c431171c11ae8861ccf6fef6a00e006885d21e770bb3dc4293e073
Instruction Fuzzy Hash: 15228E74A00219DFDB24EF68C480ABEB7B5FF04310F14866AE956DB351E734A985CB91

Function 0093C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0093C966
FindClose.KERNEL32(00000000), ref: 0093C996

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f75aa2e31a99ea19af35574a68cbecafbc62e33fe4116ca9a10c1a8bb70c8756
Instruction ID: cb094adcd6b06a84d7f78a96056096d1a80072f6667d026b3bc5b104ce052b56
Opcode Fuzzy Hash: f75aa2e31a99ea19af35574a68cbecafbc62e33fe4116ca9a10c1a8bb70c8756
Instruction Fuzzy Hash: D01161726146109FD710EF29D855A2AF7E9FF84325F018A1EF9A9D73A1DB34AC00CB81

Function 0093A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0094977D,?,0095FB84,?), ref: 0093A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0094977D,?,0095FB84,?), ref: 0093A314

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: d33834564ef357acc022fad35199d3ddf335a2cfec818f7e2efa1005e4998644
Instruction ID: eacc73c500e6d946b4bb10581e9eca141aec155abb0a657bebeaec6e67dcfd40
Opcode Fuzzy Hash: d33834564ef357acc022fad35199d3ddf335a2cfec818f7e2efa1005e4998644
Instruction Fuzzy Hash: 22F0823555932DABEB20AFA4CC48FEA776DFF08761F004266B919D7181DA309940CBA1

Function 00928713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00928851), ref: 00928728
CloseHandle.KERNEL32(?,?,00928851), ref: 0092873A

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 804ed1e4bf7ffb723fa9149a17fd6d1978072d5c5df01a27c329257144bd2844
Instruction ID: ed20e07e4eb3e798a069f412269461c3b54e3e363ffecea2f52a0d08241a6a52
Opcode Fuzzy Hash: 804ed1e4bf7ffb723fa9149a17fd6d1978072d5c5df01a27c329257144bd2844
Instruction Fuzzy Hash: 1AE0B676015A10EEEB252B65EC09D777BADFB443617248829F596C0470DB72AC90EB10

Function 008FA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,008F8F97,?,?,?,00000001), ref: 008FA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 008FA3A3

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 41092d3f23a7102f245b5c6d905953c8fd49fb3f3f3d9e6fca8a7806066e07e3
Instruction ID: 328893d15005c77b136d064f12a613d9be7f6f304b4378d551a5dc8d77e7cc4e
Opcode Fuzzy Hash: 41092d3f23a7102f245b5c6d905953c8fd49fb3f3f3d9e6fca8a7806066e07e3
Instruction Fuzzy Hash: BFB09231068308ABEA002F92ED19B893F68EB44BF3F404020F60D84070CB725450AB91

Function 008FF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8b94a26842ac2ad9a5458dee61f853d390ff30dcf2a5be7b993129e41d8a31
Instruction ID: 709590350ed58bad18c2a9240fa463c04057c4516eabf14f160a8aa9665c4149
Opcode Fuzzy Hash: 3e8b94a26842ac2ad9a5458dee61f853d390ff30dcf2a5be7b993129e41d8a31
Instruction Fuzzy Hash: CD32F222D7DF194DD7239634D832335A248EFB73D8F15D73BE929B5AA6EB2884835100

Function 0090267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0240142389a6a5bcebd9486c48166dffa7144921f5c3818cdf44f60359826ba8
Instruction ID: 5d555873f34a24d23827fe7ce8f094e70f05a1167bae86e91c01038c09b807b4
Opcode Fuzzy Hash: 0240142389a6a5bcebd9486c48166dffa7144921f5c3818cdf44f60359826ba8
Instruction Fuzzy Hash: 2FB11120D3AF414DD32396398835336B64CAFBB2C5F51D71BFC2674E62EB6285835541

Function 00938B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00938B25

Part of subcall function 008F543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009391F8,00000000,?,?,?,?,009393A9,00000000,?), ref: 008F5443
Part of subcall function 008F543A: __aulldiv.LIBCMT ref: 008F5463

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 1de603937128a76839698961b8bdca4904947f52c36ceffd0ae88330bc798c08
Instruction ID: c344142aa82e183db6a4fe994dc61dc39e08f9d43e3ac80ce94af29b7a97efdd
Opcode Fuzzy Hash: 1de603937128a76839698961b8bdca4904947f52c36ceffd0ae88330bc798c08
Instruction Fuzzy Hash: E0210272638610CBC729CF29D441A52F3E1EBA4311F288E2DE0E5CB2D0CE30B905DB94

Function 009441FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00944218

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 28356779bfdb7bf5f8bd16c562a11420e78c3bb6fce1c745a3eacbe7ba4a73ef
Instruction ID: 68177d9baca06afde06d9c37d51e8935176d21a14636b41c991caf48dbcb6693
Opcode Fuzzy Hash: 28356779bfdb7bf5f8bd16c562a11420e78c3bb6fce1c745a3eacbe7ba4a73ef
Instruction Fuzzy Hash: C7E01A32250214AFCB10AF5AD844E9AB7E8EF94761F008426F849C7352DAB0A8408BA1

Function 00934EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00934EEC

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: b5ef4481c6ab9e99333799d54a8c0fdbc194a490723bf99baca8838745c34018
Instruction ID: e48638165ba7662d97d75923edd50095f19c3feaff7a25ef5b049eac6ec67177
Opcode Fuzzy Hash: b5ef4481c6ab9e99333799d54a8c0fdbc194a490723bf99baca8838745c34018
Instruction Fuzzy Hash: E3D052AA1607083AED388B249C6FF77020CF301782FD24AAAB102890C2E8D47C91A830

Function 00928C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,009288D1), ref: 00928CB3

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: d8a774f8f4fee9ad64d344fc89de0da576e2d0e2f84edf52b777c0396812002a
Instruction ID: 7e88ea938d2ac91c3ccf57b250997a4dd33f0f02d12478232e71bc3d267be582
Opcode Fuzzy Hash: d8a774f8f4fee9ad64d344fc89de0da576e2d0e2f84edf52b777c0396812002a
Instruction Fuzzy Hash: 5FD05E3226460EABEF018EA4DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Function 00912230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00912242

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 34b75094bd983f56924365694103fdca81e64779454a7f2e1161c7dc0dbcbcc2
Instruction ID: 3435465bf640b75798ea134221bff654c01cae254ea2146140eb59c8abc51466
Opcode Fuzzy Hash: 34b75094bd983f56924365694103fdca81e64779454a7f2e1161c7dc0dbcbcc2
Instruction Fuzzy Hash: 64C04CF181510DDBDB05DBA0D998DEE77BCAB04315F144455A101F2140D7749B449B71

Function 008FA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 008FA36A

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f7c1b747307fd1b8f95e9f16735467971bca9b8a435ceb560a165ceab5071557
Instruction ID: 56b09929b066e25f495ee163d01d500f06eb3e1bbdd375f9a00ebd24b304a8cc
Opcode Fuzzy Hash: f7c1b747307fd1b8f95e9f16735467971bca9b8a435ceb560a165ceab5071557
Instruction Fuzzy Hash: 92A0113002820CAB8A002F82EC08888BFACEA002E2B008020F80C800328B32A820AA80

Function 008E8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a57937ee475359391447dcc58e1df00aafe76dc0e56f5ca1eb0f7603274cee
Instruction ID: 935929ede7cc3a9c63ce89878bb45285be28103d555cbbeae45d7234bfe81f70
Opcode Fuzzy Hash: 57a57937ee475359391447dcc58e1df00aafe76dc0e56f5ca1eb0f7603274cee
Instruction Fuzzy Hash: 7F2268305056A6DBCF28CB2AD4C467DB7A1FB43314F3A842AD84ADB295DB34DD81CB61

Function 008F2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 381811f22137f033ad7afd389aa5dd92bba000ae51c39f3262036e5b7a1247a9
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: B9C193322150974ADF6D863AD43413EBAE1FEA27B131A076DE5B3CB5D4EF20D624D620

Function 008F283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 1a1fb9d43765e6f513b19cdd1b0370ea6fbef9c86bcb691d1fce38dadc36ded2
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 7FC196322151A749DF2D463AD43403EBBE1FBA27B131A076DE5B2DB5D4EF20D624E620

Function 008F1BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: d7eb66ba0e846e79f89c1dfa1ddf65a4e0dcd00146cd69c6d28bb450359566a1
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: CBC1833221519789DF2D463A947803EBBE1FBA27B131A076DE5B3CB5D4EF20D624D620

Function 00947B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00947B70
DeleteObject.GDI32(00000000), ref: 00947B82
DestroyWindow.USER32 ref: 00947B90
GetDesktopWindow.USER32 ref: 00947BAA
GetWindowRect.USER32(00000000), ref: 00947BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00947CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00947D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947D4A
GetClientRect.USER32(00000000,?), ref: 00947D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00947D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947DF8
GlobalFree.KERNEL32(00000000), ref: 00947E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00962CAC,00000000), ref: 00947E2B
GlobalFree.KERNEL32(00000000), ref: 00947E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00947E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00947E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00947EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0094808F

Strings

AutoIt v3, xrefs: 00947D42
DISPLAY, xrefs: 00947EF2
, xrefs: 00948015
static, xrefs: 00947D8A, 00947EE1

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 4a68b0e7ccc12a5b873e9f9e3031f2b687ec0defdd33fb398cf2ea8d18ce884b
Instruction ID: 6383733445ec12157292f9c3f06991053421b4c786abaceea4b3d742c2459f13
Opcode Fuzzy Hash: 4a68b0e7ccc12a5b873e9f9e3031f2b687ec0defdd33fb398cf2ea8d18ce884b
Instruction Fuzzy Hash: A0029D71914209EFDB14DFA9CC99EAEBBB9FB48311F108559F915EB2A0CB309D00DB60

Function 009537F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0095F910), ref: 009538AF
IsWindowVisible.USER32(?), ref: 009538D3

Strings

ISCHECKED, xrefs: 00953AC1
GETSELECTED, xrefs: 00953B2B
TABLEFT, xrefs: 0095390F
HIDEDROPDOWN, xrefs: 00953988
DELSTRING, xrefs: 009539D1
CURRENTTAB, xrefs: 00953945
GETCURRENTLINE, xrefs: 00953B75
GETCURRENTSELECTION, xrefs: 00953A6B
ISENABLED, xrefs: 009538F3
GETLINE, xrefs: 00953C23
CHECK, xrefs: 00953AF5
TABRIGHT, xrefs: 00953925
UNCHECK, xrefs: 00953B0B
GETCURRENTCOL, xrefs: 00953BB0
SHOWDROPDOWN, xrefs: 00953968
SELECTSTRING, xrefs: 00953A8E
EDITPASTE, xrefs: 00953BE7
GETLINECOUNT, xrefs: 00953B4E
ADDSTRING, xrefs: 0095399E
SENDCOMMANDID, xrefs: 00953C62
ISVISIBLE, xrefs: 009538BF
SETCURRENTSELECTION, xrefs: 00953A3E
FINDSTRING, xrefs: 009539FE

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: d4fbeff6d1da22ecc341983b022da16d518ecaffa3c564d4c2c52f88b8f9b804
Instruction ID: 624cb20c85889a29d0a6bf4c8d4e07366bafae22dbc723ace254745d339b4b46
Opcode Fuzzy Hash: d4fbeff6d1da22ecc341983b022da16d518ecaffa3c564d4c2c52f88b8f9b804
Instruction Fuzzy Hash: 7FD1A030204315DBCB24FF25C451A6AB7A5FF95385F048959FC869B3A3CB25EE0ACB52

Function 0095A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0095A89F
GetSysColorBrush.USER32(0000000F), ref: 0095A8D0
GetSysColor.USER32(0000000F), ref: 0095A8DC
SetBkColor.GDI32(?,000000FF), ref: 0095A8F6
SelectObject.GDI32(?,?), ref: 0095A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0095A930
GetSysColor.USER32(00000010), ref: 0095A938
CreateSolidBrush.GDI32(00000000), ref: 0095A93F
FrameRect.USER32(?,?,00000000), ref: 0095A94E
DeleteObject.GDI32(00000000), ref: 0095A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0095A9A0
FillRect.USER32(?,?,?), ref: 0095A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0095A9FD

Part of subcall function 0095AB60: GetSysColor.USER32(00000012), ref: 0095AB99
Part of subcall function 0095AB60: SetTextColor.GDI32(?,?), ref: 0095AB9D
Part of subcall function 0095AB60: GetSysColorBrush.USER32(0000000F), ref: 0095ABB3
Part of subcall function 0095AB60: GetSysColor.USER32(0000000F), ref: 0095ABBE
Part of subcall function 0095AB60: GetSysColor.USER32(00000011), ref: 0095ABDB
Part of subcall function 0095AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0095ABE9
Part of subcall function 0095AB60: SelectObject.GDI32(?,00000000), ref: 0095ABFA
Part of subcall function 0095AB60: SetBkColor.GDI32(?,00000000), ref: 0095AC03
Part of subcall function 0095AB60: SelectObject.GDI32(?,?), ref: 0095AC10
Part of subcall function 0095AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0095AC2F
Part of subcall function 0095AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0095AC46
Part of subcall function 0095AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0095AC5B

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 2ed8c49b0247f39f077ff89e005142b6fcbe4ab044b506144ee5c9111c08828c
Instruction ID: b04bfe3678a7fa48848e7e8c0546df5e0d4729ed255ad0cc62d938a264d4bd57
Opcode Fuzzy Hash: 2ed8c49b0247f39f077ff89e005142b6fcbe4ab044b506144ee5c9111c08828c
Instruction Fuzzy Hash: 7FA18F72018301AFDB10DF66DC18A6B7BA9FF89332F104B29F962961E0D734D949DB52

Function 009477BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009477F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009478B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009478EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00947900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00947946
GetClientRect.USER32(00000000,?), ref: 00947952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00947996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009479A5
GetStockObject.GDI32(00000011), ref: 009479B5
SelectObject.GDI32(00000000,00000000), ref: 009479B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009479C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009479D2
DeleteDC.GDI32(00000000), ref: 009479DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00947A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00947A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00947A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00947A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00947A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00947AAE
GetStockObject.GDI32(00000011), ref: 00947AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00947AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00947ACE

Strings

AutoIt v3, xrefs: 0094793E
DISPLAY, xrefs: 0094799B
static, xrefs: 00947990, 00947AA8
msctls_progress32, xrefs: 00947A4F

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 5a771e51a54380e57ef887f6611b1cb6d3e53649dadb1aaf8275c36eec72f501
Instruction ID: 8045a95c8ead72def2d9bc710f13bc0a7e067212290fc11dbcc2533ad7dbac21
Opcode Fuzzy Hash: 5a771e51a54380e57ef887f6611b1cb6d3e53649dadb1aaf8275c36eec72f501
Instruction Fuzzy Hash: 66A1A371A14209BFEB14DBA9DD4AFAEBBB9EB44711F004215FA14E72E0D770AD00DB60

Function 0093AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0093AF89
GetDriveTypeW.KERNEL32(?,0095FAC0,?,\\.\,0095F910), ref: 0093B066
SetErrorMode.KERNEL32(00000000,0095FAC0,?,\\.\,0095F910), ref: 0093B1C4

Strings

\\.\, xrefs: 0093AFDB
FileBackedVirtual, xrefs: 0093B193
SATA, xrefs: 0093B177
Virtual, xrefs: 0093B18C
1394, xrefs: 0093B146
MMC, xrefs: 0093B185
iSCSI, xrefs: 0093B169
CDROM, xrefs: 0093B09A
ATA, xrefs: 0093B13F
Fixed, xrefs: 0093B0AE
Network, xrefs: 0093B0A4
Removable, xrefs: 0093B0B8
ATAPI, xrefs: 0093B138
SCSI, xrefs: 0093B131
PhysicalDrive, xrefs: 0093B012
SSD, xrefs: 0093B0F1
USB, xrefs: 0093B15B
SSA, xrefs: 0093B14D
Unknown, xrefs: 0093B086, 0093B12A
RAID, xrefs: 0093B162
RAMDisk, xrefs: 0093B090
Fibre, xrefs: 0093B154
SAS, xrefs: 0093B170

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 9878feb287db6ed086377e3e726dd7e6a700518b4ac2d57a338ac71e34e24661
Instruction ID: ab0c40183cc1af8bb741d6ec0a205953adc310cc943e20fba3b795207c898bb3
Opcode Fuzzy Hash: 9878feb287db6ed086377e3e726dd7e6a700518b4ac2d57a338ac71e34e24661
Instruction Fuzzy Hash: 9351E330A88305ABDB04EB94C9A297D73B1FB94345F204517E60AE7390D7B9AD01EF83

Function 008D6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 008D6A91
__wcsnicmp.LIBCMT ref: 008D6AA9
__wcsnicmp.LIBCMT ref: 008D6AC1
__wcsnicmp.LIBCMT ref: 008D6AD9
__wcsnicmp.LIBCMT ref: 008D6AF1
__wcsnicmp.LIBCMT ref: 008D6B09
__wcsnicmp.LIBCMT ref: 008D6B21
__wcsnicmp.LIBCMT ref: 008D6B35
__wcsnicmp.LIBCMT ref: 008D6B76
__wcsnicmp.LIBCMT ref: 008D6B8A
__wcsnicmp.LIBCMT ref: 008D6B9E
__wcsnicmp.LIBCMT ref: 008D6BB2

Strings

#notrayicon, xrefs: 008D6AA3
#ce, xrefs: 008D6BAC
Unterminated group of comments, xrefs: 0090E82C
#comments-end, xrefs: 008D6B98
#include, xrefs: 008D6B03
#cs, xrefs: 008D6B2F, 008D6B84
#OnAutoItStartRegister, xrefs: 008D6AD3
Bad directive syntax error, xrefs: 0090E743
Cannot parse #include, xrefs: 0090E819
#requireadmin, xrefs: 008D6ABB
#include-once, xrefs: 008D6AEB
#comments-start, xrefs: 008D6B1B, 008D6B70
#pragma compile, xrefs: 008D6A8B

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 24567dfa5fc6aae010cfa843c32b48d8604e3678f7f40059e555f3433c76e7f2
Instruction ID: dc570d1deb418c4218636993bbf8975c8bc3703acf3dcf58fe2fa4f01bc4b2a8
Opcode Fuzzy Hash: 24567dfa5fc6aae010cfa843c32b48d8604e3678f7f40059e555f3433c76e7f2
Instruction Fuzzy Hash: 888129B0600619BACB20AB75CC92FBE7758FF10714F044127FE46EA2C2FB60DA55C692

Function 00959C8B Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00959D41
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00959DFA
SendMessageW.USER32(?,00001102,00000002,?), ref: 00959E16

Strings

0, xrefs: 00959E53

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 38d9ab519e60bd5b80203b8e0d7d8aa43346caa327fedd9f42f70b887dee6b1d
Instruction ID: b0ea67a6530c1d16cb4f81f57b9da02440bbb21267c769ed96221b2d141ed541
Opcode Fuzzy Hash: 38d9ab519e60bd5b80203b8e0d7d8aa43346caa327fedd9f42f70b887dee6b1d
Instruction Fuzzy Hash: 5F02F130118301AFE715CF26C859BAABBE9FF49316F048A2DFC95D62A1C734D948DB52

Function 0095AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0095AB99
SetTextColor.GDI32(?,?), ref: 0095AB9D
GetSysColorBrush.USER32(0000000F), ref: 0095ABB3
GetSysColor.USER32(0000000F), ref: 0095ABBE
CreateSolidBrush.GDI32(?), ref: 0095ABC3
GetSysColor.USER32(00000011), ref: 0095ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0095ABE9
SelectObject.GDI32(?,00000000), ref: 0095ABFA
SetBkColor.GDI32(?,00000000), ref: 0095AC03
SelectObject.GDI32(?,?), ref: 0095AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0095AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0095AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0095AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0095ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0095ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0095ACEC
DrawFocusRect.USER32(?,?), ref: 0095ACF7
GetSysColor.USER32(00000011), ref: 0095AD05
SetTextColor.GDI32(?,00000000), ref: 0095AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0095AD21
SelectObject.GDI32(?,0095A869), ref: 0095AD38
DeleteObject.GDI32(?), ref: 0095AD43
SelectObject.GDI32(?,?), ref: 0095AD49
DeleteObject.GDI32(?), ref: 0095AD4E
SetTextColor.GDI32(?,?), ref: 0095AD54
SetBkColor.GDI32(?,?), ref: 0095AD5E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 181eec5b9e26dbb81e79a2c764ac20064bdc2452be6ce428c5ad75edbc7ebff4
Instruction ID: b3833a80cb817223c5a85b8f6b63534b056184bc0ab89a9ad6c3b018fea8afa4
Opcode Fuzzy Hash: 181eec5b9e26dbb81e79a2c764ac20064bdc2452be6ce428c5ad75edbc7ebff4
Instruction Fuzzy Hash: 8C616C71904218EFDF11DFAADC48EAE7BB9EB08332F104225F915AB2A1D6759940DB90

Function 00958C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00958D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00958D45
CharNextW.USER32(0000014E), ref: 00958D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00958DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00958DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00958DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00958DF9
SetWindowTextW.USER32(?,0000014E), ref: 00958E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00958E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00958E8C
_memset.LIBCMT ref: 00958EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00958EFA
_memset.LIBCMT ref: 00958F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00958F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00958FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00959088
InvalidateRect.USER32(?,00000000,00000001), ref: 009590AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009590F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00959121
DrawMenuBar.USER32(?), ref: 00959130
SetWindowTextW.USER32(?,0000014E), ref: 00959158

Strings

0, xrefs: 009590C2

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: f7a1d2c28e5007e8421f5ac6e5426a86f207d6d69403f8b0020d01ed0f094de6
Instruction ID: 732caf5ba85c43e1ad41390708ab91a5d2b5e91e0d09f95d7caec8c874384ead
Opcode Fuzzy Hash: f7a1d2c28e5007e8421f5ac6e5426a86f207d6d69403f8b0020d01ed0f094de6
Instruction Fuzzy Hash: 66E1A070905219AADF20DF66CC88EEF7BB9EF05311F008159FD15AA291DB348A89DF60

Function 00954B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00954C51
GetDesktopWindow.USER32 ref: 00954C66
GetWindowRect.USER32(00000000), ref: 00954C6D
GetWindowLongW.USER32(?,000000F0), ref: 00954CCF
DestroyWindow.USER32(?), ref: 00954CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00954D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00954D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00954D68
SendMessageW.USER32(?,00000421,?,?), ref: 00954D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00954D90
IsWindowVisible.USER32(?), ref: 00954DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00954DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00954DDF
GetWindowRect.USER32(?,?), ref: 00954DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00954E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00954E37
CopyRect.USER32(?,?), ref: 00954E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00954EB9

Strings

(, xrefs: 00954E2A
tooltips_class32, xrefs: 00954D1D
0, xrefs: 00954BFC

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 3dce3b85487e1454baff78f379e64273d4c39a1a24bbc8af92f2a40ab31e6435
Instruction ID: d9c4f25edf634ffadafb2ab9057b5922c9d1c056e189e4cd36d88db2b118e51f
Opcode Fuzzy Hash: 3dce3b85487e1454baff78f379e64273d4c39a1a24bbc8af92f2a40ab31e6435
Instruction Fuzzy Hash: 72B19E71618341AFDB44DF26C849B6ABBE4FF84315F008A1DF9999B2A1D770EC48CB52

Function 009346D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 009346E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0093470E
_wcscpy.LIBCMT ref: 0093473C
_wcscmp.LIBCMT ref: 00934747
_wcscat.LIBCMT ref: 0093475D
_wcsstr.LIBCMT ref: 00934768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00934784
_wcscat.LIBCMT ref: 009347CD
_wcscat.LIBCMT ref: 009347D4
_wcsncpy.LIBCMT ref: 009347FF

Strings

\VarFileInfo\Translation, xrefs: 0093477C
DefaultLangCodepage, xrefs: 009347E7
04090000, xrefs: 009347BA
%u.%u.%u.%u, xrefs: 00934862
StringFileInfo\, xrefs: 00934757

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: f3dd0b718c492bf182b6e3a54f33d12e185ad28569130784e2110a1575234623
Instruction ID: b753a199a91b13c1b1af369062cc9986b37228c5d64e1387a6441fcbcc57a7b8
Opcode Fuzzy Hash: f3dd0b718c492bf182b6e3a54f33d12e185ad28569130784e2110a1575234623
Instruction Fuzzy Hash: B7412D716042087ADB10F7798C47EBF77ACEF45720F140166FA05E6182EF74AA015BA7

Function 008D27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008D28BC
GetSystemMetrics.USER32(00000007), ref: 008D28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008D28EF
GetSystemMetrics.USER32(00000008), ref: 008D28F7
GetSystemMetrics.USER32(00000004), ref: 008D291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008D2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008D2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008D297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008D2990
GetClientRect.USER32(00000000,000000FF), ref: 008D29AE
GetStockObject.GDI32(00000011), ref: 008D29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 008D29D5

