Edit tour

Windows Analysis Report
Termination_List_November_2024_pdf.exe

Overview

General Information

Sample name:	Termination_List_November_2024_pdf.exe
Analysis ID:	1549797
MD5:	983ba873783035b8788b52067fbd0da0
SHA1:	09388dea375a27a652493ed2d72af2007c67557c
SHA256:	a621353d9ba0b680e8f65d1951b47a74a08c1dc903eb071a64680a7a46793197
Tags:	exeuser-threatcat_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Found API chain indicative of sandbox detection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Termination_List_November_2024_pdf.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe" MD5: 983BA873783035B8788B52067FBD0DA0)

RegSvcs.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

sgxIb.exe (PID: 7660 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sgxIb.exe (PID: 7892 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.4122762266.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34f7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34fee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35078:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3510a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35174:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x351e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3527c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3530c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32170:$s2: GetPrivateProfileString 0x317fa:$s3: get_OSFullName 0x32f6b:$s5: remove_Key 0x33157:$s5: remove_Key 0x34075:$s6: FtpWebRequest 0x34f5e:$s7: logins 0x354d0:$s7: logins 0x38227:$s7: logins 0x38293:$s7: logins 0x39d12:$s7: logins 0x38e2d:$s9: 1.85 (Hash, version 2, native byte-order)
00000001.00000002.4122762266.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4122762266.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.4121919060.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4121919060.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Termination_List_November_2024_pdf.exe PID: 7428	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Termination_List_November_2024_pdf.exe PID: 7428	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7444	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34f7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34fee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35078:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3510a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35174:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x351e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3527c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3530c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32170:$s2: GetPrivateProfileString 0x317fa:$s3: get_OSFullName 0x32f6b:$s5: remove_Key 0x33157:$s5: remove_Key 0x34075:$s6: FtpWebRequest 0x34f5e:$s7: logins 0x354d0:$s7: logins 0x38227:$s7: logins 0x38293:$s7: logins 0x39d12:$s7: logins 0x38e2d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34f7c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34fee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35078:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3510a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35174:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x351e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3527c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3530c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32170:$s2: GetPrivateProfileString 0x317fa:$s3: get_OSFullName 0x32f6b:$s5: remove_Key 0x33157:$s5: remove_Key 0x34075:$s6: FtpWebRequest 0x34f5e:$s7: logins 0x354d0:$s7: logins 0x38227:$s7: logins 0x38293:$s7: logins 0x39d12:$s7: logins 0x38e2d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Termination_List_November_2024_pdf.exe.15f0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Termination_List_November_2024_pdf.exe.15f0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Termination_List_November_2024_pdf.exe.15f0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3317c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x331ee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33278:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3330a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33374:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x333e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3347c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3350c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Termination_List_November_2024_pdf.exe.15f0000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30370:$s2: GetPrivateProfileString 0x2f9fa:$s3: get_OSFullName 0x3116b:$s5: remove_Key 0x31357:$s5: remove_Key 0x32275:$s6: FtpWebRequest 0x3315e:$s7: logins 0x336d0:