Part of subcall function 008D2344: GetCursorPos.USER32(?), ref: 008D2357
Part of subcall function 008D2344: ScreenToClient.USER32(009967B0,?), ref: 008D2374
Part of subcall function 008D2344: GetAsyncKeyState.USER32(00000001), ref: 008D2399
Part of subcall function 008D2344: GetAsyncKeyState.USER32(00000002), ref: 008D23A7

SetTimer.USER32(00000000,00000000,00000028,008D1256), ref: 008D29FC

Strings

AutoIt v3 GUI, xrefs: 008D2974

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f6d3b1c765bd7d123ca3e8f7f8d5f41acf03750adb0e490c65bbe03e054d9bdf
Instruction ID: 4acf832e4b44fc9ed255f9750d10602053c5b2a05c8b60ab50245472e80a560c
Opcode Fuzzy Hash: f6d3b1c765bd7d123ca3e8f7f8d5f41acf03750adb0e490c65bbe03e054d9bdf
Instruction Fuzzy Hash: A9B1AD70A1420AEFDB14DFA9CC55BAE7BB4FB18315F10822AFA15E72D0DB30A841DB50

Function 00954069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009540F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009541B6

Strings

GETSELECTED, xrefs: 009542E4
SELECTCLEAR, xrefs: 00954235
GETSELECTEDCOUNT, xrefs: 00954199
SELECT, xrefs: 00954250
GETITEMCOUNT, xrefs: 00954128
SELECTINVERT, xrefs: 00954286
SELECTALL, xrefs: 0095421D
ISSELECTED, xrefs: 009541C1
DESELECT, xrefs: 009542A4
GETSUBITEMCOUNT, xrefs: 00954141
VIEWCHANGE, xrefs: 00954375
GETTEXT, xrefs: 0095415F
FINDITEM, xrefs: 00954329

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: cf3093af5bced55a50037e255ab2e33be540ded6497de3dc3b8e5713423d3622
Instruction ID: be40cf9ed67d5b3cf2dbc72525da9a72049fc062469ba30b41e4e638a32adef6
Opcode Fuzzy Hash: cf3093af5bced55a50037e255ab2e33be540ded6497de3dc3b8e5713423d3622
Instruction Fuzzy Hash: D8A1D1302143159FCB14FF25C951A6AB3E5FF84319F144A29F8A69B3A2DB34EC49CB52

Function 009452F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00945309
LoadCursorW.USER32(00000000,00007F8A), ref: 00945314
LoadCursorW.USER32(00000000,00007F00), ref: 0094531F
LoadCursorW.USER32(00000000,00007F03), ref: 0094532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00945335
LoadCursorW.USER32(00000000,00007F01), ref: 00945340
LoadCursorW.USER32(00000000,00007F81), ref: 0094534B
LoadCursorW.USER32(00000000,00007F88), ref: 00945356
LoadCursorW.USER32(00000000,00007F80), ref: 00945361
LoadCursorW.USER32(00000000,00007F86), ref: 0094536C
LoadCursorW.USER32(00000000,00007F83), ref: 00945377
LoadCursorW.USER32(00000000,00007F85), ref: 00945382
LoadCursorW.USER32(00000000,00007F82), ref: 0094538D
LoadCursorW.USER32(00000000,00007F84), ref: 00945398
LoadCursorW.USER32(00000000,00007F04), ref: 009453A3
LoadCursorW.USER32(00000000,00007F02), ref: 009453AE
GetCursorInfo.USER32(?), ref: 009453BE
GetLastError.KERNEL32(00000001,00000000), ref: 009453E9

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 163f7eb3d468be947c5ef46d525a91f0046817df36641b17e2b36d0cab5e8113
Instruction ID: 67f0fff8d178dad98fcd44aa0ef0b58ee516ee17cb7a084a7ffe71f7c2ac3f2b
Opcode Fuzzy Hash: 163f7eb3d468be947c5ef46d525a91f0046817df36641b17e2b36d0cab5e8113
Instruction Fuzzy Hash: 53415370E083196BDB109FBA8C49D6EFFB8EF51B50B10452BE509E7291DAB89401CE61

Function 0092AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0092AAA5
__swprintf.LIBCMT ref: 0092AB46
_wcscmp.LIBCMT ref: 0092AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0092ABAE
_wcscmp.LIBCMT ref: 0092ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0092AC21
GetDlgCtrlID.USER32(?), ref: 0092AC73
GetWindowRect.USER32(?,?), ref: 0092ACA9
GetParent.USER32(?), ref: 0092ACC7
ScreenToClient.USER32(00000000), ref: 0092ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0092AD48
_wcscmp.LIBCMT ref: 0092AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0092AD82
_wcscmp.LIBCMT ref: 0092AD96

Part of subcall function 008F386C: _iswctype.LIBCMT ref: 008F3874

Strings

%s%u, xrefs: 0092AB40

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: de095ad93c8ee894d1bbaad6d04f45f1706180af5e3919dc47c880c664c59643
Instruction ID: 25909872810f6ad264a32c1b5cfc6adb52945e00fecb3b5574b9cbe8ab5d5aff
Opcode Fuzzy Hash: de095ad93c8ee894d1bbaad6d04f45f1706180af5e3919dc47c880c664c59643
Instruction Fuzzy Hash: C5A1E072204726AFDB14EF24E884BAAF7ECFF44315F104629F999D2194DB30E945CB92

Function 0092B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0092B3DB
_wcscmp.LIBCMT ref: 0092B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0092B414
CharUpperBuffW.USER32(?,00000000), ref: 0092B431
_wcscmp.LIBCMT ref: 0092B44F
_wcsstr.LIBCMT ref: 0092B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0092B498
_wcscmp.LIBCMT ref: 0092B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0092B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0092B518
_wcscmp.LIBCMT ref: 0092B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0092B550
GetWindowRect.USER32(00000004,?), ref: 0092B5B9

Strings

ThumbnailClass, xrefs: 0092B4A3, 0092B523
@, xrefs: 0092B3BC

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 46d8ef9e0effaa56854ea83898d2f999b2b90f5f557b63d6169919597972b78d
Instruction ID: b5c92f45a5a59be1d9b3f221f40097d7daa4b500b02772e9492245d6785b9113
Opcode Fuzzy Hash: 46d8ef9e0effaa56854ea83898d2f999b2b90f5f557b63d6169919597972b78d
Instruction Fuzzy Hash: F081C0710083199BDB00DF14E885FAA7BECFF44324F18856AFD858A1AADB34DD45CBA1

Function 0092B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0092B23F

Strings

HANDLE=, xrefs: 0092B238
[LAST, xrefs: 0092B2EC
[REGEXPTITLE:, xrefs: 0092B267
REGEXP=, xrefs: 0092B254
ACTIVE, xrefs: 0092B21A
[HANDLE:, xrefs: 0092B24B
ALL, xrefs: 0092B2D3
[CLASS:, xrefs: 0092B28F
LAST, xrefs: 0092B204
CLASSNAME=, xrefs: 0092B27C
[ACTIVE, xrefs: 0092B22C
[ALL, xrefs: 0092B2E5

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: a81bc272aa114ac4817bec8690d870d2ef51ca302d2948c85c61cd8a5eda51f0
Instruction ID: 349b10a32f76477bc0ba07e59d61b1e32ff5a229b56d0547e2c650c75660292d
Opcode Fuzzy Hash: a81bc272aa114ac4817bec8690d870d2ef51ca302d2948c85c61cd8a5eda51f0
Instruction Fuzzy Hash: BF31E331544329E6DB14FA64DD43EFE77A8FF20754F64051AB412B12D9FF116E04C652

Function 0092C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0092C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0092C4E6
SetWindowTextW.USER32(?,?), ref: 0092C4FD
GetDlgItem.USER32(?,000003EA), ref: 0092C512
SetWindowTextW.USER32(00000000,?), ref: 0092C518
GetDlgItem.USER32(?,000003E9), ref: 0092C528
SetWindowTextW.USER32(00000000,?), ref: 0092C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0092C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0092C569
GetWindowRect.USER32(?,?), ref: 0092C572
SetWindowTextW.USER32(?,?), ref: 0092C5DD
GetDesktopWindow.USER32 ref: 0092C5E3
GetWindowRect.USER32(00000000), ref: 0092C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0092C636
GetClientRect.USER32(?,?), ref: 0092C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0092C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0092C693

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: dce078018822b6618a0aeaf17117d98aec2f7c44c30151ed41b57390684ffb7b
Instruction ID: edfbd3059b8f99149ec76eec8de9216169a7772d8e7e9c342b3ea8320f936587
Opcode Fuzzy Hash: dce078018822b6618a0aeaf17117d98aec2f7c44c30151ed41b57390684ffb7b
Instruction Fuzzy Hash: E8517A71900709AFDB209FA9DE89F6FBBF9FF04705F004928E686A25A4C775E904DB50

Function 0095A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0095A4C8
DestroyWindow.USER32(?,?), ref: 0095A542

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0095A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0095A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0095A5F1
DestroyWindow.USER32(00000000), ref: 0095A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008D0000,00000000), ref: 0095A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0095A663
GetDesktopWindow.USER32 ref: 0095A67C
GetWindowRect.USER32(00000000), ref: 0095A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0095A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0095A6B3

Part of subcall function 008D25DB: GetWindowLongW.USER32(?,000000EB), ref: 008D25EC

Strings

0, xrefs: 0095A4DE
tooltips_class32, xrefs: 0095A5B5, 0095A643

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 32737b73eb9979a5e4b95c8c86bdd316f2109fd0d84481693cbcd4ba2fdbdc44
Instruction ID: 54688f0d99a070ae1c5ccd2383360d3198596cd46d1264d92cc09ea6979d50ca
Opcode Fuzzy Hash: 32737b73eb9979a5e4b95c8c86bdd316f2109fd0d84481693cbcd4ba2fdbdc44
Instruction Fuzzy Hash: 7D71E174154309AFD720CF29DC59F6A7BEAFB88315F08062DF985872A0D770E90ADB16

Function 0095C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

DragQueryPoint.SHELL32(?,?), ref: 0095C917

Part of subcall function 0095ADF1: ClientToScreen.USER32(?,?), ref: 0095AE1A
Part of subcall function 0095ADF1: GetWindowRect.USER32(?,?), ref: 0095AE90
Part of subcall function 0095ADF1: PtInRect.USER32(?,?,0095C304), ref: 0095AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0095C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0095C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0095C9AE
_wcscat.LIBCMT ref: 0095C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0095C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0095CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0095CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0095CA47
DragFinish.SHELL32(?), ref: 0095CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0095CB41

Strings

@GUI_DRAGFILE, xrefs: 0095CAF0
@GUI_DRAGID, xrefs: 0095CAB9
@GUI_DROPID, xrefs: 0095CA6E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 6fabbcd98335636c3065b8dd408aa876545cc7835ef76a646b57a00e4041376c
Instruction ID: 4d44e8b9006a5d0432929c6b91610abe3b6ac66d9d717741e203a97ea7499a99
Opcode Fuzzy Hash: 6fabbcd98335636c3065b8dd408aa876545cc7835ef76a646b57a00e4041376c
Instruction Fuzzy Hash: 05615771108311AFC711EF69CC95E9BBBE8FF88754F000A2EF591922A1DB709A49CB52

Function 00954619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009546AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009546F6

Strings

ISCHECKED, xrefs: 00954879
UNCHECK, xrefs: 009548D2
GETSELECTED, xrefs: 00954806
SELECT, xrefs: 009548A7
EXPAND, xrefs: 009547A8
COLLAPSE, xrefs: 0095473C
GETITEMCOUNT, xrefs: 009547D8
GETTOTALCOUNT, xrefs: 009546DD
GETTEXT, xrefs: 00954849
CHECK, xrefs: 00954716
EXISTS, xrefs: 0095475F

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: c156ed47fd213c5e877e95b28dc426e936df36252ea4dec2c90b9d3baad23047
Instruction ID: ff3b456205c0c297b7281687a8767c847984ff7c6d4df57b9e82d5ee678e7efa
Opcode Fuzzy Hash: c156ed47fd213c5e877e95b28dc426e936df36252ea4dec2c90b9d3baad23047
Instruction Fuzzy Hash: 63917B342043159FCB14EF25C461A6ABBA5FF85318F04495DFC969B3A2CB34ED4ACB82

Function 0095BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0095BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00959431), ref: 0095BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0095BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0095BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0095BC7D
FreeLibrary.KERNEL32(?), ref: 0095BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0095BC99
DestroyIcon.USER32(?,?,?,?,?,00959431), ref: 0095BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0095BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0095BCD1

Part of subcall function 008F313D: __wcsicmp_l.LIBCMT ref: 008F31C6

Strings

.dll, xrefs: 0095BB27
.exe, xrefs: 0095BB04
.icl, xrefs: 0095BAE4

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 661a2f5ffcb670b7cf6b81b280283f1ed001c1ff28388c8ca989d2eb1571e435
Instruction ID: a507c30a6f9bb4845098f6d3f3003213af750afcf94bb108adc12b2463bcb9ff
Opcode Fuzzy Hash: 661a2f5ffcb670b7cf6b81b280283f1ed001c1ff28388c8ca989d2eb1571e435
Instruction Fuzzy Hash: B5610271500219BAEB14DF69CC45FBE7BACFB08722F104219FD15D61C0DB74AA94DBA0

Function 0093A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

CharLowerBuffW.USER32(?,?), ref: 0093A636
GetDriveTypeW.KERNEL32 ref: 0093A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0093A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0093A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0093A730

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

Strings

wait, xrefs: 0093A6ED
close, xrefs: 0093A63C
type cdaudio alias cd wait, xrefs: 0093A6AE
closed, xrefs: 0093A64A, 0093A653
open , xrefs: 0093A692
open, xrefs: 0093A65D
close cd wait, xrefs: 0093A71B
set cd door , xrefs: 0093A6D1

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: dd87298ae46ffadb29722aaf742680165dd3d98c4078863349e66c4a33881c7c
Instruction ID: 366db89d8c7abf375c1cb473daf004bad58ada480267cb97eea26f188035c1f0
Opcode Fuzzy Hash: dd87298ae46ffadb29722aaf742680165dd3d98c4078863349e66c4a33881c7c
Instruction Fuzzy Hash: B35138711043059FD710EF24C89196AB7E8FF94718F044A6EF89697361EB35AE0ACB52

Function 0093A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0093A47A
__swprintf.LIBCMT ref: 0093A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0093A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0093A4FE
_memset.LIBCMT ref: 0093A51D
_wcsncpy.LIBCMT ref: 0093A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0093A58E
CloseHandle.KERNEL32(00000000), ref: 0093A599
RemoveDirectoryW.KERNEL32(?), ref: 0093A5A2
CloseHandle.KERNEL32(00000000), ref: 0093A5AC

Strings

\, xrefs: 0093A4B2
:, xrefs: 0093A4BD
\??\%s, xrefs: 0093A496

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 240514883a5a7f324089f8313e17712dc55e9bdb7cc81c5fec673563daf55dd3
Instruction ID: 1501c0cda75ec97e8c5aa93bfd7981035b8d68018589f85215a56aad4fe07468
Opcode Fuzzy Hash: 240514883a5a7f324089f8313e17712dc55e9bdb7cc81c5fec673563daf55dd3
Instruction Fuzzy Hash: 5531BEB2604209ABDB219FA1DC48FEF33BCEF88751F1040B6FA08D6160EB7096448B25

Function 0095BCED Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00959476,?,?), ref: 0095BD10
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00959476,?,?,00000000,?), ref: 0095BD27
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00959476,?,?,00000000,?), ref: 0095BD32
CloseHandle.KERNEL32(00000000,?,?,?,?,00959476,?,?,00000000,?), ref: 0095BD3F
GlobalLock.KERNEL32(00000000,?,?,?,?,00959476,?,?,00000000,?), ref: 0095BD48
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00959476,?,?,00000000,?), ref: 0095BD57
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00959476,?,?,00000000,?), ref: 0095BD60
CloseHandle.KERNEL32(00000000,?,?,?,?,00959476,?,?,00000000,?), ref: 0095BD67
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00959476,?,?,00000000,?), ref: 0095BD78
OleLoadPicture.OLEAUT32(?,00000000,00000000,00962CAC,?), ref: 0095BD91
GlobalFree.KERNEL32(00000000), ref: 0095BDA1
GetObjectW.GDI32(00000000,00000018,?), ref: 0095BDC5
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0095BDF0
DeleteObject.GDI32(00000000), ref: 0095BE18
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0095BE2E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 86af560ed69f0526232596a247cfb66234c723b07a0ec73c2a3da32ef6dedad7
Instruction ID: 69a90e73100fa2a8f85c26ebe7c58e3ab3e3f053e6e95d8fdd89638b9d766e0f
Opcode Fuzzy Hash: 86af560ed69f0526232596a247cfb66234c723b07a0ec73c2a3da32ef6dedad7
Instruction Fuzzy Hash: E6412775604208AFDB11DF66DC58EABBBB8EB89722F104068F905D72A0D7309905DB60

Function 0093DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0093DC7B
_wcscat.LIBCMT ref: 0093DC93
_wcscat.LIBCMT ref: 0093DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0093DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 0093DCCE
GetFileAttributesW.KERNEL32(?), ref: 0093DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 0093DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 0093DD12

Strings

*.*, xrefs: 0093DD51

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 96a79ffec15e94ac1875da63fd8e4bedad1ab088aef873a9bbc545b345cae3f9
Instruction ID: 90fdfcf1e6c905882c69ae68d4623716c7aa375a13199dbd8d48b5d3350ad353
Opcode Fuzzy Hash: 96a79ffec15e94ac1875da63fd8e4bedad1ab088aef873a9bbc545b345cae3f9
Instruction Fuzzy Hash: 6E8180725153459FCB24EF28D8659AAB7E8FB88310F198C2EF899C7250EB34D944CF52

Function 0095C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0095C4EC
GetFocus.USER32 ref: 0095C4FC
GetDlgCtrlID.USER32(00000000), ref: 0095C507
_memset.LIBCMT ref: 0095C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0095C65D
GetMenuItemCount.USER32(?), ref: 0095C67D
GetMenuItemID.USER32(?,00000000), ref: 0095C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0095C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0095C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0095C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0095C779

Strings

0, xrefs: 0095C62A

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 9690cde8921c2e16c7f869c8b38e705ba233b8c82fa47c4bb7b94379cdcc5af2
Instruction ID: 282981d862cc4af99946fa62313c0657b09769c95aa36d55d9b2271b878aa6b5
Opcode Fuzzy Hash: 9690cde8921c2e16c7f869c8b38e705ba233b8c82fa47c4bb7b94379cdcc5af2
Instruction Fuzzy Hash: D68180B0209305AFD710CF26C984A6BBBE8FB88355F10492EFD9597291D770E909DF92

Function 009283F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0092874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00928766
Part of subcall function 0092874A: GetLastError.KERNEL32(?,0092822A,?,?,?), ref: 00928770
Part of subcall function 0092874A: GetProcessHeap.KERNEL32(00000008,?,?,0092822A,?,?,?), ref: 0092877F
Part of subcall function 0092874A: HeapAlloc.KERNEL32(00000000,?,0092822A,?,?,?), ref: 00928786
Part of subcall function 0092874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0092879D

Part of subcall function 009287E7: GetProcessHeap.KERNEL32(00000008,00928240,00000000,00000000,?,00928240,?), ref: 009287F3
Part of subcall function 009287E7: HeapAlloc.KERNEL32(00000000,?,00928240,?), ref: 009287FA
Part of subcall function 009287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00928240,?), ref: 0092880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00928458
_memset.LIBCMT ref: 0092846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0092848C
GetLengthSid.ADVAPI32(?), ref: 0092849D
GetAce.ADVAPI32(?,00000000,?), ref: 009284DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009284F6
GetLengthSid.ADVAPI32(?), ref: 00928513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00928522
HeapAlloc.KERNEL32(00000000), ref: 00928529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0092854A
CopySid.ADVAPI32(00000000), ref: 00928551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00928582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009285A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009285BC

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 105e21f915047bbdb8fde2080944b25dbc5723d388e9484179e48170056ba817
Instruction ID: 4c84bc515e20d784d7f46d56f5c7cb7dbbad14c0439c397a7963fac88e5400e9
Opcode Fuzzy Hash: 105e21f915047bbdb8fde2080944b25dbc5723d388e9484179e48170056ba817
Instruction Fuzzy Hash: 0E61597190121AABDF00DFA5EC48EAEBBB9FF04311F088169F815A7291DB349A04DF60

Function 0094762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009476A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 009476AE
CreateCompatibleDC.GDI32(?), ref: 009476BA
SelectObject.GDI32(00000000,?), ref: 009476C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0094771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00947757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0094777B
SelectObject.GDI32(00000006,?), ref: 00947783
DeleteObject.GDI32(?), ref: 0094778C
DeleteDC.GDI32(00000006), ref: 00947793
ReleaseDC.USER32(00000000,?), ref: 0094779E

Strings

(, xrefs: 00947723

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5e3194bf0a6b55a18e9d2bfc55f39f993cb899636c23f3f73c5097b58468653e
Instruction ID: 98c0d330b6954667366003622b029db2a99b686f78f5cdbd09539a8bd1abbcb9
Opcode Fuzzy Hash: 5e3194bf0a6b55a18e9d2bfc55f39f993cb899636c23f3f73c5097b58468653e
Instruction Fuzzy Hash: 86513875908309EFCB15CFA9CC85EAEBBB9EF48710F14852DF94AA7250D731A940CB60

Function 0093A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0095FB78), ref: 0093A0FC

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0093A11E
__swprintf.LIBCMT ref: 0093A177
__swprintf.LIBCMT ref: 0093A190
_wprintf.LIBCMT ref: 0093A246
_wprintf.LIBCMT ref: 0093A264

Strings

"%s" (%d) : ==> %s:, xrefs: 0093A25F
Error: , xrefs: 0093A20E
"%s" (%d) : ==> %s:%s%s, xrefs: 0093A241
Line %d (File "%s"):, xrefs: 0093A171, 0093A18A
^ ERROR, xrefs: 0093A1E8

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: eb5eb1eed25adf99cd34a109c5e0b1951bd72f068c2364f4ffe84b42fb7ab84f
Instruction ID: 1bed7ac30e7368332a35a8a5f77a3daed82b37a5a8c364dba0f3f0169289e060
Opcode Fuzzy Hash: eb5eb1eed25adf99cd34a109c5e0b1951bd72f068c2364f4ffe84b42fb7ab84f
Instruction Fuzzy Hash: 99518E31904219AACF15EBE4CD86EEEB779FF04300F100266F515B22A1EB356F48DB52

Function 008D6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 008F0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,008D6C6C,?,00008000), ref: 008F0BB7

Part of subcall function 008D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008D48A1,?,?,008D37C0,?), ref: 008D48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008D6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 008D6E5A

Part of subcall function 008D59CD: _wcscpy.LIBCMT ref: 008D5A05

Part of subcall function 008F387D: _iswctype.LIBCMT ref: 008F3885

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0090E8BF
EA06, xrefs: 0090E87B
Bad directive syntax error, xrefs: 0090EBC6
Unterminated string, xrefs: 0090EC0D
Error opening the file, xrefs: 0090E866, 0090E8E1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0090E84A
AU3!, xrefs: 008D6CC1

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 48e519085459b35d7f45786fbf7e3f36f57b85194464837b72756317532b3815
Instruction ID: a58f73cf7a9e53af7b390a34907c0f4d4aeaec2c76a1d7b2d05812229d7ed005
Opcode Fuzzy Hash: 48e519085459b35d7f45786fbf7e3f36f57b85194464837b72756317532b3815
Instruction Fuzzy Hash: F90258711083459FC724EF28C891AAEBBE5FF99314F144A1EF496972A1EB30D949CB43

Function 008D45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008D45F9
GetMenuItemCount.USER32(00996890), ref: 0090D7CD
GetMenuItemCount.USER32(00996890), ref: 0090D87D
GetCursorPos.USER32(?), ref: 0090D8C1
SetForegroundWindow.USER32(00000000), ref: 0090D8CA
TrackPopupMenuEx.USER32(00996890,00000000,?,00000000,00000000,00000000), ref: 0090D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0090D8E9

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 5228ef222ceb6f1570638235e8120e8866fe1d03683537be6a88c9be7f10527c
Instruction ID: 9a2cd65d1f3c659cbac32df0e509da6f9454a894e8b3c014bcad660c33da3088
Opcode Fuzzy Hash: 5228ef222ceb6f1570638235e8120e8866fe1d03683537be6a88c9be7f10527c
Instruction Fuzzy Hash: 90712770645209BFFB208F55DC89FAABF68FF45368F204216F515A61E1C7B1AC10DB90

Function 009510A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00950038,?,?), ref: 009510BC

Strings

HKCR, xrefs: 00951164
HKCC, xrefs: 0095118A
HKEY_CURRENT_USER, xrefs: 0095119B
HKEY_CURRENT_CONFIG, xrefs: 00951179
HKLM, xrefs: 0095113A
HKEY_CLASSES_ROOT, xrefs: 0095114F
HKU, xrefs: 009511CE
HKEY_LOCAL_MACHINE, xrefs: 00951125
HKEY_USERS, xrefs: 009511BD
HKCU, xrefs: 009511AC

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 7ca2330b5612b2297167b27a947e5a29615d188f074210b38decf3c03318c94b
Instruction ID: a95214c18fc70f1c7ff697f61253cb2b48a8c22c9f4b075f1ff0c0d58faf1d8e
Opcode Fuzzy Hash: 7ca2330b5612b2297167b27a947e5a29615d188f074210b38decf3c03318c94b
Instruction Fuzzy Hash: 39415B3015834E8BCF20FFA5D891AEA3764FF12301F544655EDA19B292DB34AD1ACB61

Function 0092FCB1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0090E6C9,00000010,?,Bad directive syntax error,0095F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0092FCD2
LoadStringW.USER32(00000000,?,0090E6C9,00000010), ref: 0092FCD9

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

_wprintf.LIBCMT ref: 0092FD0C
__swprintf.LIBCMT ref: 0092FD2E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0092FD9D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 0092FD07
Error: , xrefs: 0092FD6B
Line %d (File "%s"):, xrefs: 0092FD43
., xrefs: 0092FD83
Line %d:, xrefs: 0092FD28

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 91de62f0b7f9d813a0a3a4b96489748ffeadfed5e3a42721fb5a2ec4ab735e7c
Instruction ID: 349e1b22a7d3c8653d47b3ddb00e8b6dabfdbcefe1adc328957bb0c15419ceca
Opcode Fuzzy Hash: 91de62f0b7f9d813a0a3a4b96489748ffeadfed5e3a42721fb5a2ec4ab735e7c
Instruction Fuzzy Hash: EF21B13290421EABCF22EFA4CC56EFE7739FF14704F040466F505A21A2EB719A18DB52

Function 00935569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

Part of subcall function 008D7A84: _memmove.LIBCMT ref: 008D7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009355D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009355E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009355F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0093560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0093561C

Strings

play PlayMe wait, xrefs: 00935606
play PlayMe, xrefs: 00935617
close PlayMe, xrefs: 009355E3, 00935610
status PlayMe mode, xrefs: 009355CD
open , xrefs: 00935581
alias PlayMe, xrefs: 009355AB

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 93ec20d324fd1785b76fd7e9859aa17f91ec4f1613fd34804244d446a74ee58d
Instruction ID: 80320b10b32f745538a3090c05f33ddf6e413757b73ba5d043e913536d0a37ca
Opcode Fuzzy Hash: 93ec20d324fd1785b76fd7e9859aa17f91ec4f1613fd34804244d446a74ee58d
Instruction Fuzzy Hash: 6D11942055016979E720B665DC4ADFF7B7CFFD5F04F40056BB401E21D1EE641E05CAA2

Function 009348F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0093490E
gethostname.WSOCK32(?,00000100), ref: 00934928
gethostbyname.WSOCK32(?), ref: 00934935
_wcscpy.LIBCMT ref: 0093495D
_memmove.LIBCMT ref: 00934970
inet_ntoa.WSOCK32(?), ref: 0093497B
_strcat.LIBCMT ref: 00934989
_wcscpy.LIBCMT ref: 009349A0
WSACleanup.WSOCK32 ref: 009349AE
_wcscpy.LIBCMT ref: 009349BC

Strings

0.0.0.0, xrefs: 00934957

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 8f16d0e0c4cd20bc23a142a99fb21193f4818f468d5e191353c08306ea3cdfaf
Instruction ID: 31b282a6ed3ab05f0ee6d4964ec7d9e6ef3c08333f871838dd7b31b4a58b59e9
Opcode Fuzzy Hash: 8f16d0e0c4cd20bc23a142a99fb21193f4818f468d5e191353c08306ea3cdfaf
Instruction Fuzzy Hash: 1511EB31918118ABCB20EB34EC4AFEB77BCEF44721F050176F505D6161EF759A819B52

Function 00935217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0093521C

Part of subcall function 008F0719: timeGetTime.WINMM(?,7694B400,008E0FF9), ref: 008F071D

Sleep.KERNEL32(0000000A), ref: 00935248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0093526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0093528E
SetActiveWindow.USER32 ref: 009352AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009352BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 009352DA
Sleep.KERNEL32(000000FA), ref: 009352E5
IsWindow.USER32 ref: 009352F1
EndDialog.USER32(00000000), ref: 00935302

Strings

BUTTON, xrefs: 00935280

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1e64b250915191ec7f7c041fa7f0500bad8d321f1b6d30e103f15fa2547de7f4
Instruction ID: e9d76c599801249e69990f9e2c6ed9853b7001c8967ad21712aff18efbc1bed9
Opcode Fuzzy Hash: 1e64b250915191ec7f7c041fa7f0500bad8d321f1b6d30e103f15fa2547de7f4
Instruction Fuzzy Hash: 6C21C37022D704AFE7005BB5EC98B2B7B6DEB8A35BF060425F412821B1DB61DC40BF22

Function 0093D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

CoInitialize.OLE32(00000000), ref: 0093D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0093D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0093D8FC
CoCreateInstance.OLE32(00962D7C,00000000,00000001,0098A89C,?), ref: 0093D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0093D9B7
CoTaskMemFree.OLE32(?,?), ref: 0093DA0F
_memset.LIBCMT ref: 0093DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0093DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0093DAAB
CoTaskMemFree.OLE32(00000000), ref: 0093DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0093DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0093DAEB

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: fe168db6f03784960e5f882b99d1bf93d5a47d6b64a9e15cdf7e581426d5bde8
Instruction ID: 188d1d9b1f6575fc805c3dd846bc6981d86f6d6d9476a8fb4fba71f00408a84a
Opcode Fuzzy Hash: fe168db6f03784960e5f882b99d1bf93d5a47d6b64a9e15cdf7e581426d5bde8
Instruction Fuzzy Hash: 60B1F975A00219AFDB04DFA5D898EAEBBB9FF48314F048469F506EB261DB30AD41CF51

Function 0093052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009305A7
SetKeyboardState.USER32(?), ref: 00930612
GetAsyncKeyState.USER32(000000A0), ref: 00930632
GetKeyState.USER32(000000A0), ref: 00930649
GetAsyncKeyState.USER32(000000A1), ref: 00930678
GetKeyState.USER32(000000A1), ref: 00930689
GetAsyncKeyState.USER32(00000011), ref: 009306B5
GetKeyState.USER32(00000011), ref: 009306C3
GetAsyncKeyState.USER32(00000012), ref: 009306EC
GetKeyState.USER32(00000012), ref: 009306FA
GetAsyncKeyState.USER32(0000005B), ref: 00930723
GetKeyState.USER32(0000005B), ref: 00930731

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7d8aa5143ee2937812e3f03efd267fa14e0b1b75248a5c4a5982c59fc4db10c9
Instruction ID: 50ccd1a8150bb4a8286277c35cd9580d30ede7a86c8b3d3d72a616d643a340e9
Opcode Fuzzy Hash: 7d8aa5143ee2937812e3f03efd267fa14e0b1b75248a5c4a5982c59fc4db10c9
Instruction Fuzzy Hash: CD511C60A0878829FB34DBB088757EABFB89F81380F08459DD5C2571C2DA64DB4CCF65

Function 0092C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0092C746
GetWindowRect.USER32(00000000,?), ref: 0092C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0092C7B6
GetDlgItem.USER32(?,00000002), ref: 0092C7C1
GetWindowRect.USER32(00000000,?), ref: 0092C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0092C827
GetDlgItem.USER32(?,000003E9), ref: 0092C835
GetWindowRect.USER32(00000000,?), ref: 0092C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0092C889
GetDlgItem.USER32(?,000003EA), ref: 0092C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0092C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0092C8C1

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f0d8a6904a55f76cc8ced231efacce4701a58ca36abc7b403393635f03c6a1b7
Instruction ID: ee36cd5273971fccbbe29ec03b327a54cbadd5843a4e6df41afdef45403ec2bc
Opcode Fuzzy Hash: f0d8a6904a55f76cc8ced231efacce4701a58ca36abc7b403393635f03c6a1b7
Instruction Fuzzy Hash: F6512FB1B10209AFDF18CFA9DD99AAEBBBAEB88311F14812DF515D7294D7709D008B50

Function 008D201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 008D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008D2036,?,00000000,?,?,?,?,008D16CB,00000000,?), ref: 008D1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008D20D3
KillTimer.USER32(-00000001,?,?,?,?,008D16CB,00000000,?,?,008D1AE2,?,?), ref: 008D216E
DestroyAcceleratorTable.USER32(00000000), ref: 0090BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008D16CB,00000000,?,?,008D1AE2,?,?), ref: 0090BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008D16CB,00000000,?,?,008D1AE2,?,?), ref: 0090BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008D16CB,00000000,?,?,008D1AE2,?,?), ref: 0090BF5A
DeleteObject.GDI32(00000000), ref: 0090BF6C

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d0be54da5a1d3b47206ee63a0a16fae6172362372c11e45f68308182d1345207
Instruction ID: 734fc19d3c193a9710e8f1bd9823ed642188231f67e2c32d04b6ee174b5d206d
Opcode Fuzzy Hash: d0be54da5a1d3b47206ee63a0a16fae6172362372c11e45f68308182d1345207
Instruction Fuzzy Hash: 60619D31118715DFCB25AF1ACD58B29B7F1FF60326F10862AE542876A0C771AC80EF51

Function 008D21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 008D25DB: GetWindowLongW.USER32(?,000000EB), ref: 008D25EC

GetSysColor.USER32(0000000F), ref: 008D21D3

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: eeea387df8b71074010389edf2b4dcb381aacfc07fd163d1f32f80a97cb27a24
Instruction ID: c0ea6cff6a20cc939848548d6d8e9a2cb02019877bb5f971e0de3a8e377aa5dd
Opcode Fuzzy Hash: eeea387df8b71074010389edf2b4dcb381aacfc07fd163d1f32f80a97cb27a24
Instruction Fuzzy Hash: 064190311086449FDB215F29DC58BB97B66FB16332F144366FD65CA2E2C7318C42EB61

Function 0093AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0095F910), ref: 0093AB76
GetDriveTypeW.KERNEL32(00000061,0098A620,00000061), ref: 0093AC40
_wcscpy.LIBCMT ref: 0093AC6A

Strings

unknown, xrefs: 0093AC01
fixed, xrefs: 0093ABBE
cdrom, xrefs: 0093AB92
ramdisk, xrefs: 0093ABEA
removable, xrefs: 0093ABA8
network, xrefs: 0093ABD4
all, xrefs: 0093AB7C

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 45280b8ad8d603025d107cc81811377d91e71925df0742f57a4b8dc59b1f593e
Instruction ID: f3da8230815c4fb4ddfb50f7bfa166cf5d31fbb939ea40ef5b41e0e1955d8c6a
Opcode Fuzzy Hash: 45280b8ad8d603025d107cc81811377d91e71925df0742f57a4b8dc59b1f593e
Instruction Fuzzy Hash: 255199301083059FC720EF28C891AAEB7A9FF91304F10492AF4D6972A2EB359D49CB53

Function 008D9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 008D99C2
__swprintf.LIBCMT ref: 008D9A0C
__i64tow.LIBCMT ref: 0090FA0F

Strings

0x%p, xrefs: 0090F9F1
%.15g, xrefs: 008D9A06
False, xrefs: 0090F9D7
True, xrefs: 0090F9D0

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 215c86eabe379f132ff24836810a450d366f0d53c071527d1601ea01004a17b0
Instruction ID: b5cb0fb94b00cd52971abd8eae64cc580988c75daadd93aa8b48d5ce5b0c08cc
Opcode Fuzzy Hash: 215c86eabe379f132ff24836810a450d366f0d53c071527d1601ea01004a17b0
Instruction Fuzzy Hash: 9D41F271604209BEEB34AB38D852F7A77E8FB44304F20456FE689D7391EE3199418B12

Function 009573C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009573D9
CreateMenu.USER32 ref: 009573F4
SetMenu.USER32(?,00000000), ref: 00957403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00957490
IsMenu.USER32(?), ref: 009574A6
CreatePopupMenu.USER32 ref: 009574B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009574DD
DrawMenuBar.USER32 ref: 009574E5

Strings

F, xrefs: 009574D1
0, xrefs: 009573CF

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 4ee17ec899e79d31822ad28f39cbfef396cff8857683bce66e593686b1d4846d
Instruction ID: 7e1c30c7c52951f28f24f3d440d45074c3dcdd390505862432e48b058cf34ea0
Opcode Fuzzy Hash: 4ee17ec899e79d31822ad28f39cbfef396cff8857683bce66e593686b1d4846d
Instruction Fuzzy Hash: 2E416A74A04205EFDB10DFAAE884EAABBFAFF49351F140429FD0597360D730AA14DB50

Function 0095772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009577CD
CreateCompatibleDC.GDI32(00000000), ref: 009577D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009577E7
SelectObject.GDI32(00000000,00000000), ref: 009577EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 009577FA
DeleteDC.GDI32(00000000), ref: 00957803
GetWindowLongW.USER32(?,000000EC), ref: 0095780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00957821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0095782D

Strings

static, xrefs: 00957765

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 337d4a1737100f9ec8bc6f8c37f32933c4e017e917c49e704a051e569f744462
Instruction ID: 6c468aa79ffa58a1329e084202f6026935e123e68e016afa7a056191bdfdc5de
Opcode Fuzzy Hash: 337d4a1737100f9ec8bc6f8c37f32933c4e017e917c49e704a051e569f744462
Instruction Fuzzy Hash: BA319C32119214ABDF119FA6EC18FDA3B6DEF0D332F100224FA15920A0C7319815EBA4

Function 008F7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008F707B

Part of subcall function 008F8D68: __getptd_noexit.LIBCMT ref: 008F8D68

__gmtime64_s.LIBCMT ref: 008F7114
__gmtime64_s.LIBCMT ref: 008F714A
__gmtime64_s.LIBCMT ref: 008F7167
__allrem.LIBCMT ref: 008F71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008F71D9
__allrem.LIBCMT ref: 008F71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008F720E
__allrem.LIBCMT ref: 008F7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008F7243
__invoke_watson.LIBCMT ref: 008F72B4

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: cb98adcfd6d0b827bc88b54009ec6f437519a0cfffd369ceac9761ca5d34408a
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 2D71B671A04B1BABF7149E79CC41B7AB3A8FF54324F14422AFA15D66C1EB70DA508790

Function 00932A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00932A31
GetMenuItemInfoW.USER32(00996890,000000FF,00000000,00000030), ref: 00932A92
SetMenuItemInfoW.USER32(00996890,00000004,00000000,00000030), ref: 00932AC8
Sleep.KERNEL32(000001F4), ref: 00932ADA
GetMenuItemCount.USER32(?), ref: 00932B1E
GetMenuItemID.USER32(?,00000000), ref: 00932B3A
GetMenuItemID.USER32(?,-00000001), ref: 00932B64
GetMenuItemID.USER32(?,?), ref: 00932BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00932BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00932C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00932C24

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: c8f7d0e87f83840a11aebd60eb2eea37f989a9221ae83be348248a3c963405e8
Instruction ID: c199c4941697658ff36fe33d20d1a1542c982ff397dbf29db4d35d7eeb345305
Opcode Fuzzy Hash: c8f7d0e87f83840a11aebd60eb2eea37f989a9221ae83be348248a3c963405e8
Instruction Fuzzy Hash: CC619DB0914249AFDB21CF64D888EBEBBB8EB41314F140599F841E7251E735AD45EF21

Function 00957192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00957214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00957217
GetWindowLongW.USER32(?,000000F0), ref: 0095723B
_memset.LIBCMT ref: 0095724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0095725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009572D6

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 7336fedc0a3990dbb96a68bf5cdc1caca51f1fa7a7f5872f95f5870299cb1cf1
Instruction ID: ac6f11b6b43193d512bd3aad581d41397b2486c0c6d43ec2be7a75d5269169b6
Opcode Fuzzy Hash: 7336fedc0a3990dbb96a68bf5cdc1caca51f1fa7a7f5872f95f5870299cb1cf1
Instruction Fuzzy Hash: E9618B71904208AFDB10DFA9DC81EEEB7F8EB09710F14015AFE14A72A1D770AE45DBA0

Function 0092710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00927135
SafeArrayAllocData.OLEAUT32(?), ref: 0092718E
VariantInit.OLEAUT32(?), ref: 009271A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 009271C0
VariantCopy.OLEAUT32(?,?), ref: 00927213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00927227
VariantClear.OLEAUT32(?), ref: 0092723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00927249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00927252
VariantClear.OLEAUT32(?), ref: 00927264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0092726F

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 49ce0514f20d76f30559703d9322ba5d2197bb3d960cbe1e959c271365c09b03
Instruction ID: de1e5fe39e6ff30410b9f3df429615becca7f91fa55ed1015bbdc1e413c51073
Opcode Fuzzy Hash: 49ce0514f20d76f30559703d9322ba5d2197bb3d960cbe1e959c271365c09b03
Instruction Fuzzy Hash: 65414135904229EFCF00EFA9D858DAEBBB9FF48355F008069F955E7261CB30A945DB90

Function 00945A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00945AA6
inet_addr.WSOCK32(?,?,?), ref: 00945AEB
gethostbyname.WSOCK32(?), ref: 00945AF7
IcmpCreateFile.IPHLPAPI ref: 00945B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00945B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00945B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00945C00
WSACleanup.WSOCK32 ref: 00945C06

Strings

Ping, xrefs: 00945B29

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 9ee7a6f08287010709fb635efeab24b11f7f4034c8ec26765ba32cbd8265e03c
Instruction ID: e50c7be3d1dc556383e2263819fabdb752c261b92cbb99a419a13a533a6b2a4e
Opcode Fuzzy Hash: 9ee7a6f08287010709fb635efeab24b11f7f4034c8ec26765ba32cbd8265e03c
Instruction Fuzzy Hash: 1E5191316187009FD711AF65CC55F2ABBE4EF48720F15892AF556DB2A2DB74EC00DB42

Function 0093B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0093B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0093B7B1
GetLastError.KERNEL32 ref: 0093B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0093B828

Strings

NOTREADY, xrefs: 0093B7E7
UNKNOWN, xrefs: 0093B7E0
INVALID, xrefs: 0093B7FA
READY, xrefs: 0093B801
READONLY, xrefs: 0093B7F3

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: dbd3d59a70ccb4d87171923f78643d462cda26225de34be39ccc7577312b07b5
Instruction ID: d2e8416881b0c4b3c043b22a4d290ca6ecf1c507f54509b98e43e7595cec6d0b
Opcode Fuzzy Hash: dbd3d59a70ccb4d87171923f78643d462cda26225de34be39ccc7577312b07b5
Instruction Fuzzy Hash: 02319335A00209AFDB10EF68C885ABE7BB8FF84754F14412AF602D7391DB759942CF91

Function 00929471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 0092B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0092B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 009294F6
GetDlgCtrlID.USER32 ref: 00929501
GetParent.USER32 ref: 0092951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00929520
GetDlgCtrlID.USER32(?), ref: 00929529
GetParent.USER32(?), ref: 00929545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00929548

Strings

ListBox, xrefs: 009294B3
ComboBox, xrefs: 0092947E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 5845f50df6613dd662ee221d49fa8e799e0ef0fbb7bc020be6960917b409539f
Instruction ID: 769943ab54caec7f6ff8059178a641af7aeb5f3aabee278c0e6d40ad7762a3b0
Opcode Fuzzy Hash: 5845f50df6613dd662ee221d49fa8e799e0ef0fbb7bc020be6960917b409539f
Instruction Fuzzy Hash: 70210670A00218BBCF01AB65DC95EFEBBB8FF45310F100116B962972E6DB755919DB20

Function 0092955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 0092B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0092B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009295DF
GetDlgCtrlID.USER32 ref: 009295EA
GetParent.USER32 ref: 00929606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00929609
GetDlgCtrlID.USER32(?), ref: 00929612
GetParent.USER32(?), ref: 0092962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00929631

Strings

ListBox, xrefs: 0092959E
ComboBox, xrefs: 00929569

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 76743fb12b14714d8494e31a151680f3df6ddefbd8b3770442c3b979c23fe272
Instruction ID: d1b709a7c2ac5996ab6bda0355e8b85ed949f506ec1d9463741d04511315c3d6
Opcode Fuzzy Hash: 76743fb12b14714d8494e31a151680f3df6ddefbd8b3770442c3b979c23fe272
Instruction Fuzzy Hash: 3C21D474A00218BBDF01AB65DCD5EFEBBB8FF48310F140116F921972A5DB759919DB20

Function 00929645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00929651
GetClassNameW.USER32(00000000,?,00000100), ref: 00929666
_wcscmp.LIBCMT ref: 00929678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009296F3

Strings

list, xrefs: 009296D5
largeicons, xrefs: 00929687
smallicons, xrefs: 009296BB
details, xrefs: 009296A1
SHELLDLL_DefView, xrefs: 00929672

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: acb8e61dea35252b6bb143b76d1e93f6ebb7c438d13fe359ca41106c0b00a68f
Instruction ID: 9b85fdc53e51227ccee87ac7a825af1438f0b540e1b4abb5cc51f1ec4d3c5137
Opcode Fuzzy Hash: acb8e61dea35252b6bb143b76d1e93f6ebb7c438d13fe359ca41106c0b00a68f
Instruction Fuzzy Hash: 5111067624832BBAFA013635FC1ADB677DCDF05374F200026FE01E50D5FEA5A9505A59

Function 00948BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00948BEC
CoInitialize.OLE32(00000000), ref: 00948C19
CoUninitialize.OLE32 ref: 00948C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00948D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00948E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00962C0C), ref: 00948E84
CoGetObject.OLE32(?,00000000,00962C0C,?), ref: 00948EA7
SetErrorMode.KERNEL32(00000000), ref: 00948EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00948F3A
VariantClear.OLEAUT32(?), ref: 00948F4A

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 078895433c47e226ff48036c842008af77756b791e575afb498e5a9ab9a3a815
Instruction ID: c7dd7df549d036c372a96f49be5f59a1f52041313a0dd576c23e1fea4b70dfa5
Opcode Fuzzy Hash: 078895433c47e226ff48036c842008af77756b791e575afb498e5a9ab9a3a815
Instruction Fuzzy Hash: 4FC1F071608305AFC700EF68C88492BB7E9FF89758F00496DF58A9B251DB71ED05CB52

Function 00937C1A Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00937CF6

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: e30624dfdaf7186739abf27ce951dee9908d0c3b75bdbc47f8d3247bb29819cd
Instruction ID: 820b5e2259bf2f284be26589d475620bdf408033fc79e38ea52d0b3c2892403c
Opcode Fuzzy Hash: e30624dfdaf7186739abf27ce951dee9908d0c3b75bdbc47f8d3247bb29819cd
Instruction Fuzzy Hash: 94B17DB190821A9FDB20DFE8C485BBEB7B8FF49321F204469E650E7291D7349941CFA1

Function 00934189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0093419D
__swprintf.LIBCMT ref: 009341AA

Part of subcall function 008F38D8: __woutput_l.LIBCMT ref: 008F3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 009341D4
LoadResource.KERNEL32(?,00000000), ref: 009341E0
LockResource.KERNEL32(00000000), ref: 009341ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0093420D
LoadResource.KERNEL32(?,00000000), ref: 0093421F
SizeofResource.KERNEL32(?,00000000), ref: 0093422E
LockResource.KERNEL32(?), ref: 0093423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0093429B

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 828cf22486969beb7b215c12728f09913f0611109d2ac4daf0654797829a7035
Instruction ID: d5ec9c966c69c508ba9a08144c8d9f814ba61fc9e654edd14841ffbacc5aace1
Opcode Fuzzy Hash: 828cf22486969beb7b215c12728f09913f0611109d2ac4daf0654797829a7035
Instruction Fuzzy Hash: 2431CEB161920AABCB019FA1DC98EBF7BACEF04311F014425F925E2150E734EA519BA1

Function 008DFBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008DFC06
OleUninitialize.OLE32(?,00000000), ref: 008DFCA5
UnregisterHotKey.USER32(?), ref: 008DFDFC
DestroyWindow.USER32(?), ref: 00914A00
FreeLibrary.KERNEL32(?), ref: 00914A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00914A92

Strings

close all, xrefs: 008DFC01

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: fb25c7e42c3ff76d52a0c16ab991eb7941b2440abb08172edc0fecd67e53f14e
Instruction ID: 045412f97ded9cc562f4f9e51cad1458d5bf8c1480acc2583d1d4e6037401576
Opcode Fuzzy Hash: fb25c7e42c3ff76d52a0c16ab991eb7941b2440abb08172edc0fecd67e53f14e
Instruction Fuzzy Hash: 47A16A307012268FCB29EF15C494B69F768FF08710F1542AEE90AEB262DB30AD56DF55

Function 0092A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0092AA64), ref: 0092A9A2

Strings

CLASS, xrefs: 0092A721
CLASSNN, xrefs: 0092A744
REGEXPCLASS, xrefs: 0092A767
TEXT, xrefs: 0092A8D9
NAME, xrefs: 0092A7D4
INSTANCE, xrefs: 0092A8B0

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: fd188792b2617ec4aa8eccd762cc6a5faa45d116f836392e08cc4ff7d3d460bd
Instruction ID: 478fc39edc082877840723c54fcc61787560e1a157895c08a639b7b1f05c0c38
Opcode Fuzzy Hash: fd188792b2617ec4aa8eccd762cc6a5faa45d116f836392e08cc4ff7d3d460bd
Instruction Fuzzy Hash: 7B91C53190061ADBCB18EF74D481BF9FB78FF04304F508129D98AE7245DB306999CBA2

Function 008D2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 008D2EAE

Part of subcall function 008D1DB3: GetClientRect.USER32(?,?), ref: 008D1DDC
Part of subcall function 008D1DB3: GetWindowRect.USER32(?,?), ref: 008D1E1D
Part of subcall function 008D1DB3: ScreenToClient.USER32(?,?), ref: 008D1E45

GetDC.USER32 ref: 0090CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0090CF95
SelectObject.GDI32(00000000,00000000), ref: 0090CFA3
SelectObject.GDI32(00000000,00000000), ref: 0090CFB8
ReleaseDC.USER32(?,00000000), ref: 0090CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0090D04B

Strings

U, xrefs: 0090CF20

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 6d8dc0140cbe3fa13fc4fbb30fb7877f36be43c70e4169a9e6af1ca4cb3029b9
Instruction ID: 961702889541f84b5b191a63f341b3418c1501f192eca46db7057a2f2274e96d
Opcode Fuzzy Hash: 6d8dc0140cbe3fa13fc4fbb30fb7877f36be43c70e4169a9e6af1ca4cb3029b9
Instruction Fuzzy Hash: 9871F771500205EFCF21DF64C884ABA7BBAFF48364F14436AED55962A6C7318C41DF61

Function 0095C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

Part of subcall function 008D2344: GetCursorPos.USER32(?), ref: 008D2357
Part of subcall function 008D2344: ScreenToClient.USER32(009967B0,?), ref: 008D2374
Part of subcall function 008D2344: GetAsyncKeyState.USER32(00000001), ref: 008D2399
Part of subcall function 008D2344: GetAsyncKeyState.USER32(00000002), ref: 008D23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0095C2E4
ImageList_EndDrag.COMCTL32 ref: 0095C2EA
ReleaseCapture.USER32 ref: 0095C2F0
SetWindowTextW.USER32(?,00000000), ref: 0095C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0095C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0095C48F

Strings

@GUI_DRAGFILE, xrefs: 0095C424
@GUI_DROPID, xrefs: 0095C3E1

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 77ab7e11ceb0661608f79977ec1082c655170d9ee80760a9a72bd34dce6f3cf8
Instruction ID: 899a608f590157710c59053d066ed3a72878f22ec76e83f5c6dba2a8c8d4bbaa
Opcode Fuzzy Hash: 77ab7e11ceb0661608f79977ec1082c655170d9ee80760a9a72bd34dce6f3cf8
Instruction Fuzzy Hash: 3051AC70218304AFDB10EF29C855F6A7BE5FB88315F04462EF9918B2F1DB30A949DB52

Function 00948F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0095F910), ref: 0094903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0095F910), ref: 00949071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009491EB
SysFreeString.OLEAUT32(?), ref: 00949215

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 9d79744ca6f3adecdaacf92b328aea0bd64b434ee19213575cde950d4efddd39
Instruction ID: a81db9a925529c752259133bd0cd38fc69d2c2168b71b105461b4a38f6dfc96d
Opcode Fuzzy Hash: 9d79744ca6f3adecdaacf92b328aea0bd64b434ee19213575cde950d4efddd39
Instruction Fuzzy Hash: 93F15E71A00219EFCF04DF94C888EAEB7B9FF89315F108599F516AB290DB31AE45CB50

Function 0094F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0094F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0094FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0094FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0094FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0094FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0094FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0094FD90
CloseHandle.KERNEL32(?), ref: 0094FDBF
CloseHandle.KERNEL32(?), ref: 0094FE36

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 5c64d193e923a81eb743b549a01aa9569248c9e43ade8013faa123e91b9c82a4
Instruction ID: 121495971ebcfebcb5442164d39cc43aaff47e0b3b07ef03596793043ac130fb
Opcode Fuzzy Hash: 5c64d193e923a81eb743b549a01aa9569248c9e43ade8013faa123e91b9c82a4
Instruction Fuzzy Hash: 40E19031604242DFCB14EF28C4A1E6ABBE5FF85354F14896DF9998B2A2DB31DC44CB52

Function 00934F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009348AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009338D3,?), ref: 009348C7

Part of subcall function 009348AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009338D3,?), ref: 009348E0

Part of subcall function 00934CD3: GetFileAttributesW.KERNEL32(?,00933947), ref: 00934CD4

lstrcmpiW.KERNEL32(?,?), ref: 00934FE2
_wcscmp.LIBCMT ref: 00934FFC
MoveFileW.KERNEL32(?,?), ref: 00935017

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: bb30ba51a860ceb9b443df61b2c5f636abda498feed874736df7af09c8bd4348
Instruction ID: b4c50bdcbe11c0c65ee028c5686e57d7deef0a75c3695fdcaeb266a7fc17d04c
Opcode Fuzzy Hash: bb30ba51a860ceb9b443df61b2c5f636abda498feed874736df7af09c8bd4348
Instruction Fuzzy Hash: AB5144B200C7859BC724DBA4C8819DFB3ECEF85351F10492EB289D3151EE75A6888B67

Function 009588B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0095896E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a876474d616032efb9acca0833c336be15d67839691ed61e03aac9b42109f9ea
Instruction ID: f9272e586302fa8c9ed42c77e71df0da7148a5ad34dd4a689d83a89fdf97b9f1
Opcode Fuzzy Hash: a876474d616032efb9acca0833c336be15d67839691ed61e03aac9b42109f9ea
Instruction Fuzzy Hash: BE51B830504208BFDF20DF2ACC85B6B7B69FB05362F504516FE15F61A1DF71A9889B81

Function 008D2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0090C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0090C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0090C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0090C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0090C5C0
DestroyIcon.USER32(00000000), ref: 0090C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0090C5EC
DestroyIcon.USER32(?), ref: 0090C5FB

Part of subcall function 0095A71E: DeleteObject.GDI32(00000000), ref: 0095A757

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 338b2d15716b26450da098d74cb66cee294469527023786d9d74169ab2d94747
Instruction ID: 97a4d28d8edf9acd4b9394f63f2704b5b0d65601ea685cebd5c64871c3cc249c
Opcode Fuzzy Hash: 338b2d15716b26450da098d74cb66cee294469527023786d9d74169ab2d94747
Instruction Fuzzy Hash: 5F514974614209EFDB20DF25DC45BAA77B9FB58361F10062AF902D72A0DBB0ED90EB50

Function 00929B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0092AE77
Part of subcall function 0092AE57: GetCurrentThreadId.KERNEL32 ref: 0092AE7E
Part of subcall function 0092AE57: AttachThreadInput.USER32(00000000,?,00929B65,?,00000001), ref: 0092AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00929B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00929B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00929B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00929B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00929BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00929BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00929BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00929BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00929BDD

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 0635da8eb403e9a0775220dd9e7c5e857e046fe30d097a0645dab02f31ad4b2f
Instruction ID: 9a4e637aa9830d14c9d30b79b06e948a8ecc605ff1999cb11e36366a086dead2
Opcode Fuzzy Hash: 0635da8eb403e9a0775220dd9e7c5e857e046fe30d097a0645dab02f31ad4b2f
Instruction Fuzzy Hash: 0511E171564618BFF7106B61EC8AF6A3B2DEB4C766F110425F244AB0A0C9F25C10EBA4

Function 00928E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00928A84,00000B00,?,?), ref: 00928E0C
HeapAlloc.KERNEL32(00000000,?,00928A84,00000B00,?,?), ref: 00928E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00928A84,00000B00,?,?), ref: 00928E28
GetCurrentProcess.KERNEL32(?,00000000,?,00928A84,00000B00,?,?), ref: 00928E30
DuplicateHandle.KERNEL32(00000000,?,00928A84,00000B00,?,?), ref: 00928E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00928A84,00000B00,?,?), ref: 00928E43
GetCurrentProcess.KERNEL32(00928A84,00000000,?,00928A84,00000B00,?,?), ref: 00928E4B
DuplicateHandle.KERNEL32(00000000,?,00928A84,00000B00,?,?), ref: 00928E4E
CreateThread.KERNEL32(00000000,00000000,00928E74,00000000,00000000,00000000), ref: 00928E68

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 97a3fea865031ac2508772dccd5c0d782fde76aff770905da8171514500c6d5e
Instruction ID: f11369d5a785db0fa316710c0e6733b1fb12d16c35a4d8ec1bf91c90a4946d08
Opcode Fuzzy Hash: 97a3fea865031ac2508772dccd5c0d782fde76aff770905da8171514500c6d5e
Instruction Fuzzy Hash: 3E01BFB5654704FFE710AB75EC4DF5B3B6CEB89711F014421FA05DB191CA709800DB20

Function 00949428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0094947C
VariantInit.OLEAUT32(?), ref: 0094954D
VariantInit.OLEAUT32(?), ref: 0094964E
VariantClear.OLEAUT32(?), ref: 00949658
VariantClear.OLEAUT32(?), ref: 009496B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00949631
Null Object assignment in FOR..IN loop, xrefs: 009494DD, 0094960B, 009496C3

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: f9303d62a5f17e675ef67a95e15461d8aefe54ff722aa6e0e24c769ec9607d59
Instruction ID: d57593983bc782f5075fc739014cef96f70a5f37fa766414b15c8b32f0fa4363
Opcode Fuzzy Hash: f9303d62a5f17e675ef67a95e15461d8aefe54ff722aa6e0e24c769ec9607d59
Instruction Fuzzy Hash: 0791CE71A00219AFDF24DFA5C848FAFBBB8EF85314F10855AF915AB290D7749901CFA0

Function 00949A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00927652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?,?,?,0092799D), ref: 0092766F
Part of subcall function 00927652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?,?), ref: 0092768A
Part of subcall function 00927652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?,?), ref: 00927698
Part of subcall function 00927652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?), ref: 009276A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00949B1B
_memset.LIBCMT ref: 00949B28
_memset.LIBCMT ref: 00949C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00949C97
CoTaskMemFree.OLE32(?), ref: 00949CA2

Strings

NULL Pointer assignment, xrefs: 00949CF0

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 370dadb4100dc8f2b6bc74020bfde620d05803a191288e34d47bdcb0583fd8b2
Instruction ID: 6ded148a7491c6cf35c7fa0e22d64ab9ca6963e96ffa69ef9d72a99f3125d426
Opcode Fuzzy Hash: 370dadb4100dc8f2b6bc74020bfde620d05803a191288e34d47bdcb0583fd8b2
Instruction Fuzzy Hash: ED912571D00229ABDB10DFA5DC81EDEBBB9FF08310F20415AF519A7281EB319A44CFA1

Function 00956FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00957093
SendMessageW.USER32(?,00001036,00000000,?), ref: 009570A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009570C1
_wcscat.LIBCMT ref: 0095711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00957133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00957161

Strings

SysListView32, xrefs: 00957065

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 127b7e853cf601c4b0ab1ff59e89a7c68892b16922d1446821f78203dfd6dc07
Instruction ID: 9a14542ec94d5119e1a729e919f3ab29714d4fe2d76dea6a4c62c2ee179dd868
Opcode Fuzzy Hash: 127b7e853cf601c4b0ab1ff59e89a7c68892b16922d1446821f78203dfd6dc07
Instruction Fuzzy Hash: 92418F71A04308ABDB21DFB5DC85BEAB7E8EF48355F10052AF944E7291D6719E888B60

Function 0094EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00933E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00933EB6
Part of subcall function 00933E91: Process32FirstW.KERNEL32(00000000,?), ref: 00933EC4
Part of subcall function 00933E91: CloseHandle.KERNEL32(00000000), ref: 00933F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0094ECB8
GetLastError.KERNEL32 ref: 0094ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0094ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0094ED77
GetLastError.KERNEL32(00000000), ref: 0094ED82
CloseHandle.KERNEL32(00000000), ref: 0094EDB7

Strings

SeDebugPrivilege, xrefs: 0094ECD6

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 32e8e4c9a5c540d11597273d2566aa907e122d45ab22f18c51c135c4d3f6c03b
Instruction ID: 402ae15890f824f61732231fe888dc0ae156d45b07c96455879a91bfdf089979
Opcode Fuzzy Hash: 32e8e4c9a5c540d11597273d2566aa907e122d45ab22f18c51c135c4d3f6c03b
Instruction Fuzzy Hash: 2A419A716042109FDB14EF28CC95F6EB7A5BF80714F088459F9829B2D2DB75A804CB96

Function 00933226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 009332C5

Strings

info, xrefs: 00933266
stop, xrefs: 00933296
question, xrefs: 0093327E
warning, xrefs: 009332AE
blank, xrefs: 00933247

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9bf69f6f3b138ceee70dcb1638c52c3e13f1c89f47ae1272e1fb92200a5e6d2b
Instruction ID: 65321a41cfa93936f875d656da20933b74f40c471a69a8a448506cda3db60a33
Opcode Fuzzy Hash: 9bf69f6f3b138ceee70dcb1638c52c3e13f1c89f47ae1272e1fb92200a5e6d2b
Instruction Fuzzy Hash: E2110D3568C34A7BE7015B65DC43C6BB39CEF19374F10402AF52196281D7759B804FB6

Function 00934534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0093454E
LoadStringW.USER32(00000000), ref: 00934555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0093456B
LoadStringW.USER32(00000000), ref: 00934572
_wprintf.LIBCMT ref: 00934598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009345B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00934593

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 3aac6418ffc0a9ba4ed8672e8301c50d40d95b3fc990de2988f763185634a8aa
Instruction ID: e610336130bf61fbc7b5e7e65021faf231f108b96c94a559c1d02b6fe762bb03
Opcode Fuzzy Hash: 3aac6418ffc0a9ba4ed8672e8301c50d40d95b3fc990de2988f763185634a8aa
Instruction Fuzzy Hash: 9A014FF290430CBFE711A7A5DD89EFB776CEB08312F0005A5BB45D2051EA749E858B71

Function 0095D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

GetSystemMetrics.USER32(0000000F), ref: 0095D78A
GetSystemMetrics.USER32(0000000F), ref: 0095D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0095D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0095DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0095DA24
ShowWindow.USER32(00000003,00000000), ref: 0095DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0095DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 0095DA8B

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: a62c733a8c27c6dd6bd197057ebfbbc280bd2563853c3c337bf4095a41342b84
Instruction ID: c1a592af52ac8a3f0f6028f2c529d71b651ae88c71775d973c8c871f6fa8d8ac
Opcode Fuzzy Hash: a62c733a8c27c6dd6bd197057ebfbbc280bd2563853c3c337bf4095a41342b84
Instruction Fuzzy Hash: EDB1DA71602215EFDF24CF6AC9947BE7BB5FF08702F088069EC489B295D734A958CB90

Function 008D2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0090C417,00000004,00000000,00000000,00000000), ref: 008D2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0090C417,00000004,00000000,00000000,00000000,000000FF), ref: 008D2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0090C417,00000004,00000000,00000000,00000000), ref: 0090C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0090C417,00000004,00000000,00000000,00000000), ref: 0090C4D6

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 11687efd34c8d2fe11a99ddd3946f3be9bc0ba028fa5f2a3c34f0a8468ae84f5
Instruction ID: 5d072d1df8b08348e5f202028a72d1a28636aa8208d90dd259fd1d6567c3d8b7
Opcode Fuzzy Hash: 11687efd34c8d2fe11a99ddd3946f3be9bc0ba028fa5f2a3c34f0a8468ae84f5
Instruction Fuzzy Hash: FE4105303187949EC7358B298C9CB7A7B96FBA5324F588A1BE047C67B0C675A881E710

Function 00937368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0093737F

Part of subcall function 008F0FF6: std::exception::exception.LIBCMT ref: 008F102C
Part of subcall function 008F0FF6: __CxxThrowException@8.LIBCMT ref: 008F1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 009373B6
EnterCriticalSection.KERNEL32(?), ref: 009373D2
_memmove.LIBCMT ref: 00937420
_memmove.LIBCMT ref: 0093743D
LeaveCriticalSection.KERNEL32(?), ref: 0093744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00937461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00937480

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: aa981fd92d692b7e85b86585c985ebd347fc6922c35d1904efa644a04871b220
Instruction ID: 93a9b1364d1332c2bc019e400f669f7800e52de5d6251c1b7be9e330de07167d
Opcode Fuzzy Hash: aa981fd92d692b7e85b86585c985ebd347fc6922c35d1904efa644a04871b220
Instruction Fuzzy Hash: CB317071904205EBCF10DFA9DC89AAFBBB8FF44711F1441A5FA04DB296DB309A10DBA1

Function 00956442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0095645A
GetDC.USER32(00000000), ref: 00956462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0095646D
ReleaseDC.USER32(00000000,00000000), ref: 00956479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009564B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009564C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00959299,?,?,000000FF,00000000,?,000000FF,?), ref: 00956500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00956520

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e0ea5ad6c3f838ccb522cf7a8383ad1e352f6648315e4ac1fab88d581ee20708
Instruction ID: e33fdd96c9e3faa88618f8e00d5f61bf769131c45fd0b87334e33d1ef35aadde
Opcode Fuzzy Hash: e0ea5ad6c3f838ccb522cf7a8383ad1e352f6648315e4ac1fab88d581ee20708
Instruction Fuzzy Hash: 97318D72215214BFEF108F11CC4AFEB3FADEF09766F040065FE089A191D6759842CB60

Function 0092C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0092C087
_memcmp.LIBCMT ref: 0092C0A9
_memcmp.LIBCMT ref: 0092C0C1
_memcmp.LIBCMT ref: 0092C0D4
_memcmp.LIBCMT ref: 0092C0EE
_memcmp.LIBCMT ref: 0092C101
_memcmp.LIBCMT ref: 0092C119
_memcmp.LIBCMT ref: 0092C134

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9a74799085ca5bf9ef76cf30976ef769522fb32bdc085118cba7aae79fe62014
Instruction ID: 13fcdbe2bd46aad93df2a042b37884b2300dbec41a1d8da2b11f5a516cce8b35
Opcode Fuzzy Hash: 9a74799085ca5bf9ef76cf30976ef769522fb32bdc085118cba7aae79fe62014
Instruction Fuzzy Hash: 1D21C5E1684629B7DA14A735AC46FBF339CEF70799B040020FE05D62C7E759DD2181A6

Function 0093ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

Part of subcall function 008EFEC6: _wcscpy.LIBCMT ref: 008EFEE9

_wcstok.LIBCMT ref: 0093EEFF
_wcscpy.LIBCMT ref: 0093EF8E
_memset.LIBCMT ref: 0093EFC1

Strings

X, xrefs: 0093EFFE

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 3ca1320d650749d78950d51ea0ebb0ee4fda3bade7996511e2512954e6f36a34
Instruction ID: 9fca097b5fb82d4c02491ed4d8fc218d1172441cae4f1fde280209cd87557833
Opcode Fuzzy Hash: 3ca1320d650749d78950d51ea0ebb0ee4fda3bade7996511e2512954e6f36a34
Instruction Fuzzy Hash: F4C119715087419FC724EF28D895A6AB7E4FF85310F044A2EF899973A2DB70ED45CB82

Function 00946E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00946F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00946F35
WSAGetLastError.WSOCK32(00000000), ref: 00946F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00946FFE
inet_ntoa.WSOCK32(?), ref: 00946FBB

Part of subcall function 0092AE14: _strlen.LIBCMT ref: 0092AE1E
Part of subcall function 0092AE14: _memmove.LIBCMT ref: 0092AE40

_strlen.LIBCMT ref: 00947058
_memmove.LIBCMT ref: 009470C1

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 26fa6d50fc039c96d0fc0b54ecbad4be4f78e034359a9fea408fc13897156e88
Instruction ID: 10416b602624d8a5d5865876443649ea28808228e793232903e255fb01639db9
Opcode Fuzzy Hash: 26fa6d50fc039c96d0fc0b54ecbad4be4f78e034359a9fea408fc13897156e88
Instruction Fuzzy Hash: 7681EF71108300ABD710EF68CC86F6BB7E9EF84724F104A1EF5559B2A2DB70AD04CB92

Function 008D1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edece54643b447409d759252d084299f045aaf93a3d3871bc5f0ec5777784a2
Instruction ID: 7f65a58d7afb5a1199f4821ff10a9da9b5bf65a9bd9b1cb3f0b631541a94154e
Opcode Fuzzy Hash: 4edece54643b447409d759252d084299f045aaf93a3d3871bc5f0ec5777784a2
Instruction Fuzzy Hash: 8C714B30904109FFCF049F99C849AAEBB7AFF85324F14825AF915AB351C734AA51CBA5

Function 0095B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(015676F8), ref: 0095B6A5
IsWindowEnabled.USER32(015676F8), ref: 0095B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0095B795
SendMessageW.USER32(015676F8,000000B0,?,?), ref: 0095B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0095B809
GetWindowLongW.USER32(015676F8,000000EC), ref: 0095B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0095B843

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 9eb5b22bf60adc1dde7e4cf520f5e624d579775c2a3b2b3ac42338cdef4d383b
Instruction ID: a895e0ecbd20efbff94687cbeadc8793a3cb76a97fc905b58d5939a80186fff2
Opcode Fuzzy Hash: 9eb5b22bf60adc1dde7e4cf520f5e624d579775c2a3b2b3ac42338cdef4d383b
Instruction Fuzzy Hash: 6371BB34605304AFDB20DF66C8A4FAABBF9FF89352F144469FD45972A1C731A848DB10

Function 0094F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0094F75C
_memset.LIBCMT ref: 0094F825
ShellExecuteExW.SHELL32(?), ref: 0094F86A

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

Part of subcall function 008EFEC6: _wcscpy.LIBCMT ref: 008EFEE9

GetProcessId.KERNEL32(00000000), ref: 0094F8E1
CloseHandle.KERNEL32(00000000), ref: 0094F910

Strings

@, xrefs: 0094F839

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: c82eee7e3fcde8c9ebc21b8d5c1579465238792d7b43fbb725d3756728c27005
Instruction ID: 6982b11894ba824591fb8afd2f7c124e0d3ae5bb7413b4152e691fbbfd620450
Opcode Fuzzy Hash: c82eee7e3fcde8c9ebc21b8d5c1579465238792d7b43fbb725d3756728c27005
Instruction Fuzzy Hash: A5619075A0061AEFCF14EF68C5909AEBBF5FF48310F14856AE846AB351CB30AD40CB91

Function 0093145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0093149C
GetKeyboardState.USER32(?), ref: 009314B1
SetKeyboardState.USER32(?), ref: 00931512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00931540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0093155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 009315A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 009315C8

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 23b48c09f54163f09856e001563f97d46c5c50db436fa55751cf87779215bc82
Instruction ID: 17903c1724b1cd883894ce21c6e6f4e39c7850791889ac3fd752bdf1f4cd52ad
Opcode Fuzzy Hash: 23b48c09f54163f09856e001563f97d46c5c50db436fa55751cf87779215bc82
Instruction Fuzzy Hash: F35103A0A087D53EFB3643748C09BBA7EAD5B46304F0C8489F1D6468E2C3D8EC94DB51

Function 00931276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 009312B5
GetKeyboardState.USER32(?), ref: 009312CA
SetKeyboardState.USER32(?), ref: 0093132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00931357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00931374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009313B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009313D9

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8294b3b03e5f88d6d5bf0be25a61a9e2af2129ecd1b97cae8d4f1c2c95185048
Instruction ID: 97c37354f7b2fe3f0c6b5ca71ff02ca6b7a20d283c4a8544834e0b9f45d35e94
Opcode Fuzzy Hash: 8294b3b03e5f88d6d5bf0be25a61a9e2af2129ecd1b97cae8d4f1c2c95185048
Instruction Fuzzy Hash: 9D51F5A05087D53DFB3287248C55BBABFAD5F06300F0C8589F1D5468E2D795EC94EB61

Function 0093589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 009358AC
_wcsncpy.LIBCMT ref: 009358E1
_wcsncpy.LIBCMT ref: 00935913
_wcsncpy.LIBCMT ref: 00935946
_wcsncpy.LIBCMT ref: 00935988
_wcsncpy.LIBCMT ref: 009359C2
_wcsncpy.LIBCMT ref: 009359F1

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: b190f9e7f9a7708977f82bb4b04916e78474c58573a86ed4733d36c0963ff015
Instruction ID: 8241e98bedef40682154c11ad196435e1623e8c407e4804011aaa20d1a3f171f
Opcode Fuzzy Hash: b190f9e7f9a7708977f82bb4b04916e78474c58573a86ed4733d36c0963ff015
Instruction Fuzzy Hash: 15418365C2161876CB10FBB888869DFB7A8EF04310F519566F618E3122E634E715CBA6

Function 009338AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009348AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009338D3,?), ref: 009348C7

Part of subcall function 009348AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009338D3,?), ref: 009348E0

lstrcmpiW.KERNEL32(?,?), ref: 009338F3
_wcscmp.LIBCMT ref: 0093390F
MoveFileW.KERNEL32(?,?), ref: 00933927
_wcscat.LIBCMT ref: 0093396F
SHFileOperationW.SHELL32(?), ref: 009339DB

Strings

\*.*, xrefs: 00933969

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 5fb10019f93aa9a50141444eca8613c03d1f4a9ec2d895e662a4c4d213a6737c
Instruction ID: 10a3f23d99c0559db7f9636ca66e57d8c52e8d406d54e04bab9bef19dee7f278
Opcode Fuzzy Hash: 5fb10019f93aa9a50141444eca8613c03d1f4a9ec2d895e662a4c4d213a6737c
Instruction Fuzzy Hash: BA416DB254C384DAC751EF64C881AEBB7ECEF89350F14592EB48AC3151EA74D688CB52

Function 00957500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00957519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009575C0
IsMenu.USER32(?), ref: 009575D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00957620
DrawMenuBar.USER32 ref: 00957633

Strings

0, xrefs: 0095750D

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 5f322e1bfb6895010d2ec10f1a61a5f7ee4ae8a6f8391db3b511d457e35576c0
Instruction ID: bc1c881ff8fee560561bc115891e9b3b6fedb4c055212a8e623b9060725fed09
Opcode Fuzzy Hash: 5f322e1bfb6895010d2ec10f1a61a5f7ee4ae8a6f8391db3b511d457e35576c0
Instruction Fuzzy Hash: 4A416A74A05608EFDB10DF9AE884EAABBF8FB04361F048029FD1597250D730AE45DFA1

Function 0095122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0095125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00951286
FreeLibrary.KERNEL32(00000000), ref: 0095133D

Part of subcall function 0095122D: RegCloseKey.ADVAPI32(?), ref: 009512A3
Part of subcall function 0095122D: FreeLibrary.KERNEL32(?), ref: 009512F5
Part of subcall function 0095122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00951318

RegDeleteKeyW.ADVAPI32(?,?), ref: 009512E0

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: f3f3fb08c2ba271bacfd41f232113529392d98d83ff3f91436a1c0169e1598f6
Instruction ID: 04a00da72d790442b2590a581b2c22e2c59c3c05acb3b31fd4994a5f7f5c90f0
Opcode Fuzzy Hash: f3f3fb08c2ba271bacfd41f232113529392d98d83ff3f91436a1c0169e1598f6
Instruction Fuzzy Hash: BB315E71911209BFDB14DBA1DC99EFFB7BCEF08311F000169E911E2151DB749E499BA0

Function 0095653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0095655B
GetWindowLongW.USER32(015676F8,000000F0), ref: 0095658E
GetWindowLongW.USER32(015676F8,000000F0), ref: 009565C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 009565F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0095661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00956630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0095664A

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: aeff89f29008a2a1c9cfab0fc9f4ded3b696a1a40ffd9d45524bdc7f3c2b870b
Instruction ID: bc99fd222ded3c58595779b4d08b54c161685ece3f06a962dfa5f78d2f03eee6
Opcode Fuzzy Hash: aeff89f29008a2a1c9cfab0fc9f4ded3b696a1a40ffd9d45524bdc7f3c2b870b
Instruction Fuzzy Hash: DD315730659214AFDB20CF1ADC88F553BE5FB4A362F9801A8F9018B2B5DB31EC45EB41

Function 00946486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009480A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009480CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009464D9
WSAGetLastError.WSOCK32(00000000), ref: 009464E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00946521
connect.WSOCK32(00000000,?,00000010), ref: 0094652A
WSAGetLastError.WSOCK32 ref: 00946534
closesocket.WSOCK32(00000000), ref: 0094655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00946576

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: ed365bba1650f3a59dd75c43f8dcdb50a0417777c91ac5e91f5ccdc59b0099d1
Instruction ID: 590e1f927b2442d1e415a6699ced31718cfa2af096c810601d47c4a6d8db216d
Opcode Fuzzy Hash: ed365bba1650f3a59dd75c43f8dcdb50a0417777c91ac5e91f5ccdc59b0099d1
Instruction Fuzzy Hash: D931A171610218ABDF10AF24CC95FBE7BBCEB45721F004029F94AD7291DB74AD04DB62

Function 0092E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0092E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0092E120
SysAllocString.OLEAUT32(00000000), ref: 0092E123
SysAllocString.OLEAUT32 ref: 0092E144
SysFreeString.OLEAUT32 ref: 0092E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0092E167
SysAllocString.OLEAUT32(?), ref: 0092E175

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2cd840b602cc202e86cd193c33977fcf06580c3388dc6cc37a15e96259b0a8ef
Instruction ID: f823bfc70b503edf149603e4a263878b556f95ab1667cf1e3d4ae59427865b53
Opcode Fuzzy Hash: 2cd840b602cc202e86cd193c33977fcf06580c3388dc6cc37a15e96259b0a8ef
Instruction Fuzzy Hash: 46217435608218AFDB10AFA9DCC8CAB77ECEB09760B108135F915CB2A5DB74DC419B64

Function 0092FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0092FB81
__wcsnicmp.LIBCMT ref: 0092FBA2
__wcsnicmp.LIBCMT ref: 0092FBBC

Strings

#notrayicon, xrefs: 0092FB79
#OnAutoItStartRegister, xrefs: 0092FBB6
#requireadmin, xrefs: 0092FB9C

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 4be5c4903158541882a0033b1761ce5d62a5dba179c18425b165f17e4b62281a
Instruction ID: e2a227eeae932f17c81e9921cea8191e72c2cdcce8935dd624cba0cdc3a8e32b
Opcode Fuzzy Hash: 4be5c4903158541882a0033b1761ce5d62a5dba179c18425b165f17e4b62281a
Instruction Fuzzy Hash: 03214572100A75A6D230E738ED22EB773ACEF51300F104436F98AC7189EB50AD818792

Function 0095783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008D1D73
Part of subcall function 008D1D35: GetStockObject.GDI32(00000011), ref: 008D1D87
Part of subcall function 008D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008D1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009578A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009578AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009578B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009578C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009578D4

Strings

Msctls_Progress32, xrefs: 00957872

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 78331897f83ccfc4e46c9979a0c5bda8ab12fc804465c8ef96a922d98fc3caf4
Instruction ID: 7241f2dc5ea4287ee4f2dbb09eee557b03eb32adfa16dd1ea0891b0dd59d2fc9
Opcode Fuzzy Hash: 78331897f83ccfc4e46c9979a0c5bda8ab12fc804465c8ef96a922d98fc3caf4
Instruction Fuzzy Hash: CA1190B2114219BFEF159FA5CC85EEB7F6DEF48768F014115BB04A2090C772AC21DBA0

Function 008F41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,008F4292,?), ref: 008F41E3
GetProcAddress.KERNEL32(00000000), ref: 008F41EA
EncodePointer.KERNEL32(00000000), ref: 008F41F6
DecodePointer.KERNEL32(00000001,008F4292,?), ref: 008F4213

Strings

combase.dll, xrefs: 008F41DE
RoInitialize, xrefs: 008F41D2

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 293a392d95c8caf67bf91bfa1eda11eb273fe6dbd0bdc8ed006bbd50eec10998
Instruction ID: cb1a9d7d4a3f6578c7ec438bc82c37105aba5963ea12667d71712f28e8e292da
Opcode Fuzzy Hash: 293a392d95c8caf67bf91bfa1eda11eb273fe6dbd0bdc8ed006bbd50eec10998
Instruction Fuzzy Hash: E2E01AB06BC700AFEB216BBAEC29F153AA4F760757F504436B522D50E0DBB54096AF00

Function 008F429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,008F41B8), ref: 008F42B8
GetProcAddress.KERNEL32(00000000), ref: 008F42BF
EncodePointer.KERNEL32(00000000), ref: 008F42CA
DecodePointer.KERNEL32(008F41B8), ref: 008F42E5

Strings

combase.dll, xrefs: 008F42B3
RoUninitialize, xrefs: 008F42A7

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 96396605e42c14df6fb3b771f17121169c851a19d1c0ab93773f0ee4ef9b043d
Instruction ID: 8c24f56cba16ab32d6949d6035112c49b12526ab5c0cdc827b11f5a763e543ec
Opcode Fuzzy Hash: 96396605e42c14df6fb3b771f17121169c851a19d1c0ab93773f0ee4ef9b043d
Instruction Fuzzy Hash: CEE012785AD700ABEA21AB36EC18F023AA4B73079AF100036F105E20B0CBB04541EB08

Function 0093675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009368AD
_memmove.LIBCMT ref: 009367E8

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

_memmove.LIBCMT ref: 0093685B
_memmove.LIBCMT ref: 00936942
_memmove.LIBCMT ref: 0093695B
_memmove.LIBCMT ref: 00936977

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: f343bbedb4053b5325c5b3423e46e20e90ca18b2e29f67c49e07f67a5b03233d
Instruction ID: f35fb2ae296d3f5e98ecfe5ec2cc4cb5bb276deac6ce40353c2ad024c0cbef86
Opcode Fuzzy Hash: f343bbedb4053b5325c5b3423e46e20e90ca18b2e29f67c49e07f67a5b03233d
Instruction Fuzzy Hash: 3B619E3050065AABCF11EF28C895FFE7BA9FF44318F04861AF9959B292DB349941CB52

Function 0095046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 009510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00950038,?,?), ref: 009510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00950548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00950588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 009505AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009505D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00950617
RegCloseKey.ADVAPI32(00000000), ref: 00950624

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: c3d81dffd75238552549f3d3abeb54046eaa277e39e11982a18efbb6e3c58a91
Instruction ID: 2aa46fb912f62add0161c2df0999fd948767cd5eed17b567bfaab6462bef832e
Opcode Fuzzy Hash: c3d81dffd75238552549f3d3abeb54046eaa277e39e11982a18efbb6e3c58a91
Instruction Fuzzy Hash: 9D513A31108200AFCB14EF29D895E6ABBE8FF85315F04491EF995972A1EB31E909DB52

Function 00955A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00955A82
GetMenuItemCount.USER32(00000000), ref: 00955AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00955AE1
GetMenuItemID.USER32(?,?), ref: 00955B50
GetSubMenu.USER32(?,?), ref: 00955B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00955BAF

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: d4e5826293ef4e640a58737d5f23b5a4b29884fce973ba136f3dccfeaf3d2b2c
Instruction ID: 0e8ff3a8d07144d79c67b4fc80e3523580a80556d30f9737406988b1b4a6d099
Opcode Fuzzy Hash: d4e5826293ef4e640a58737d5f23b5a4b29884fce973ba136f3dccfeaf3d2b2c
Instruction Fuzzy Hash: DA517C31A00619EFCF11EFA5C855AAEBBB4FF48321F11446AED01A7352DB34AE458B91

Function 0092F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0092F3F7
VariantClear.OLEAUT32(00000013), ref: 0092F469
VariantClear.OLEAUT32(00000000), ref: 0092F4C4
_memmove.LIBCMT ref: 0092F4EE
VariantClear.OLEAUT32(?), ref: 0092F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0092F569

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: df30a1f9bbef558cf682f4ff47a7fe8b9444363e3bac0d2c1d3464e71d317bfc
Instruction ID: 92769d2c883e08054995728610082c6abd8387facbc067a62fb8e9e522e10015
Opcode Fuzzy Hash: df30a1f9bbef558cf682f4ff47a7fe8b9444363e3bac0d2c1d3464e71d317bfc
Instruction Fuzzy Hash: 7D5167B5A00219AFCB10DF58D894EAAB7B8FF48314B158569F959DB314D730E911CBA0

Function 009326F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00932747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00932792
IsMenu.USER32(00000000), ref: 009327B2
CreatePopupMenu.USER32 ref: 009327E6
GetMenuItemCount.USER32(000000FF), ref: 00932844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00932875

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: b72b28ab1aad7cc8b12ec8b3deeed67e2d3848cec91f6f2910d0871efdcde405
Instruction ID: e85b34f5e612faa4cae7f1e346d728e30ff3d9b82e0026410b22cca28a313f10
Opcode Fuzzy Hash: b72b28ab1aad7cc8b12ec8b3deeed67e2d3848cec91f6f2910d0871efdcde405
Instruction Fuzzy Hash: 00519B70A0430AEFDF25CF68D888BAEBBF9BF44314F104669E911AB291E7709945CF51

Function 008D1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 008D179A
GetWindowRect.USER32(?,?), ref: 008D17FE
ScreenToClient.USER32(?,?), ref: 008D181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008D182C
EndPaint.USER32(?,?), ref: 008D1876

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: edf1197478b1c948c94bda92e44a3a9e90a8a07f4cdc890664f597ac37db7a2f
Instruction ID: 718dac23d1c991d497a593184a8fd1be7c01433d6df58ddde113e87ba615dbfd
Opcode Fuzzy Hash: edf1197478b1c948c94bda92e44a3a9e90a8a07f4cdc890664f597ac37db7a2f
Instruction Fuzzy Hash: B4418171218305AFDB10DF2ADC88B7A7BE8FF45724F14066AF554C72A1C7319845EB62

Function 0095B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(009967B0,00000000,015676F8,?,?,009967B0,?,0095B862,?,?), ref: 0095B9CC
EnableWindow.USER32(00000000,00000000), ref: 0095B9F0
ShowWindow.USER32(009967B0,00000000,015676F8,?,?,009967B0,?,0095B862,?,?), ref: 0095BA50
ShowWindow.USER32(00000000,00000004,?,0095B862,?,?), ref: 0095BA62
EnableWindow.USER32(00000000,00000001), ref: 0095BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0095BAA9

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 633f58ec7066f84bea06bffcf88a0cf5900f210440e05b4c39c57df767088407
Instruction ID: 01d2c56cb506be7b6aa89333d30ec64a300ccb85e6b7dc5d02878d98ed7b3a1a
Opcode Fuzzy Hash: 633f58ec7066f84bea06bffcf88a0cf5900f210440e05b4c39c57df767088407
Instruction Fuzzy Hash: 16416230604645AFDB22CF16C499B957BE4FF05316F5842B9FE488F2A2C731A849DB51

Function 009473B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00945134,?,?,00000000,00000001), ref: 009473BF

Part of subcall function 00943C94: GetWindowRect.USER32(?,?), ref: 00943CA7

GetDesktopWindow.USER32 ref: 009473E9
GetWindowRect.USER32(00000000), ref: 009473F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00947422

Part of subcall function 009354E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0093555E

GetCursorPos.USER32(?), ref: 0094744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009474AC

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: f21c79d161c03aac5c41c7f4f52649cf260fbf07dd44c9cad00c0a203621acc3
Instruction ID: 84a33562c709011568c2678e0bec0cd7ce390791ed3371945c5aa530ad6104ff
Opcode Fuzzy Hash: f21c79d161c03aac5c41c7f4f52649cf260fbf07dd44c9cad00c0a203621acc3
Instruction Fuzzy Hash: 4031D572509309AFD720DF55D849FABBBEAFF88314F004919F58997191D730EA09CB92

Function 00928D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009285F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00928608
Part of subcall function 009285F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00928612
Part of subcall function 009285F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00928621
Part of subcall function 009285F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00928628
Part of subcall function 009285F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0092863E

GetLengthSid.ADVAPI32(?,00000000,00928977), ref: 00928DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00928DB8
HeapAlloc.KERNEL32(00000000), ref: 00928DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00928DD8
GetProcessHeap.KERNEL32(00000000,00000000,00928977), ref: 00928DEC
HeapFree.KERNEL32(00000000), ref: 00928DF3

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d83888666d1ab695550a74c1cc815a10fdbd2b0207b9d5679c07286943de3979
Instruction ID: 0fc38eb1ed93206e3ac73cd04b0e172127d55213fa13ab66499d29d472c87c9d
Opcode Fuzzy Hash: d83888666d1ab695550a74c1cc815a10fdbd2b0207b9d5679c07286943de3979
Instruction Fuzzy Hash: F611EE31516615FFDB109FA5EC18BAF7BADEF55326F108029F84593294CB32A908DB60

Function 00928AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00928B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00928B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00928B40
CloseHandle.KERNEL32(00000004), ref: 00928B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00928B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00928B8E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b789e5f1dc6c4ee465f56e4f966ee23b3177f2b40af34442da644b4981393134
Instruction ID: bfa3f92b95002f4fce24764d3ad021f3b69f3afd6804c12759869760269cf51f
Opcode Fuzzy Hash: b789e5f1dc6c4ee465f56e4f966ee23b3177f2b40af34442da644b4981393134
Instruction Fuzzy Hash: 261159B2505209ABDF018FA5ED49FEB7BADEF08315F044068FE04A2160C7768D60AB60

Function 0095C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 008D12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008D134D
Part of subcall function 008D12F3: SelectObject.GDI32(?,00000000), ref: 008D135C
Part of subcall function 008D12F3: BeginPath.GDI32(?), ref: 008D1373
Part of subcall function 008D12F3: SelectObject.GDI32(?,00000000), ref: 008D139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0095C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0095C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0095C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0095C1F6
EndPath.GDI32(00000000), ref: 0095C206
StrokePath.GDI32(00000000), ref: 0095C216

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a06190fbf9f8491361c0119430b8db034d3fa22e84ed58e34d3013eb21a72579
Instruction ID: 7631ae9aab7f6467f48126c4cc4fcca64c642a5a93fc7ea8deb06e4eae5374e2
Opcode Fuzzy Hash: a06190fbf9f8491361c0119430b8db034d3fa22e84ed58e34d3013eb21a72579
Instruction Fuzzy Hash: DC111E7640820CBFDF119F96DC48E9A7FADEF04365F048061B918861A1D7729D55EBA0

Function 008F03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 008F03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 008F03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 008F03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 008F03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 008F03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 008F0401

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 97723496fea2b7f950df184d99432f972522807f63507749ef768fe358c42002
Instruction ID: ebbae5c9f9b1315f16270a8ddf1aaf284ae5189a378a817feee3d88da7310b22
Opcode Fuzzy Hash: 97723496fea2b7f950df184d99432f972522807f63507749ef768fe358c42002
Instruction Fuzzy Hash: 42016CB09027597DE3009F5A8C85B52FFE8FF19354F00411BA15C47941C7F5A864CBE5

Function 0093568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0093569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009356B1
GetWindowThreadProcessId.USER32(?,?), ref: 009356C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009356CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009356D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009356E0

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 32248c7cd49c5bf2f4000e93223da8bd1519667c43035021643cef142b0e477e
Instruction ID: b58564f9a424215c935efad7fc888ce60b8a33fc88400c18efa78dcf63374ff0
Opcode Fuzzy Hash: 32248c7cd49c5bf2f4000e93223da8bd1519667c43035021643cef142b0e477e
Instruction Fuzzy Hash: 76F0123115A658BBE7215B539C0DEAB7B7CEBC6B22F000169FA04D105096A11A0197B5

Function 009374D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 009374E5
EnterCriticalSection.KERNEL32(?,?,008E1044,?,?), ref: 009374F6
TerminateThread.KERNEL32(00000000,000001F6,?,008E1044,?,?), ref: 00937503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,008E1044,?,?), ref: 00937510

Part of subcall function 00936ED7: CloseHandle.KERNEL32(00000000,?,0093751D,?,008E1044,?,?), ref: 00936EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00937523
LeaveCriticalSection.KERNEL32(?,?,008E1044,?,?), ref: 0093752A

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f3089ed2b331c9b9c17bdd236ffecf57311e5db46ca7cf5ad1c7b58dc58a8c6d
Instruction ID: bf67e45c651568dac1ff1318c59fd46dba8b8c9df6974a6eec94e4904e215e1f
Opcode Fuzzy Hash: f3089ed2b331c9b9c17bdd236ffecf57311e5db46ca7cf5ad1c7b58dc58a8c6d
Instruction Fuzzy Hash: 8BF05EBA159B12EBEB212B65FC9CAEB772AEF45323F000531F202914B0CB755811EF60

Function 00928E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00928E7F
UnloadUserProfile.USERENV(?,?), ref: 00928E8B
CloseHandle.KERNEL32(?), ref: 00928E94
CloseHandle.KERNEL32(?), ref: 00928E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00928EA5
HeapFree.KERNEL32(00000000), ref: 00928EAC

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9befc3d3b3a3fb891010adcbb87557263ad97929d51555d26ea1b2bd9d8397eb
Instruction ID: 6fa208dc5ab3ac009fb1253b928113c5a644ba4b0e00cf32fa6d8d5bf01144fa
Opcode Fuzzy Hash: 9befc3d3b3a3fb891010adcbb87557263ad97929d51555d26ea1b2bd9d8397eb
Instruction Fuzzy Hash: 7AE05276119A05FBDA012FE6EC1C95ABB69FB89773B508631F21981470CB32A461EB50

Function 00948902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00948928
CharUpperBuffW.USER32(?,?), ref: 00948A37
VariantClear.OLEAUT32(?), ref: 00948BAF

Part of subcall function 00937804: VariantInit.OLEAUT32(00000000), ref: 00937844
Part of subcall function 00937804: VariantCopy.OLEAUT32(00000000,?), ref: 0093784D
Part of subcall function 00937804: VariantClear.OLEAUT32(00000000), ref: 00937859

Strings

Incorrect Parameter format, xrefs: 00948960, 00948B22
AUTOIT.ERROR, xrefs: 00948A3D

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: fd35833bb33927a031f10ab9b41610cc7a5af3a09889d456260cdeb5d4040b88
Instruction ID: 4e6d45d07431a9eda622af34a0d2c990c910bb08f5ffa885b96af37d857047fa
Opcode Fuzzy Hash: fd35833bb33927a031f10ab9b41610cc7a5af3a09889d456260cdeb5d4040b88
Instruction Fuzzy Hash: 389137756087019FC714EF28C48496BBBE8EF89354F044A6EF89A8B361DB31E945CB52

Function 00932F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008EFEC6: _wcscpy.LIBCMT ref: 008EFEE9

_memset.LIBCMT ref: 00933077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009330A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00933159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00933187

Strings

0, xrefs: 00933063

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 057db6533e9b25366efec559c4db10926896c20d34c3a3832242661dede959d9
Instruction ID: c86eea49272971f70cb2a76f8726bdb1dfd3f145dfafce95f35c2db333a30eac
Opcode Fuzzy Hash: 057db6533e9b25366efec559c4db10926896c20d34c3a3832242661dede959d9
Instruction Fuzzy Hash: 8D51B33165C3009ED725DF68C845A6BB7E8EF85360F048A2EF895D7291DB74CE448F92

Function 0092DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0092DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0092DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0092DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0092DB8E

Strings

DllGetClassObject, xrefs: 0092DB01

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 2eb2ad613d2cbd24378248836d58902ffa45df9e547486387f108a9e6ce891f5
Instruction ID: 9c4cfdb5bbd5a724a098ab9ca35f716d6f1a02acf90da82c7ccc7f5209bbe730
Opcode Fuzzy Hash: 2eb2ad613d2cbd24378248836d58902ffa45df9e547486387f108a9e6ce891f5
Instruction Fuzzy Hash: DC41C0B1601318EFDB14CF65D894BAA7BB9EF44310F1580A9AD05DF249D7B0DE40DBA0

Function 00932C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00932CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00932CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00932D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00996890,00000000), ref: 00932D5A

Strings

0, xrefs: 00932CA4

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 514e5cf8f45b99896bdd531ef308a1516c4164595779a368ded17479cc3b03c6
Instruction ID: 1a690cb7f380787b703f269de2913779c6ad2699d21d83ef08b4d26b02e47715
Opcode Fuzzy Hash: 514e5cf8f45b99896bdd531ef308a1516c4164595779a368ded17479cc3b03c6
Instruction Fuzzy Hash: 28416D302043029FD720DF24C845B6ABBE8EF85720F14465EF965972D1DB70E905CF92

Function 0094DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0094DAD9

Part of subcall function 008D79AB: _memmove.LIBCMT ref: 008D79F9

Strings

stdcall, xrefs: 0094DB5B
winapi, xrefs: 0094DB4A
none, xrefs: 0094DBB4
cdecl, xrefs: 0094DB30

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: ec389411829ef7fd71196598b126b51dff4848c99de693ff21ff31be2224b341
Instruction ID: 17d8aca3329868fd2df9c865f7ab86e72bef78b7a7697c3fc2b87707d6aa74e9
Opcode Fuzzy Hash: ec389411829ef7fd71196598b126b51dff4848c99de693ff21ff31be2224b341
Instruction Fuzzy Hash: 1F31A17450061AAFCF10EF68C890DBEB3B4FF05310B108B2AE866E7795DB31A905CB90

Function 00929372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 0092B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0092B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009293F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00929409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00929439

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

Strings

ListBox, xrefs: 009293B5
ComboBox, xrefs: 00929380

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: f340294fdabd72b6daffdc46643ceb16180856ab7e170249f22754c122c81e5d
Instruction ID: 2140341865b5843939b0b745020db6974db68d6ffe404b5f4a04949edd7d7deb
Opcode Fuzzy Hash: f340294fdabd72b6daffdc46643ceb16180856ab7e170249f22754c122c81e5d
Instruction Fuzzy Hash: 37212671940118BFDB14AB74EC85DFFB7BCEF45324F14422AF921972E4DB38090A9610

Function 00941B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00941B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00941B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00941B96
InternetCloseHandle.WININET(00000000), ref: 00941BDD

Part of subcall function 00942777: GetLastError.KERNEL32(?,?,00941B0B,00000000,00000000,00000001), ref: 0094278C
Part of subcall function 00942777: SetEvent.KERNEL32(?,?,00941B0B,00000000,00000000,00000001), ref: 009427A1

Strings

, xrefs: 00941B87

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: f918870e64e84d672d8a4eb49c1ace523641ea1791b9f294d24ad3e7e4a18d17
Instruction ID: ac0d7e7e0d1589450799e11f5238e95a6be509503740e0eb02d60521e94cd314
Opcode Fuzzy Hash: f918870e64e84d672d8a4eb49c1ace523641ea1791b9f294d24ad3e7e4a18d17
Instruction Fuzzy Hash: 0F21CAB1604308BFEB119F219CD5EBF76ECEB89B58F10012AF905A7240EB249D44A7A1

Function 00956656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008D1D73
Part of subcall function 008D1D35: GetStockObject.GDI32(00000011), ref: 008D1D87
Part of subcall function 008D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008D1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009566D0
LoadLibraryW.KERNEL32(?), ref: 009566D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009566EC
DestroyWindow.USER32(?), ref: 009566F4

Strings

SysAnimate32, xrefs: 009566AB

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 4d2828c8f78219101159d3e4d1fe664f717d779989b73727d28e864163592699
Instruction ID: 23902a479bde9961816dfcba1cafff86f2600363d7559d349c77aa7de9046b5d
Opcode Fuzzy Hash: 4d2828c8f78219101159d3e4d1fe664f717d779989b73727d28e864163592699
Instruction Fuzzy Hash: C721BE71100205ABEF108E6AEC90EAB77ADEB5937AF900629FD1093190C771CC45A760

Function 0093703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0093705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00937091
GetStdHandle.KERNEL32(0000000C), ref: 009370A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009370DD

Strings

nul, xrefs: 009370D8

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 0ae7e64425638d4e18ef81c2de8ce43bdef47caaaf71836a713486cce1fadbd7
Instruction ID: 1e0d55557bb864c7b9efcdb201e05d1daedda35dc56351a769eda7401a3c461a
Opcode Fuzzy Hash: 0ae7e64425638d4e18ef81c2de8ce43bdef47caaaf71836a713486cce1fadbd7
Instruction Fuzzy Hash: C4215EB4508309ABDB349FB9DC05A9AB7A8AF84720F208A19FCA1D72D0E77098509F50

Function 0093710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0093712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0093715D
GetStdHandle.KERNEL32(000000F6), ref: 0093716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009371A8

Strings

nul, xrefs: 009371A3

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 044ecd815acb7e44fd9c4d5e2d7606af79873452cd8305071f26068bbd363b1f
Instruction ID: 3282a5c7224a14a5f94ef7759eb55df171a5bd57dbad5da89f4cab2e521edb05
Opcode Fuzzy Hash: 044ecd815acb7e44fd9c4d5e2d7606af79873452cd8305071f26068bbd363b1f
Instruction Fuzzy Hash: 7A215EB650C309ABDB309FE99C04AAAB7A8AF55730F204A19F9A1D72D0D77098418F61

Function 0093AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0093AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0093AF13
__swprintf.LIBCMT ref: 0093AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0095F910), ref: 0093AF6A

Strings

%lu, xrefs: 0093AF26

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 6cce2733b04d874708e37687d6c7aa5d80e35dce664bd4585b3db028ab257f0b
Instruction ID: e9b2810ccc84b56ed67b4fb9200802c2409aeb3e357056054bb2dcad93176af3
Opcode Fuzzy Hash: 6cce2733b04d874708e37687d6c7aa5d80e35dce664bd4585b3db028ab257f0b
Instruction Fuzzy Hash: F7216230600209AFCB10EF65C885EAE7BB8FF89714F004069F945DB351DB31EA41DB61

Function 0092A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

Part of subcall function 0092A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0092A399
Part of subcall function 0092A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0092A3AC
Part of subcall function 0092A37C: GetCurrentThreadId.KERNEL32 ref: 0092A3B3
Part of subcall function 0092A37C: AttachThreadInput.USER32(00000000), ref: 0092A3BA

GetFocus.USER32 ref: 0092A554

Part of subcall function 0092A3C5: GetParent.USER32(?), ref: 0092A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0092A59D
EnumChildWindows.USER32(?,0092A615), ref: 0092A5C5
__swprintf.LIBCMT ref: 0092A5DF

Strings

%s%d, xrefs: 0092A5D9

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 4d14e3163f31924aa4492541247c5ff27206ca42999ae1002ce1e99c8265801a
Instruction ID: c647ea0dad858d9fb9d8bac10321d9953a060e68d5d290c85e4c2bf158f3586a
Opcode Fuzzy Hash: 4d14e3163f31924aa4492541247c5ff27206ca42999ae1002ce1e99c8265801a
Instruction Fuzzy Hash: BA11DF72204218ABDF10BF64EC85FEA377DEF88310F0440B6B908AA19ADB7459458B36

Function 00932017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00932048

Strings

REMOVE, xrefs: 0093204E
KEYS, xrefs: 0093205F
APPEND, xrefs: 00932081
EXISTS, xrefs: 00932070

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 4ed4dcbf88ef53b227b11285972d510a1f8f15a128a272a86746e29ef97411a4
Instruction ID: 201d8669a9bd9e12d6e4df284ae95ea1e1a17200e83fc962b93b6f49050dffab
Opcode Fuzzy Hash: 4ed4dcbf88ef53b227b11285972d510a1f8f15a128a272a86746e29ef97411a4
Instruction Fuzzy Hash: 601179309042098FCF24EFA8D8904BEB3B5FF16300F10896AD851A7362EB36690ACF51

Function 0094EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0094EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0094EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0094F07E
CloseHandle.KERNEL32(?), ref: 0094F0FF

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: d9aeb0b668fa41c08907052901e40be85100a824e394705be0d40a926deb8cd0
Instruction ID: 467aadc1ec105f4c55ad972a96e7999fbf47fee9379c90db78c913f08114a26b
Opcode Fuzzy Hash: d9aeb0b668fa41c08907052901e40be85100a824e394705be0d40a926deb8cd0
Instruction Fuzzy Hash: 1D813D716043119FD720EF29C856F2AB7E5FF88720F14895EF595DB392DA70AC408B52

Function 009502C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 009510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00950038,?,?), ref: 009510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00950388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009503C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0095040E
RegCloseKey.ADVAPI32(?,?), ref: 0095043A
RegCloseKey.ADVAPI32(00000000), ref: 00950447

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 08222471ca3b9b7bf86b1c4e04b59ad19d0d6889c627d23e7ebcc684a13a8a02
Instruction ID: 09bab635fd8702d38f21ab8932a77ec96eb4e1f64d772ea21dbdf5cbe180f17d
Opcode Fuzzy Hash: 08222471ca3b9b7bf86b1c4e04b59ad19d0d6889c627d23e7ebcc684a13a8a02
Instruction Fuzzy Hash: 42514E31108204AFD704EF69D891F6EB7E8FF84315F04891EF995872A1DB31E908DB52

Function 0094DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0094DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 0094DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 0094DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 0094DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0094DD35

Part of subcall function 008D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00937B20,?,?,00000000), ref: 008D5B8C
Part of subcall function 008D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00937B20,?,?,00000000,?,?), ref: 008D5BB0

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 880ff486219500fdc9ac7cda604ea12aa912d2fb864d44906db23928b4bb4c40
Instruction ID: 611be3238d34781e0345b547301e0541dacc5d54cef7a411ecedcae1a353ae3a
Opcode Fuzzy Hash: 880ff486219500fdc9ac7cda604ea12aa912d2fb864d44906db23928b4bb4c40
Instruction Fuzzy Hash: 4F512839A04605EFCB00EF68C494DADB7F4FF49321B04816AE855AB351DB30AD45CB91

Function 0093E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0093E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0093E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0093E8F2

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0093E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0093E91F

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: fa26c749779e9e422c5ef200a8adaa19b72344cc9457a49c4e4610c46bfcc142
Instruction ID: 5dcbc9edcc68c3844fd12bb3ff1b5750064024c74d53806eef89cae91e3a0db9
Opcode Fuzzy Hash: fa26c749779e9e422c5ef200a8adaa19b72344cc9457a49c4e4610c46bfcc142
Instruction Fuzzy Hash: FC510935A00215EFCB01EF69C991AAEBBF5FF08310F1480A9E849AB361DB31AD51DF51

Function 0095A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bfaf0f0f3b2c27485b0496cd987908e2c8857dfebeebb6128914124b5c8c96
Instruction ID: d5845f388459736b7d8fe1652fdd5377d732c942b428882e6ae93eca7f30b005
Opcode Fuzzy Hash: 71bfaf0f0f3b2c27485b0496cd987908e2c8857dfebeebb6128914124b5c8c96
Instruction Fuzzy Hash: FD410135904204AFC720DF6ACC58FA9BBA8FB09326F140365FC55A72E0D770AE49DB59

Function 008D2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008D2357
ScreenToClient.USER32(009967B0,?), ref: 008D2374
GetAsyncKeyState.USER32(00000001), ref: 008D2399
GetAsyncKeyState.USER32(00000002), ref: 008D23A7

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 479d0b78e1ad051b8e2e75c613acd7681a1c4d5f626c683cdcb3f4f0884f1e98
Instruction ID: c07e74e3ee606e593a58441710734f1992d2201dddba65fb887b50e0526ce138
Opcode Fuzzy Hash: 479d0b78e1ad051b8e2e75c613acd7681a1c4d5f626c683cdcb3f4f0884f1e98
Instruction Fuzzy Hash: 10417C75508219FFDB199F69C844AEABB74FB45360F20435AF828E23A0C734A994DB91

Function 00926920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0092695D
TranslateAcceleratorW.USER32(?,?,?), ref: 009269A9
TranslateMessage.USER32(?), ref: 009269D2
DispatchMessageW.USER32(?), ref: 009269DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009269EB

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 12b012e6b968601877977ced2b985863cb0de75387f986c2f0f912a487b389fe
Instruction ID: 1acbef16926005580111ac9a2205c5fb25590bcb3d91f4555bb69ac2f4ae06ab
Opcode Fuzzy Hash: 12b012e6b968601877977ced2b985863cb0de75387f986c2f0f912a487b389fe
Instruction Fuzzy Hash: 89313931919326AFDB20CF79EC84FB67BACAB01310F14456AE421D38A4DB34D8C9E790

Function 00928F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00928F12
PostMessageW.USER32(?,00000201,00000001), ref: 00928FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00928FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00928FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00928FDA

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: beff1b03b2a0516174f3269eca9c3c8ddd02678ea1f8fbe9022df4705a6bcfc9
Instruction ID: fe005f2f5813a26915d564289b2dcbbb40ba874b726d555a3575b40e4c1f33ba
Opcode Fuzzy Hash: beff1b03b2a0516174f3269eca9c3c8ddd02678ea1f8fbe9022df4705a6bcfc9
Instruction Fuzzy Hash: C231EE71505229EFDB00CF68EA4CADF7BBAEB04326F104229F924EB1D4C7B09914DB90

Function 0092B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0092B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0092B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0092B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0092B742
_wcsstr.LIBCMT ref: 0092B74C

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: cfdcd2ae9038a1482e8093435125242fff436caf31a3a24df784fa678dcd9282
Instruction ID: 356487c47d4dc5b8082f5676ed65c9e28179809df8dcac9dd8a95fcfe14de290
Opcode Fuzzy Hash: cfdcd2ae9038a1482e8093435125242fff436caf31a3a24df784fa678dcd9282
Instruction Fuzzy Hash: 9121F932205258BBEB255B39AC49E7B7BECEF85721F104039FD05CA1A5EF61DC409761

Function 0095B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

GetWindowLongW.USER32(?,000000F0), ref: 0095B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0095B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0095B489
GetSystemMetrics.USER32(00000004), ref: 0095B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00941184,00000000), ref: 0095B4D0

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: ce71c3d6ee845132f29c19637d634e3050090fff6ee36d8bbb6fbb3fb1adfe0e
Instruction ID: 930126f99ea25d8090172e8131c241c1d4feb44e9eb54652e0dee2aa0c394a67
Opcode Fuzzy Hash: ce71c3d6ee845132f29c19637d634e3050090fff6ee36d8bbb6fbb3fb1adfe0e
Instruction Fuzzy Hash: AD218031524215AFCB20DF3ACC48A6A37A8EB05732F154B29FD26C71F1E7309855DB80

Function 009297E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00929802

Part of subcall function 008D7D2C: _memmove.LIBCMT ref: 008D7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00929834
__itow.LIBCMT ref: 0092984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00929874
__itow.LIBCMT ref: 00929885

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 2b4ffc16647450a425ef18aa4813cb4ad68360aed9d7535fd03ca8c8cb1a8911
Instruction ID: 595851084b7b89222d4ed821da1a2f6604e765eb53e7396b9b68791de569d119
Opcode Fuzzy Hash: 2b4ffc16647450a425ef18aa4813cb4ad68360aed9d7535fd03ca8c8cb1a8911
Instruction Fuzzy Hash: 2A210731B00218ABDB10AA759C86EEE3BADEF4A724F080035FD05DB245E6708D459792

Function 008D12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008D134D
SelectObject.GDI32(?,00000000), ref: 008D135C
BeginPath.GDI32(?), ref: 008D1373
SelectObject.GDI32(?,00000000), ref: 008D139C

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4022d698002c35d9af9d758aebb506fee5c4994f6bd4c3713fb9da96d0d132e4
Instruction ID: 12c5776058c5ff15cc563cc58bd6a682d5ca09a2bb2472ffbec4109ebe3f4a13
Opcode Fuzzy Hash: 4022d698002c35d9af9d758aebb506fee5c4994f6bd4c3713fb9da96d0d132e4
Instruction Fuzzy Hash: 3A213A70828308EFDF159F2ADC087A97BB9FB10366F148327F814D66A0D7759991EB90

Function 0092C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0092C176
_memcmp.LIBCMT ref: 0092C194
_memcmp.LIBCMT ref: 0092C1A7
_memcmp.LIBCMT ref: 0092C1BF
_memcmp.LIBCMT ref: 0092C1D7

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ad877e83ff1a72d83bd0bef4af1bc62ef3ff6eaf6283b4d57ab08c0f3c61d012
Instruction ID: a519a8cc4bda5a7eb563719aeafc98025492f98413cb730c30fb6a68d130ac77
Opcode Fuzzy Hash: ad877e83ff1a72d83bd0bef4af1bc62ef3ff6eaf6283b4d57ab08c0f3c61d012
Instruction Fuzzy Hash: CD0192E16085297BE604A7246C47EBF675CEF7139CB444121FE04E6287E6599E2182E1

Function 00934D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00934D5C
__beginthreadex.LIBCMT ref: 00934D7A
MessageBoxW.USER32(?,?,?,?), ref: 00934D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00934DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00934DAC

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: ad547d89eae25207a04efccd655237fd9ce7e9c950d469d607f034b90529d7b5
Instruction ID: ebbc1c9f8f23f714df34ac3e1be2bc99787feeb9700c553fc6eb2c5de2be0f22
Opcode Fuzzy Hash: ad547d89eae25207a04efccd655237fd9ce7e9c950d469d607f034b90529d7b5
Instruction Fuzzy Hash: B9110876918608BBC7019BBC9C04A9F7FACEB85321F144266F924D3290D6759D009BA1

Function 0092874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00928766
GetLastError.KERNEL32(?,0092822A,?,?,?), ref: 00928770
GetProcessHeap.KERNEL32(00000008,?,?,0092822A,?,?,?), ref: 0092877F
HeapAlloc.KERNEL32(00000000,?,0092822A,?,?,?), ref: 00928786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0092879D

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: c8f010614bf6b050622d2d470751e0c08dc9e0d8804498f319a339ee4cbb0eb5
Instruction ID: 0c856279265d5e97c7a724ac666efdd0993f001b4102fbe3014535700ba40b9b
Opcode Fuzzy Hash: c8f010614bf6b050622d2d470751e0c08dc9e0d8804498f319a339ee4cbb0eb5
Instruction Fuzzy Hash: 01014B71216618FFDB204FA6EC98D6B7BACEF893667200469F849C3260DA318C10DB60

Function 009354E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00935502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00935510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00935518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00935522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0093555E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 9f43b760cafdd61ec01b90425535c07740283fe0eb5f33ed82f72bd14e8cfa7f
Instruction ID: 95e65d9bbfb4b25fe31eb3872604ce5740f7a14b0983512fae9eab13da7ba96a
Opcode Fuzzy Hash: 9f43b760cafdd61ec01b90425535c07740283fe0eb5f33ed82f72bd14e8cfa7f
Instruction Fuzzy Hash: C9015E71C19A19DBCF00EFE5E8585EDBB78FB0D712F020456E401B2140DB305554DBA1

Function 00927652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?,?,?,0092799D), ref: 0092766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?,?), ref: 0092768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?,?), ref: 00927698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?), ref: 009276A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0092758C,80070057,?,?), ref: 009276B4

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 14a9cf5059475a5e716343ee24b64ade103a9c8170b815f024db31cdb20dd00d
Instruction ID: fedccec81b449809786acff6c32221e1c22bbe22971f8f120d891d07f60ba332
Opcode Fuzzy Hash: 14a9cf5059475a5e716343ee24b64ade103a9c8170b815f024db31cdb20dd00d
Instruction Fuzzy Hash: 4C01A772615728BFDB105F99EC44BAABFADEF44762F140028FD05E2215E731DD4197A0

Function 009285F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00928608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00928612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00928621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00928628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0092863E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5817edd58c4884742b4fa9d00378d1bce4198649da8773cbd95135f317c073b3
Instruction ID: e2127bf4cc6c6c0428a8b8acfaa1e5207c56c74c43c3eff09b043668406dc5b3
Opcode Fuzzy Hash: 5817edd58c4884742b4fa9d00378d1bce4198649da8773cbd95135f317c073b3
Instruction Fuzzy Hash: E1F06235216315AFEB200FA6EC9DE6B3BACEF89765B040425F945C7190CB719C45EB60

Function 00928652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00928669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00928673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00928682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00928689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0092869F

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 98671c837ea9412634b5de6ebc08ff5c8f8a94b4e66df23c95ac799cc4dbac04
Instruction ID: 19559e1e1b9d30e0d8b075a75f4063339466edc0659579da4373ef3dac91b0bc
Opcode Fuzzy Hash: 98671c837ea9412634b5de6ebc08ff5c8f8a94b4e66df23c95ac799cc4dbac04
Instruction Fuzzy Hash: D3F0AF70216314BFEB111FA6EC98E6B3BADEF89766B140025F905C2190CA709800EB60

Function 0092C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0092C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0092C6D1
MessageBeep.USER32(00000000), ref: 0092C6E9
KillTimer.USER32(?,0000040A), ref: 0092C705
EndDialog.USER32(?,00000001), ref: 0092C71F

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: a9de9b18f5f0763fe28fd16b5953eb0b757a17b30e102c4d33bdb12a6b13cd49
Instruction ID: 6209bc716fb74fef9d34b75ad8e35312451d0b99d7fde3917401de36871c4268
Opcode Fuzzy Hash: a9de9b18f5f0763fe28fd16b5953eb0b757a17b30e102c4d33bdb12a6b13cd49
Instruction Fuzzy Hash: 6F01D670415718ABEB206B21EC6EF9A77BCFF00702F000669F542A10E0EBF4A9549F81

Function 008D13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008D13BF
StrokeAndFillPath.GDI32(?,?,0090BAD8,00000000,?), ref: 008D13DB
SelectObject.GDI32(?,00000000), ref: 008D13EE
DeleteObject.GDI32 ref: 008D1401
StrokePath.GDI32(?), ref: 008D141C

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 90f70813f158ef4969b174e3a726d34c04780daa5e2422ce393263d09fb2a2e7
Instruction ID: f4383737da5a959f786a61ed16d086150cb73bf84ff2831bae0fde9de216f0ed
Opcode Fuzzy Hash: 90f70813f158ef4969b174e3a726d34c04780daa5e2422ce393263d09fb2a2e7
Instruction Fuzzy Hash: C3F0B230028708ABDB155F2BEC0C7587FA6FB01326F088326E429856F1C7358995EF54

Function 0093C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0093C69D
CoCreateInstance.OLE32(00962D6C,00000000,00000001,00962BDC,?), ref: 0093C6B5

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

CoUninitialize.OLE32 ref: 0093C922

Strings

.lnk, xrefs: 0093C631, 0093C659, 0093C663

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: c183869bf01e628d53fddb1bb3dea66ff7dbebbc53e7adbfbb688c81145e4de8
Instruction ID: 79cb01a6314df2ef4113d0bc52e0dde0c2c1b7682f931b0787a213b35e054db3
Opcode Fuzzy Hash: c183869bf01e628d53fddb1bb3dea66ff7dbebbc53e7adbfbb688c81145e4de8
Instruction Fuzzy Hash: EAA12C71108215AFD700EF58C891EABB7E8FF94714F004A5DF196D7292EB70EA49CB52

Function 008E2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 008F0FF6: std::exception::exception.LIBCMT ref: 008F102C
Part of subcall function 008F0FF6: __CxxThrowException@8.LIBCMT ref: 008F1041

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 008D7BB1: _memmove.LIBCMT ref: 008D7C0B

__swprintf.LIBCMT ref: 008E302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 008E2EC6

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 0c848371b11e6b099face223bab7fb04aaf1653a0ee2ebbf29fd2017261f2efe
Instruction ID: e444406973f21fd42a5bc7823f2fe5c1457321e3b3f5d9a45097c229f4cec1ff
Opcode Fuzzy Hash: 0c848371b11e6b099face223bab7fb04aaf1653a0ee2ebbf29fd2017261f2efe
Instruction Fuzzy Hash: 24917D71508745AFC728EF28D985C6EB7A8FF86750F00491EF581D73A1EA20EE45CB52

Function 0093BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 008D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008D48A1,?,?,008D37C0,?), ref: 008D48CE

CoInitialize.OLE32(00000000), ref: 0093BC26
CoCreateInstance.OLE32(00962D6C,00000000,00000001,00962BDC,?), ref: 0093BC3F
CoUninitialize.OLE32 ref: 0093BC5C

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

Strings

.lnk, xrefs: 0093BC08, 0093BC16

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 7a3c03c359676ff25b0f61f75224edc231ff7d9314a53d80b714816a0bfff6b9
Instruction ID: 41117454846bbb18e5527c140555caac12c3e834306682a75f90d078901df7be
Opcode Fuzzy Hash: 7a3c03c359676ff25b0f61f75224edc231ff7d9314a53d80b714816a0bfff6b9
Instruction Fuzzy Hash: BFA13575204311AFCB10DF18C494E5ABBE5FF88314F148A99F99A9B3A1CB31ED45CB92

Function 008F524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 008F52DD

Part of subcall function 00900340: __87except.LIBCMT ref: 0090037B

Strings

pow, xrefs: 008F52B5, 008F52D2

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: f309da572b73b6ac79f201d41379313cdda6c2d191489e32d82c25b5d7fdd56d
Instruction ID: cd25ca473e2b7983e9e9fd4447f9e398b53b2a29a8ae4be0f861c58709b38fc9
Opcode Fuzzy Hash: f309da572b73b6ac79f201d41379313cdda6c2d191489e32d82c25b5d7fdd56d
Instruction Fuzzy Hash: A7516B21A1CA098BCB117738C95137E7B94FB81754F204E59E3D5C23E9EE788CD4AA4A

Function 008F023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 008F0280
+, xrefs: 008F0277

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 42854e42d7c37e1214e4e582f3c47e5d644a3a8220471d5bad310f10df51263b
Instruction ID: 3c484206fdc5efc77a020d57f8248aabcb142ba28fafd73fa35123af30586ff0
Opcode Fuzzy Hash: 42854e42d7c37e1214e4e582f3c47e5d644a3a8220471d5bad310f10df51263b
Instruction Fuzzy Hash: AB51317510426ACFCF259F28E8886FA7BA8FF15310F184056E8919B3E5D7349C42CB61

Function 008E62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008E63A8
_memmove.LIBCMT ref: 008E6446
_memset.LIBCMT ref: 008E646A

Strings

ERCP, xrefs: 008E6313

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 5c5fb3e91bd97406be946d1fb2e31b5a907c0740f443c1d44fd1164a0928c5b8
Instruction ID: 415b10acdff143a84746cf73f96ee342bda53662045e39944b6076ceaa22d3fe
Opcode Fuzzy Hash: 5c5fb3e91bd97406be946d1fb2e31b5a907c0740f443c1d44fd1164a0928c5b8
Instruction Fuzzy Hash: B451B171900759DBCB24CF65C8817AABBF4FF14358F20856EE94ACB281F771A5A0CB45

Function 00929CD7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009319CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00929778,?,?,00000034,00000800,?,00000034), ref: 009319F6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00929D21

Part of subcall function 00931997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009297A7,?,?,00000800,?,00001073,00000000,?,?), ref: 009319C1

Part of subcall function 009318EE: GetWindowThreadProcessId.USER32(?,?), ref: 00931919
Part of subcall function 009318EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0092973C,00000034,?,?,00001004,00000000,00000000), ref: 00931929
Part of subcall function 009318EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0092973C,00000034,?,?,00001004,00000000,00000000), ref: 0093193F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00929D8E
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00929DDB

Strings

@, xrefs: 00929DF3

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 3ecd2729d885b65e27b90123a0d4b7f9a6b92bbbc528711d9d9cee8881a7db81
Instruction ID: 8930df3d749d2f737c6a32e4e08539f21823a82b0685bf631ae28c1ccbeca63d
Opcode Fuzzy Hash: 3ecd2729d885b65e27b90123a0d4b7f9a6b92bbbc528711d9d9cee8881a7db81
Instruction Fuzzy Hash: D3415976901218AFCB10DBA4DC91BEEBBB8EF49700F004095FA45B7191DA706E84DFA1

Function 00957BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0095F910,00000000,?,?,?,?), ref: 00957C4E
GetWindowLongW.USER32 ref: 00957C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00957C7B

Strings

SysTreeView32, xrefs: 00957C20

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5d6204ead54346e0c6d63bdf7a492d1f1b33d6f029cb0f6d538edda44d1dab61
Instruction ID: 20165358eec5a9520996a2c105f03a8bce3ebb552ff23e9654ea085448b7d3ad
Opcode Fuzzy Hash: 5d6204ead54346e0c6d63bdf7a492d1f1b33d6f029cb0f6d538edda44d1dab61
Instruction Fuzzy Hash: 1531ED31204206AADB118F79DC05BEAB7A9EF44335F244725FCB5D32E0C730E9549B50

Function 00957648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009576D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009576E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00957708

Strings

SysMonthCal32, xrefs: 0095769B

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ba78da16905792386daccdbe642801199c71156d84d9f919879b45ab4c6238b9
Instruction ID: d8ea52db55cc0bfb9b443ea8c6986a503507d9acc1f26e16da86a86d7e3527a2
Opcode Fuzzy Hash: ba78da16905792386daccdbe642801199c71156d84d9f919879b45ab4c6238b9
Instruction Fuzzy Hash: 4B21E232514219BBDF11CFA5DC46FEB3B79EF88724F110214FE15AB1D0D6B1A8549BA0

Function 00956F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00956FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00956FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00956FDF

Strings

Listbox, xrefs: 00956F77

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 0284565c55879bd3b9d737a908711dfec0da0751d0237941fde9203e2497d141
Instruction ID: 667fe6bb97883ceabdbb6e17788b1050a7a28e6f2db3f9cec332ffd45476e885
Opcode Fuzzy Hash: 0284565c55879bd3b9d737a908711dfec0da0751d0237941fde9203e2497d141
Instruction Fuzzy Hash: 7921F232A10218BFEF11CF55EC84FAB3BAEEF89765F418124FD049B190C671AC158BA0

Function 0095797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009579E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009579F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00957A03

Strings

msctls_trackbar32, xrefs: 009579B8

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 72245ff50da9fb2998e0cdc7a71570152c759c9ec6f41aa03deeaa5f3f8276c6
Instruction ID: 1a5e7048cab3a70798ef498ca733c3d916215d01bfcedfefa4c235e62cac42f3
Opcode Fuzzy Hash: 72245ff50da9fb2998e0cdc7a71570152c759c9ec6f41aa03deeaa5f3f8276c6
Instruction Fuzzy Hash: A211E332254208BAEF109FB6DC05FAB77ADEFC9B65F010519FA41A6090D271E811DB60

Function 008D4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,008D4C2E), ref: 008D4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008D4CB5

Strings

GetNativeSystemInfo, xrefs: 008D4CAF
kernel32.dll, xrefs: 008D4C9E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: eb81768c771114ba3439b07db9d204913eef73d85811d9c5a2fbac6ed5782c5f
Instruction ID: 3bced59d69797077790ba5dd3992cb326921d865eb115b6a8014a9ff29181b9b
Opcode Fuzzy Hash: eb81768c771114ba3439b07db9d204913eef73d85811d9c5a2fbac6ed5782c5f
Instruction Fuzzy Hash: 1ED01731524B23CFD7209F32DA28A0677E9EF057A6F11883A988AD6250E670D884CB51

Function 008D4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,008D4CE1,?), ref: 008D4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008D4DB4

Strings

kernel32.dll, xrefs: 008D4D9D
Wow64RevertWow64FsRedirection, xrefs: 008D4DAE

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 00766311015ce71f030ca163bcc9168f15e4d3762f06eb8e5f956c1d3ae8646f
Instruction ID: 76c8c10c3be61cf3a9e7974b474de784b24cc4886de712c1832a033e9e0dfe27
Opcode Fuzzy Hash: 00766311015ce71f030ca163bcc9168f15e4d3762f06eb8e5f956c1d3ae8646f
Instruction Fuzzy Hash: 8FD01731568B13CFD720AF72D818A46B7E5EF0536AF21883AD8D6D6250E770D884CB50

Function 008D4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,008D4D2E,?,008D4F4F,?,009962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008D4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008D4D81

Strings

kernel32.dll, xrefs: 008D4D6A
Wow64DisableWow64FsRedirection, xrefs: 008D4D7B

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 56f210fb60b3219de310e7f8e6f1aa241f5ee80c55a22da3c60bb552fe17a8a4
Instruction ID: 9d10dff14b8222de2707dda598fc1d7056d158c93f86f5bfc5b7af3796f30cb7
Opcode Fuzzy Hash: 56f210fb60b3219de310e7f8e6f1aa241f5ee80c55a22da3c60bb552fe17a8a4
Instruction Fuzzy Hash: 3BD01730528B13CFD720AF72D818616B7E9FF15376F21893A9896D6350E670D880CB60

Function 00951072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,009512C1), ref: 00951080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00951092

Strings

advapi32.dll, xrefs: 0095107B
RegDeleteKeyExW, xrefs: 0095108C

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: babcdfdf6de20d7fdc399a2d85ea7fe8f882cd7116170af055563894fc8ddfde
Instruction ID: 91598db695000a3e4a06a52ed3280a3414a3697fa3d89bc1d70670e54670bb77
Opcode Fuzzy Hash: babcdfdf6de20d7fdc399a2d85ea7fe8f882cd7116170af055563894fc8ddfde
Instruction Fuzzy Hash: A6D01230514712CFD720AF36D86861A76E8AF553A6B158C3DA8D5D7290D770C4C0C750

Function 009493F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00949009,?,0095F910), ref: 00949403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00949415

Strings

GetModuleHandleExW, xrefs: 0094940F
kernel32.dll, xrefs: 009493FE

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 2d9588faa3fae8d6b668994ab8db4b97ef65c1e632a0be8f8e816af476a2951f
Instruction ID: 02a92b2146dab6d07efaa9f10d911db4edfbe48560a35bc0d4d471efd0ed740a
Opcode Fuzzy Hash: 2d9588faa3fae8d6b668994ab8db4b97ef65c1e632a0be8f8e816af476a2951f
Instruction Fuzzy Hash: 1ED01234518723CFD7209F32D91D90776D9AF05366F11C83A94D5D6560DA70C480D751

Function 00911B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00911B42
__swprintf.LIBCMT ref: 00911B73

Strings

%.3d, xrefs: 00911B4D
WIN_XPe, xrefs: 00911BB2

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 60480a1a38e94eaceadca0076ea2bc4eca6beb1872a6ddf6c55d8564ba0ee6ba
Instruction ID: acde5a8c40393bf53db9feef0c735704ce957bc3239394d61e660e27e24bad8c
Opcode Fuzzy Hash: 60480a1a38e94eaceadca0076ea2bc4eca6beb1872a6ddf6c55d8564ba0ee6ba
Instruction Fuzzy Hash: 2CD0ECB195811CFACA449A9098448FA737CB704311F5009A2F602D1544F2289BC4EB25

Function 009276C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13b252062d31f95caec5efd70f0bf9efa69a325177365a7fbf78e384e880d57
Instruction ID: c1d71467a96dcf16717e311c4563b510a0b49530943ad153b4a6af46e47d09c1
Opcode Fuzzy Hash: e13b252062d31f95caec5efd70f0bf9efa69a325177365a7fbf78e384e880d57
Instruction Fuzzy Hash: B7C16D79A04226EFCB14CF94D884EAEF7B9FF48710B118599E805EB255D730ED81CB90

Function 0094E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0094E3D2
CharLowerBuffW.USER32(?,?), ref: 0094E415

Part of subcall function 0094DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0094DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0094E615
_memmove.LIBCMT ref: 0094E628

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: bf14680c49395032a09d7b62691e61ae12bb8667c1aac3be667b82821edaf145
Instruction ID: 865d22332ffcae3a00bc09d330aa6b4aa8a2d00af2c4836fe5108c8ba9711165
Opcode Fuzzy Hash: bf14680c49395032a09d7b62691e61ae12bb8667c1aac3be667b82821edaf145
Instruction Fuzzy Hash: 54C126716083119FCB14DF28C490A6ABBE4FF88714F14896EF999DB351E731E946CB82

Function 009483A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009483D8
CoUninitialize.OLE32 ref: 009483E3

Part of subcall function 0092DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0092DAC5

VariantInit.OLEAUT32(?), ref: 009483EE
VariantClear.OLEAUT32(?), ref: 009486BF

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: c7ecae4bee786f68ab40719728166da85e284534f8b11f46e597f125bf90dca3
Instruction ID: 2038cbc398a21e020b354cdb874455b7820fd11653e438ff53cddcb8070d7375
Opcode Fuzzy Hash: c7ecae4bee786f68ab40719728166da85e284534f8b11f46e597f125bf90dca3
Instruction Fuzzy Hash: 55A1F475204711AFCB10EF28C495E2ABBE5FF88314F154959F99A9B3A2CB34ED44CB42

Function 00927A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00962C7C,?), ref: 00927C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00962C7C,?), ref: 00927C4A
CLSIDFromProgID.OLE32(?,?,00000000,0095FB80,000000FF,?,00000000,00000800,00000000,?,00962C7C,?), ref: 00927C6F
_memcmp.LIBCMT ref: 00927C90

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: cdf9de91238fe829cf54f96888a36abbd14cb328a6591c089ae5021a9fde7689
Instruction ID: dfec31bcd41f31adaaf921c43d4ec5a4f4a0e3665480dc11453942d02a2e906d
Opcode Fuzzy Hash: cdf9de91238fe829cf54f96888a36abbd14cb328a6591c089ae5021a9fde7689
Instruction Fuzzy Hash: 30811771A00119EFCB00DFE4C884EAEB7B9FF89315F204599E506BB254DB31AE06CB61

Function 00926DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00926E04
SysAllocString.OLEAUT32(00000000), ref: 00926EAD
VariantCopy.OLEAUT32 ref: 00926EDC
VariantClear.OLEAUT32(?), ref: 00926F03

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 7b40ca8add096d088587859b6ac17547dc04b6367281e90a6311b6392b9901ca
Instruction ID: 89a8766e89b0864bf2c6d30c9e953607b2736108e256c738fd3bdceb0f27eb41
Opcode Fuzzy Hash: 7b40ca8add096d088587859b6ac17547dc04b6367281e90a6311b6392b9901ca
Instruction Fuzzy Hash: 0451FA306483119EDB30AFA9F491B7AF3E9EF49310F208C1FE596D7695DB3498449B01

Function 00959A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(01570690,?), ref: 00959AD2
ScreenToClient.USER32(00000002,00000002), ref: 00959B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00959B72

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7678cff716fac743c8e80b0f6cdeffc9cb49adca38841907c5f1320626cb10ea
Instruction ID: da719275b2388c5b9bd3c3a42db86dca27a58252d111f25e0e5d31a0bb865070
Opcode Fuzzy Hash: 7678cff716fac743c8e80b0f6cdeffc9cb49adca38841907c5f1320626cb10ea
Instruction Fuzzy Hash: 0E514F34A00209EFEF10DF69E980AAE7BBAFF55361F148259FC159B290D730AD45DB90

Function 00946CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00946CE4
WSAGetLastError.WSOCK32(00000000), ref: 00946CF4

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00946D58
WSAGetLastError.WSOCK32(00000000), ref: 00946D64

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 45b858cefe0764f54f909291d2ac5aa1d992afb107a5a22523772b5ba738476f
Instruction ID: 3b731d2c1efa7e1caf5542c00606a6b20a45f2234a97ad0f71b5bf55c4bd3868
Opcode Fuzzy Hash: 45b858cefe0764f54f909291d2ac5aa1d992afb107a5a22523772b5ba738476f
Instruction Fuzzy Hash: 7C41B475740210AFEB10AF28DC86F3A77E9EB44B24F448519FA59DB3D2DB709C008B92

Function 0094672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0095F910), ref: 009467BA
_strlen.LIBCMT ref: 009467EC

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 491657f5086816cf3383b33163c7dda65add704adc9cc4f83b57615df9d4b254
Instruction ID: d4eaeeaeee38ae14acbbaf48949b48c854e7b0864beb2741895cf90542402c7d
Opcode Fuzzy Hash: 491657f5086816cf3383b33163c7dda65add704adc9cc4f83b57615df9d4b254
Instruction Fuzzy Hash: E4418071A00214ABCB14EB68DCD5FAEB7A9EF49314F148266F91697392DB30AD01CB52

Function 0093BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0093BB09
GetLastError.KERNEL32(?,00000000), ref: 0093BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0093BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0093BB80

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 164f9bfe9fcd1c64347448062300bbcf2c50f85a559a8c3993058bbf7a80a071
Instruction ID: 756979e02bdf42f23b05415bc9c019313bb9f7bb54907dee682be9b7db5ecdac
Opcode Fuzzy Hash: 164f9bfe9fcd1c64347448062300bbcf2c50f85a559a8c3993058bbf7a80a071
Instruction Fuzzy Hash: 42411A39200610EFCB10EF19C594A59BBE1FF49320F099499F98A9B362CB34FD01DB92

Function 00958AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00958B4D

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 5721055007c7e62a8de883eeaaf49dcd8ae868f42c5476e60cdf03ed38ee309f
Instruction ID: bc16fce6d17c96a3f332ccad33bd29bac8678c5d4b0d8bbac73436990bbcd30b
Opcode Fuzzy Hash: 5721055007c7e62a8de883eeaaf49dcd8ae868f42c5476e60cdf03ed38ee309f
Instruction Fuzzy Hash: 8531E674605208BFEF20DF5ACC55FAB37ADEB05362F244A12FE51F62A0DE34A9489741

Function 0095ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0095AE1A
GetWindowRect.USER32(?,?), ref: 0095AE90
PtInRect.USER32(?,?,0095C304), ref: 0095AEA0
MessageBeep.USER32(00000000), ref: 0095AF11

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e1d742e2554a87e0719e5534d87612769bf30e66772b0d77bcf75bcdc537245e
Instruction ID: f402670e29ca290a51618ec01509616127bab3fe3d341b7eded0b1ee794f73a8
Opcode Fuzzy Hash: e1d742e2554a87e0719e5534d87612769bf30e66772b0d77bcf75bcdc537245e
Instruction Fuzzy Hash: D041CF70604209DFCB11CF5AD885B697BF5FF89352F1482A9EC05DB250D730A849DF56

Function 00930FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00931037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00931053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 009310B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0093110B

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2c2d4e0f4901b9fd431552f4541f854b1054bb12a32873279f0e91af327b1f09
Instruction ID: c22ea8a976997c111b712f90e8da32f1a474aab7dc8f937d9d1648b0a12d7b1b
Opcode Fuzzy Hash: 2c2d4e0f4901b9fd431552f4541f854b1054bb12a32873279f0e91af327b1f09
Instruction Fuzzy Hash: 6A314B30E44688AEFF388B668C057F9BBADAB88320F04421AF581561F1C37489D19F52

Function 00931121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00931176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00931192
PostMessageW.USER32(00000000,00000101,00000000), ref: 009311F1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00931243

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d8579b3a7d79d35b2e587a05ecc1bcc6a690806799b4d7ef8b0926d81b1ff147
Instruction ID: fe605353d409402c2fa03745df5489bde6e23dfdc2a16cf1e6a96ee9705d0ebe
Opcode Fuzzy Hash: d8579b3a7d79d35b2e587a05ecc1bcc6a690806799b4d7ef8b0926d81b1ff147
Instruction Fuzzy Hash: 83313A3094870C5EFF348AA68C187FA7BAEAB89320F04475AF591921F1D37849559F61

Function 00906415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0090644B
__isleadbyte_l.LIBCMT ref: 00906479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009064A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009064DD

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 6ad180f7b122917408abcf1d058ca88bc0ce677e633f3b762105dbaa5e8a1c86
Instruction ID: 155c4ad5c2281d3e9629e39ba3db26ff3d60acc90a2f8efaa15caf9489eff4ef
Opcode Fuzzy Hash: 6ad180f7b122917408abcf1d058ca88bc0ce677e633f3b762105dbaa5e8a1c86
Instruction Fuzzy Hash: 4D31AF3160425AEFDB218F79CC85BBA7BA9FF41320F154429F854971E1EB31D860DB90

Function 00955175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00955189

Part of subcall function 0093387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00933897
Part of subcall function 0093387D: GetCurrentThreadId.KERNEL32 ref: 0093389E
Part of subcall function 0093387D: AttachThreadInput.USER32(00000000,?,009352A7), ref: 009338A5

GetCaretPos.USER32(?), ref: 0095519A
ClientToScreen.USER32(00000000,?), ref: 009551D5
GetForegroundWindow.USER32 ref: 009551DB

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c05bdc0cfe6942c5101a93cb4bd3aed3f1db307e9f5af3e56b3b0903ec584c87
Instruction ID: da6be9bc43f8d199a3cd1c6de19f1b98549b053c253dca4be15fdf2c69899ed5
Opcode Fuzzy Hash: c05bdc0cfe6942c5101a93cb4bd3aed3f1db307e9f5af3e56b3b0903ec584c87
Instruction Fuzzy Hash: ED312F72900118AFDB00EFA9C885EEFB7FDEF98304F10406AE455E7241EA759E05CBA1

Function 0095C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

GetCursorPos.USER32(?), ref: 0095C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0090BBFB,?,?,?,?,?), ref: 0095C7D7
GetCursorPos.USER32(?), ref: 0095C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0090BBFB,?,?,?), ref: 0095C85E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 0f259609608cfb25d11b70638647843b8acab02eb5eb1abfc695c19f296bda27
Instruction ID: ed6f4afef8106c4dfb34c500f5097474373163956ef954ff72fe5ffc4c2a86e4
Opcode Fuzzy Hash: 0f259609608cfb25d11b70638647843b8acab02eb5eb1abfc695c19f296bda27
Instruction Fuzzy Hash: 7231A075600218BFCB15CF5AC898EFA7BBAEB49321F044169FE058B261C7319D55EFA0

Function 00928B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00928652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00928669
Part of subcall function 00928652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00928673
Part of subcall function 00928652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00928682
Part of subcall function 00928652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00928689
Part of subcall function 00928652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0092869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00928BEB
_memcmp.LIBCMT ref: 00928C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00928C44
HeapFree.KERNEL32(00000000), ref: 00928C4B

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 016e77a47f3b9de1113120fe44358b0869c6b8400d503611aaf6f102aafd04db
Instruction ID: 190de50f9766d74c27574e4a6f3d1da81e1a024d12757b528eb73ce6b93559d4
Opcode Fuzzy Hash: 016e77a47f3b9de1113120fe44358b0869c6b8400d503611aaf6f102aafd04db
Instruction Fuzzy Hash: EC21AC71E02219EFDB00DFA4D949BEFB7B8EF40355F144099E494A7240DB30AE06DB60

Function 008F0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 008F0BF2

Part of subcall function 008D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00937B20,?,?,00000000), ref: 008D5B8C
Part of subcall function 008D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00937B20,?,?,00000000,?,?), ref: 008D5BB0

_fprintf.LIBCMT ref: 008F0C29
OutputDebugStringW.KERNEL32(?), ref: 00926331

Part of subcall function 008F4CDA: _flsall.LIBCMT ref: 008F4CF3

__setmode.LIBCMT ref: 008F0C5E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: c3f848c2cc4f240b1eb3128c476cda48c4b9ec87e57e6da908aa7c444fa37805
Instruction ID: 69c24eb68a251795358ac08e35916be241a60a22fdd5168f46cefe16103429b1
Opcode Fuzzy Hash: c3f848c2cc4f240b1eb3128c476cda48c4b9ec87e57e6da908aa7c444fa37805
Instruction Fuzzy Hash: 9B11E432A0421C7EDB04B7B8AC46ABF7B69FF81320F14021BF314D7292DE615D969796

Function 00941A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00941A97

Part of subcall function 00941B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00941B40
Part of subcall function 00941B21: InternetCloseHandle.WININET(00000000), ref: 00941BDD

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 56a904dff1a65ee16b6081ff6683d671e35c90604ba3cb7d286981d06e286363
Instruction ID: b4f4f0f2432e8ceaa88e7eb874e14f8a79adc77d0fab8d42afe86ceac652bc14
Opcode Fuzzy Hash: 56a904dff1a65ee16b6081ff6683d671e35c90604ba3cb7d286981d06e286363
Instruction Fuzzy Hash: F721C035204701BFEB169F61CC01FBBBBADFF88711F10041AFA5596661EB71E851ABA0

Function 0092E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0092F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0092E1C4,?,?,?,0092EFB7,00000000,000000EF,00000119,?,?), ref: 0092F5BC
Part of subcall function 0092F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0092F5E2
Part of subcall function 0092F5AD: lstrcmpiW.KERNEL32(00000000,?,0092E1C4,?,?,?,0092EFB7,00000000,000000EF,00000119,?,?), ref: 0092F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0092EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0092E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0092E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0092EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0092E237

Strings

cdecl, xrefs: 0092E22E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 8763670225b38cef816ee53ce0952629742e85910618dcc8320ab7bb7eebff10
Instruction ID: ebcf3625d89c4506b92f1674e448805c6bb9adfe5d58f5494a2a8a9fc5fe59f6
Opcode Fuzzy Hash: 8763670225b38cef816ee53ce0952629742e85910618dcc8320ab7bb7eebff10
Instruction Fuzzy Hash: 4211BE36204315EFCB25AF74E885E7A77BCFF84350B40402AF816CB2A8EB719850D7A0

Function 00905332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00905351

Part of subcall function 008F594C: __FF_MSGBANNER.LIBCMT ref: 008F5963
Part of subcall function 008F594C: __NMSG_WRITE.LIBCMT ref: 008F596A
Part of subcall function 008F594C: RtlAllocateHeap.NTDLL(01550000,00000000,00000001,00000000,?,?,?,008F1013,?), ref: 008F598F

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 85ecc728b172c37cb5f7fca5717d0e607c20ad8a6692dd1e720d550292642dfa
Instruction ID: 7143e846d785f827ee5087700180d90fe0ed179ec404125032aa140ce7e22f2d
Opcode Fuzzy Hash: 85ecc728b172c37cb5f7fca5717d0e607c20ad8a6692dd1e720d550292642dfa
Instruction Fuzzy Hash: 9611BC32508A19EECB213B78AC0566E3B98EF143E0B21482AFA04DB1D0DAB589409B91

Function 008D4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008D4560

Part of subcall function 008D410D: _memset.LIBCMT ref: 008D418D
Part of subcall function 008D410D: _wcscpy.LIBCMT ref: 008D41E1
Part of subcall function 008D410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008D41F1

KillTimer.USER32(?,00000001,?,?), ref: 008D45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008D45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0090D6CE

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 85fdf4aa4cc2da5e37beadc3c2c1c6c611082ec4b6c64be38f13e2541cdeeb2c
Instruction ID: a2d86a8ec1b8739e3e84a2cd44cb6f2eb47cd709ea9a3ccfb7349d5a3cde6602
Opcode Fuzzy Hash: 85fdf4aa4cc2da5e37beadc3c2c1c6c611082ec4b6c64be38f13e2541cdeeb2c
Instruction Fuzzy Hash: DE212670909784AFEB328B64DC55BEBBBECEF01318F00009EE29E96281C7755A84DB51

Function 0094667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00937B20,?,?,00000000), ref: 008D5B8C
Part of subcall function 008D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00937B20,?,?,00000000,?,?), ref: 008D5BB0

gethostbyname.WSOCK32(?,?,?), ref: 009466AC
WSAGetLastError.WSOCK32(00000000), ref: 009466B7
_memmove.LIBCMT ref: 009466E4
inet_ntoa.WSOCK32(?), ref: 009466EF

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 9216577ce57842baa244939c9eea3d55a73b11a7cffe5842613e6351097f3de5
Instruction ID: fd78022b14feaab3e49f25633349861fceb0bc92cabad645fbdf6b93d8521e5d
Opcode Fuzzy Hash: 9216577ce57842baa244939c9eea3d55a73b11a7cffe5842613e6351097f3de5
Instruction Fuzzy Hash: C5114C75500609ABCB00EBA8D996DEEB7B8FF44321B144166F502E7261DF30AE04DB62

Function 00929023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00929043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00929055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0092906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00929086

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fea8a1854e2d8bffbf4a70f2a3e442a6c83ed85ee264c993baaa1ca59713fb83
Instruction ID: a695fa15c3964655df57dec3570881cfdc6276c726d0f0a77854c6dad6234b17
Opcode Fuzzy Hash: fea8a1854e2d8bffbf4a70f2a3e442a6c83ed85ee264c993baaa1ca59713fb83
Instruction Fuzzy Hash: 8A115E79941218FFEB10DFA5CC84F9DBBB8FB48710F2040A5EA04B7254D6716E10DB90

Function 008D1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 008D2612: GetWindowLongW.USER32(?,000000EB), ref: 008D2623

DefDlgProcW.USER32(?,00000020,?), ref: 008D12D8
GetClientRect.USER32(?,?), ref: 0090B84B
GetCursorPos.USER32(?), ref: 0090B855
ScreenToClient.USER32(?,?), ref: 0090B860

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 579b2f6ddd071662e310177520dda3e94cfd9b366226bbc135a2744625d5a047
Instruction ID: 03d24d2a1ccc9487e5ff16f126f3de375634f2ccc9c22ae906c3bd9ebc9b51ff
Opcode Fuzzy Hash: 579b2f6ddd071662e310177520dda3e94cfd9b366226bbc135a2744625d5a047
Instruction Fuzzy Hash: C0115535A10119BFCF00EFA9D8899BE77B9FF05311F000556F901E3250D731AA519BA6

Function 00931652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009301FD,?,00931250,?,00008000), ref: 0093166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,009301FD,?,00931250,?,00008000), ref: 00931694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009301FD,?,00931250,?,00008000), ref: 0093169E
Sleep.KERNEL32(?,?,?,?,?,?,?,009301FD,?,00931250,?,00008000), ref: 009316D1

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a86d2c8d712de97ce443eb2cbf8354a17357d9009e61c8a985123a9c83dae9d5
Instruction ID: 0a8249b35282ba83904329bff9db0212b1c894d5442070127d2666fbae45815c
Opcode Fuzzy Hash: a86d2c8d712de97ce443eb2cbf8354a17357d9009e61c8a985123a9c83dae9d5
Instruction Fuzzy Hash: 4B118E31C19A1DDBCF00AFE6D85AAEEBB78FF09716F044055E940B2250CB3055609FD6

Function 00907207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0090722B

Part of subcall function 00907912: __fltout2.LIBCMT ref: 0090793B

__cftog_l.LIBCMT ref: 00907251
__cftoe_l.LIBCMT ref: 00907283

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 50feec98bb02685a66ee99191c3714038b3b2e333de5373225d2bacb1f164c80
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 5001403684414EBFCF525FC8CC018EE7F66BF59361B588515FA2898071D237E9B1AB81

Function 0095B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0095B59E
ScreenToClient.USER32(?,?), ref: 0095B5B6
ScreenToClient.USER32(?,?), ref: 0095B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0095B5F5

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: d699e4bef185bfb73447fbc1799b5ccf32507646214166304f749e0f740a8098
Instruction ID: 45db50ad3ecf49609e8eeb2f93bf6b93c9a0177b6e350097ff796e382a47d646
Opcode Fuzzy Hash: d699e4bef185bfb73447fbc1799b5ccf32507646214166304f749e0f740a8098
Instruction Fuzzy Hash: A91143B9D0520DEFDB41CFA9C8849EEFBB9FB08311F108166E914E3220D735AA559F90

Function 0095B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0095B8FE
_memset.LIBCMT ref: 0095B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00997F20,00997F64), ref: 0095B93C
CloseHandle.KERNEL32 ref: 0095B94E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: fe0cf9e19f27710dba5f2ffccae03677ba3d6db99ee6ffcda8473b32dae80e09
Instruction ID: 58e3c4c0585d91f5852d6419ebf3f165516767347c61c2482da2c82a212693b5
Opcode Fuzzy Hash: fe0cf9e19f27710dba5f2ffccae03677ba3d6db99ee6ffcda8473b32dae80e09
Instruction Fuzzy Hash: 07F054B25683047BF61027B9AC05F7BBA9CEB09355F000022BB08F51A1DB71490097B9

Function 00936E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00936E88

Part of subcall function 0093794E: _memset.LIBCMT ref: 00937983

_memmove.LIBCMT ref: 00936EAB
_memset.LIBCMT ref: 00936EB8
LeaveCriticalSection.KERNEL32(?), ref: 00936EC8

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 57e41c5e726ba1d3e1f9600a050de37cf1740896fc2ed57213395a360d6ebe5f
Instruction ID: 7b443750da0e5bb8b4840ca9a520a7b103ba4976f4337b7caa1e78eb3eaba952
Opcode Fuzzy Hash: 57e41c5e726ba1d3e1f9600a050de37cf1740896fc2ed57213395a360d6ebe5f
Instruction Fuzzy Hash: A5F0547A104204ABCF016F55EC85B5ABB2AEF85331F048061FE089E216CB31E911DBB5

Function 0095C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 008D12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008D134D
Part of subcall function 008D12F3: SelectObject.GDI32(?,00000000), ref: 008D135C
Part of subcall function 008D12F3: BeginPath.GDI32(?), ref: 008D1373
Part of subcall function 008D12F3: SelectObject.GDI32(?,00000000), ref: 008D139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0095C030
LineTo.GDI32(00000000,?,?), ref: 0095C03D
EndPath.GDI32(00000000), ref: 0095C04D
StrokePath.GDI32(00000000), ref: 0095C05B

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e58f6793d579b1a73c9c6a321423bc340464137b5d29a13cb080c55b5b79be95
Instruction ID: 4ba7b46bc202bbc4ca189d3107df04a7f388fbf9e3dfd7cfaf6c2c80c294844d
Opcode Fuzzy Hash: e58f6793d579b1a73c9c6a321423bc340464137b5d29a13cb080c55b5b79be95
Instruction Fuzzy Hash: 7FF05E32019359BBDB126F66AC0DFCE3F99AF05322F084041FA11610E287765655EB95

Function 0092A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0092A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0092A3AC
GetCurrentThreadId.KERNEL32 ref: 0092A3B3
AttachThreadInput.USER32(00000000), ref: 0092A3BA

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: e1632420bde5400da70a55caee6e4cec00feafaaf5cca2b0203d0856f1a593f0
Instruction ID: e030ebeaa1d8e0d8fe0f96d38a1bccfa9038d48f72998930b422d6f6651f8ef3
Opcode Fuzzy Hash: e1632420bde5400da70a55caee6e4cec00feafaaf5cca2b0203d0856f1a593f0
Instruction Fuzzy Hash: A3E0C93254A338BBDB205BA2EC1DED77F5CEF167B2F008025F50995061C6758540EBA1

Function 008D2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008D2231
SetTextColor.GDI32(?,000000FF), ref: 008D223B
SetBkMode.GDI32(?,00000001), ref: 008D2250
GetStockObject.GDI32(00000005), ref: 008D2258
GetWindowDC.USER32(?,00000000), ref: 0090C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0090C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0090C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0090C112
GetPixel.GDI32(00000000,?,?), ref: 0090C132
ReleaseDC.USER32(?,00000000), ref: 0090C13D

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 3d13aad587642c60d34225dbb1164a027fcc18088846611f08c157310b3cddf9
Instruction ID: bb8df2bcfcfe8eacbd397610e7cafb7482f6f4a3abeace38bc7e96c3b08200ee
Opcode Fuzzy Hash: 3d13aad587642c60d34225dbb1164a027fcc18088846611f08c157310b3cddf9
Instruction Fuzzy Hash: 7EE06D32118644EEDF215F75FC0DBE87B24EB15337F008366FAA9880E187714980EB11

Function 00928C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00928C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0092882E), ref: 00928C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0092882E), ref: 00928C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0092882E), ref: 00928C7E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3b285bfec36db69dc6259576304a74f0e2e998115b5503db8568a10d7c62b68e
Instruction ID: 2149930eb374ee11bcc46ade4f8fdef31c842e63e0847fc13e1ee9b1321c0d1e
Opcode Fuzzy Hash: 3b285bfec36db69dc6259576304a74f0e2e998115b5503db8568a10d7c62b68e
Instruction Fuzzy Hash: C2E04F766563219BD7205FB26D0CB573BACAF507A3F084828E285DA080DA3484469B61

Function 00912187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00912187
GetDC.USER32(00000000), ref: 00912191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009121B1
ReleaseDC.USER32(?), ref: 009121D2

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 53a6db4ab56a91d51f71ec3871b1af0890a87277f33c41dcb96ddb4702d06f44
Instruction ID: b5dd09ccb19f8fcf9419e4143687c996df38310b0de1e38845d125809d5bdb3f
Opcode Fuzzy Hash: 53a6db4ab56a91d51f71ec3871b1af0890a87277f33c41dcb96ddb4702d06f44
Instruction Fuzzy Hash: EAE0E575815218EFDF019F65C818A9D7BB1FB4C362F108426F95AD7260DB388141AF40

Function 0091219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0091219B
GetDC.USER32(00000000), ref: 009121A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009121B1
ReleaseDC.USER32(?), ref: 009121D2

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f9cc9678b2b2b8c5de61d517dcd0ef41cad7e502ef2ebbad9e35816c17e89dc6
Instruction ID: d263022b694de0612c51030fae312d5fdbf13dc65630a9f6cd20f2335961c0ec
Opcode Fuzzy Hash: f9cc9678b2b2b8c5de61d517dcd0ef41cad7e502ef2ebbad9e35816c17e89dc6
Instruction Fuzzy Hash: CAE0E575815218AFCF019F75C81869D7BA1FB4C322F108025F95AD7260DB389141AF40

Function 0092B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0092B981

Strings

AutoIt3GUI, xrefs: 0092B8F9
Container, xrefs: 0092B8FE

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 63b4cae441ba62fdf5d55b74796a6530b6b14a97ad8b0188e1dd95ed7b7e0d78
Instruction ID: d4ede75b38e32853593a7d578d5830362cbc4d79ccbc7d06588ae1176134e5c5
Opcode Fuzzy Hash: 63b4cae441ba62fdf5d55b74796a6530b6b14a97ad8b0188e1dd95ed7b7e0d78
Instruction Fuzzy Hash: 88914874600611AFDB24DF28D884B6ABBE8FF48710F24856EF94ACB395DB70E840CB50

Function 0093B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 008EFEC6: _wcscpy.LIBCMT ref: 008EFEE9

Part of subcall function 008D9997: __itow.LIBCMT ref: 008D99C2
Part of subcall function 008D9997: __swprintf.LIBCMT ref: 008D9A0C

__wcsnicmp.LIBCMT ref: 0093B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0093B361

Strings

LPT, xrefs: 0093B292

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 8ca278b2a63a4bf5dd374ec467bdfbc3d2b4e6552abd68b1a421f819645c0cec
Instruction ID: a18586d81db84e23d65d9573d0c84a2583e6d3ddf2fdea25287252dbbeb2c337
Opcode Fuzzy Hash: 8ca278b2a63a4bf5dd374ec467bdfbc3d2b4e6552abd68b1a421f819645c0cec
Instruction Fuzzy Hash: A5618075A00215AFCB14EF58C895EAEB7B8FF08310F11455AFA46AB351DB70AE40CF51

Function 008E2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 008E2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 008E2AE1

Strings

@, xrefs: 008E2AD5

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cde099e30fcd4881c979679fbb11e8cf1c3e9f1930335c71f2b7d1931099cebf
Instruction ID: d3deeebdd65cf07a098acdf2c68f0959c74e045e26f4d78fd8326464a69ab52e
Opcode Fuzzy Hash: cde099e30fcd4881c979679fbb11e8cf1c3e9f1930335c71f2b7d1931099cebf
Instruction Fuzzy Hash: 145149724187549BD320AF14DC86BAFBBE8FF84314F42895DF1D9911A1DB308969CB17

Function 009399BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 008D506B: __fread_nolock.LIBCMT ref: 008D5089

_wcscmp.LIBCMT ref: 00939AAE
_wcscmp.LIBCMT ref: 00939AC1

Strings

FILE, xrefs: 009399FA

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: d44468d34b05add16fd8f4abdb7c6f8c3f93d73d8df7f1f87dab173a80f86dca
Instruction ID: ef3ffbdadb66cd9429189ac044ac68dcb712c089fd61023f2410428a8b3daed5
Opcode Fuzzy Hash: d44468d34b05add16fd8f4abdb7c6f8c3f93d73d8df7f1f87dab173a80f86dca
Instruction Fuzzy Hash: BC41B971A00619BBDF209AA4DC45FEFBBBDEF45714F00047AF900E7281D6B59E048BA2

Function 00942882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00942892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009428C8

Strings

|, xrefs: 00942899

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 4da88296863468b5854cb5a88ce0f88744450f040d481f30c079062507bc228a
Instruction ID: e2ffff8a16f45eeb488dce2a1e09f72ef8e3111f991670cf451c3825fc10de96
Opcode Fuzzy Hash: 4da88296863468b5854cb5a88ce0f88744450f040d481f30c079062507bc228a
Instruction Fuzzy Hash: 82313D71810119AFCF01EFA5CC85EEEBFB9FF08350F10412AF815A6266EB315A56DB61

Function 00957CE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00957DD0
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00957DE5

Strings

', xrefs: 00957D39

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: ab500cc3c625afe5c320de8dc69b5223ee4432fb51709cb0c3435e6fb7bcf137
Instruction ID: c6afd8b25af3d03e46b0364a0e6aab46c265426a857ab64e168bbddfa7deff0d
Opcode Fuzzy Hash: ab500cc3c625afe5c320de8dc69b5223ee4432fb51709cb0c3435e6fb7bcf137
Instruction Fuzzy Hash: 7F411874A053099FDB10CFAAD881BEABBB9FF09301F10016AED059B381D730AA45CF90

Function 00956CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00956D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00956DC2

Strings

static, xrefs: 00956D22

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a010839821e8d447d0b87f4b8f21649ca00717efcb6f2fcbfb50dfb5c6177d42
Instruction ID: 3ef9ab8e8e864e38fd453157e207d27c96601a6d16f37aa0d79d4e2650b70a8f
Opcode Fuzzy Hash: a010839821e8d447d0b87f4b8f21649ca00717efcb6f2fcbfb50dfb5c6177d42
Instruction Fuzzy Hash: 16318D71210604AAEB10DF69CC90BFB77BDFF88721F508A19F9A5C7190DA31AC95DB60

Function 00932D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00932E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00932E3B

Strings

0, xrefs: 00932DF9

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 3cd25ac0aad85ed16b987c4869cf10a3b07640d2590d2cc1ff8aecbd4a295dde
Instruction ID: 970e71f70e5052ff2bd37142bf204db9dc936f0c2fc1f8dfc25098eeb418c538
Opcode Fuzzy Hash: 3cd25ac0aad85ed16b987c4869cf10a3b07640d2590d2cc1ff8aecbd4a295dde
Instruction Fuzzy Hash: DB31E631604309EBEB34CF58D846BAEBBBDFF45350F14042AE995E61A0E7749940CF51

Function 00943CDD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00943D5A

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Strings

, $, xrefs: 00943D9A
AUTOITCALLVARIABLE%d, xrefs: 00943D4C

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 073512f4a0b5587660b6d64e8f392473020a2c28578d8c3e26b041c1c29baebd
Instruction ID: 8d4a3f8a926ff8498c66c948a18f0053dfa002a72bc2124d6f07e3ec3a21974a
Opcode Fuzzy Hash: 073512f4a0b5587660b6d64e8f392473020a2c28578d8c3e26b041c1c29baebd
Instruction Fuzzy Hash: 69215371A00219ABCF14EF68CC81FAD77A5FF94714F444595F405E7281EB34EA45CBA2

Function 00956943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009569D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009569DB

Strings

Combobox, xrefs: 0095699D

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d754452f6bd9f58746caab25234981be885daa6effa0a71bf431f2ac499bf8f0
Instruction ID: bc95859719afc3e439746260e4795f8388d7b2aa4e4f14c4b6f343b28314ea71
Opcode Fuzzy Hash: d754452f6bd9f58746caab25234981be885daa6effa0a71bf431f2ac499bf8f0
Instruction Fuzzy Hash: C911E2712002086FEF11DF29CCA0EAB376EEB893A5F500125FD5897290D6319C5587A0

Function 00956E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 008D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008D1D73
Part of subcall function 008D1D35: GetStockObject.GDI32(00000011), ref: 008D1D87
Part of subcall function 008D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008D1D91

GetWindowRect.USER32(00000000,?), ref: 00956EE0
GetSysColor.USER32(00000012), ref: 00956EFA

Strings

static, xrefs: 00956EBD

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3e3d094274cafbf68da204c23156a7515122066a4d0075cb8d44bfe1f0307575
Instruction ID: 5edfa7d760ccc140129fabe42328147d42e1ea5c5f2b986c9587a8f23c52e240
Opcode Fuzzy Hash: 3e3d094274cafbf68da204c23156a7515122066a4d0075cb8d44bfe1f0307575
Instruction Fuzzy Hash: 0A215972A20209AFDF04DFA9CD45AFA7BB8FB08315F044629FD55D3250E734E8659B50

Function 00956B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00956C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00956C20

Strings

edit, xrefs: 00956BF5

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: fe1da73ba937cb233a278f7da8836a57ac3fc5254ef9052d46b7eec46c4c06a2
Instruction ID: 963f336128aa6f40f84ca6a71e51c579438b46e170c8bc0acf60ebad0ddfc638
Opcode Fuzzy Hash: fe1da73ba937cb233a278f7da8836a57ac3fc5254ef9052d46b7eec46c4c06a2
Instruction Fuzzy Hash: B1119D71105208ABEF108E65DC41ABB376DEB4437AF904724FEA0D71E0C735EC99A760

Function 00932E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00932F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00932F30

Strings

0, xrefs: 00932F07

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: c0497647065d15a94f7e5e893b3049e83399340784f3a0ee6fef6b70534be4d9
Instruction ID: 584e98762585e5163e780864cd5d3de32f596a1def4fe8157f98d26f65a556e7
Opcode Fuzzy Hash: c0497647065d15a94f7e5e893b3049e83399340784f3a0ee6fef6b70534be4d9
Instruction Fuzzy Hash: 4A11EF32915228ABCB20DF5DDC45BAA73BDEB05350F0800A2E944AB2A0D7B0EE04CF91

Function 009424CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00942520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00942549

Strings

<local>, xrefs: 00942511

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 8c19d645ed4071586db50a43fcae1d4646fcfdf15be39471c64c4be4be0a70a5
Instruction ID: 0545f3ff47917798ff7909409b367131ae73dd72d74cb75d98cb02cc83a6ed47
Opcode Fuzzy Hash: 8c19d645ed4071586db50a43fcae1d4646fcfdf15be39471c64c4be4be0a70a5
Instruction Fuzzy Hash: 2511CEB0601225BADB249F628C99EBBFFACFF06765F50812AF90547140D2B46981DBF0

Function 009480A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0094830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,009480C8,?,00000000,?,?), ref: 00948322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009480CB
htons.WSOCK32(00000000,?,00000000), ref: 00948108

Strings

255.255.255.255, xrefs: 009480E3

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: a7b417bcce42cbe6dec7ff20cb9a998fed83079c5fb2cbe1614b091edf6c8bf5
Instruction ID: 77d721b0b6140bc6f6a72d44cedac2c3806a7994ab4ee22986e176c5aa93ee6c
Opcode Fuzzy Hash: a7b417bcce42cbe6dec7ff20cb9a998fed83079c5fb2cbe1614b091edf6c8bf5
Instruction Fuzzy Hash: 5811E134204315ABDB20AF64CC46FFEB374FF48320F108627EA1197291DB72A801C795

Function 009292E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 0092B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0092B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00929355

Strings

ListBox, xrefs: 0092931F
ComboBox, xrefs: 009292F4

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 85421f5ef8c8f6da53ded5d0ca38c873cd19739fbc6ddf33d72ef8bd23f3b5e2
Instruction ID: 70e8b66d5859eb8edc93bd502d8b9a9eda559996b6ed9cf05463f3b3fbce777e
Opcode Fuzzy Hash: 85421f5ef8c8f6da53ded5d0ca38c873cd19739fbc6ddf33d72ef8bd23f3b5e2
Instruction Fuzzy Hash: F801D271A45224AB8B04EB64CC919FE73A9FF46320F14071AF832973D5DB3158088751

Function 009291DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 0092B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0092B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0092924D

Strings

ListBox, xrefs: 00929217
ComboBox, xrefs: 009291EC

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 27956885180476ef610eed7dd3408ef88e8575347100e5d49a62e74ba400b812
Instruction ID: 9d2dec4d3a30373e916e36b4dd9dd3b0554678679891507972658e05f7d1d726
Opcode Fuzzy Hash: 27956885180476ef610eed7dd3408ef88e8575347100e5d49a62e74ba400b812
Instruction Fuzzy Hash: DB01A771A41229BBCB19EBA4D992EFF73ACEF45300F14011AB912A7385EE155F0C9672

Function 00929264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D7F41: _memmove.LIBCMT ref: 008D7F82

Part of subcall function 0092B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0092B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 009292D0

Strings

ListBox, xrefs: 0092929C
ComboBox, xrefs: 00929271

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 49b543d439fc1db811a79c667c995634192eefe9ad73b52e5547d5d0db36b8cc
Instruction ID: 00c925ab828ce528732a40b5914afc989610b15927147081fb6d9a9cfe2c57fe
Opcode Fuzzy Hash: 49b543d439fc1db811a79c667c995634192eefe9ad73b52e5547d5d0db36b8cc
Instruction Fuzzy Hash: CE01DB71A41129BBCB15F7A4D982EFF77ACEF11300F2401167812B3385DA155F0C9272

Function 009351CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009351E8
_wcscmp.LIBCMT ref: 009351FA

Strings

#32770, xrefs: 009351F4

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: a6409c16e708413ab8a8695bcf5506fc047be029fe5fbf337673c567853bee3d
Instruction ID: f16886632beba5ca38535d41774f72b1d745b1f9b7334211f5dbeb9ab4e54635
Opcode Fuzzy Hash: a6409c16e708413ab8a8695bcf5506fc047be029fe5fbf337673c567853bee3d
Instruction Fuzzy Hash: CFE06832A0432C2BE320AAA9AC09FA7F7ACFB45731F01006BFD20D3040E5609A448BE1

Function 009281BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009281CA

Part of subcall function 008F3598: _doexit.LIBCMT ref: 008F35A2

Strings

Error allocating memory., xrefs: 009281C3
AutoIt, xrefs: 009281BE

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 84979de4cb037e32dd153df2295cb313443d3a576e5f9b4452dd2ea1c8b515ee
Instruction ID: 4d3136990a6419524a47071e204eb867983ff5b05d85df88e2ded27ab2500383
Opcode Fuzzy Hash: 84979de4cb037e32dd153df2295cb313443d3a576e5f9b4452dd2ea1c8b515ee
Instruction Fuzzy Hash: A7D05B323C672C32D21432BD6C0BFDA76489B55B56F044016FB08D55D38DD5599153DA

Function 0090B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0090B564: _memset.LIBCMT ref: 0090B571

Part of subcall function 008F0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0090B540,?,?,?,008D100A), ref: 008F0B89

IsDebuggerPresent.KERNEL32(?,?,?,008D100A), ref: 0090B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008D100A), ref: 0090B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0090B54E

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: da9ba24fdac47746fe095abe0ad5c8ffd7ab6ec01f5c8b61791ab115cf7f80f6
Instruction ID: 77ba2ab8ae57e57134ff3d9313f73e678687964873c5250856590428173a2fbb
Opcode Fuzzy Hash: da9ba24fdac47746fe095abe0ad5c8ffd7ab6ec01f5c8b61791ab115cf7f80f6
Instruction Fuzzy Hash: 06E06DB02147118FD720DF29D8047467BE4AF00755F00896DF456C3791E7B4D408CB61

Function 00955BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00955BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00955C08

Part of subcall function 009354E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0093555E

Strings

Shell_TrayWnd, xrefs: 00955BEE

Memory Dump Source

Source File: 00000000.00000002.2075171700.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.2075141804.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.000000000095F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075223628.0000000000985000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075272392.000000000098F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2075292679.0000000000998000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_Arrival Notice.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c69e9f36f3ab309c762895e714999fc5ee136c17118e87f31b25a086676329a3
Instruction ID: 9dc280995aa2b0834ea28c11cc717bcf8f28f976c1b808aa94b39cde71cbfe89
Opcode Fuzzy Hash: c69e9f36f3ab309c762895e714999fc5ee136c17118e87f31b25a086676329a3
Instruction Fuzzy Hash: 88D0C9313AC311B7E768BB71AC5FFA76A14AB44B62F050825B745AA1E0D9E45801D750

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Arrival Notice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autA3B6.tmp

C:\Users\user\AppData\Local\Temp\autA405.tmp

C:\Users\user\AppData\Local\Temp\autA6F2.tmp

C:\Users\user\AppData\Local\Temp\autA731.tmp

C:\Users\user\AppData\Local\Temp\autDC1B.tmp

C:\Users\user\AppData\Local\Temp\autDC8A.tmp

C:\Users\user\AppData\Local\Temp\brawlys

C:\Users\user\AppData\Local\Temp\misrun

C:\Users\user\AppData\Local\directory\name.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Static File Info

Windows Analysis Report
Arrival Notice.exe

Function 008D3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 008D4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 008D4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 009393DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 008D3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 008D3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 008D71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 008D3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre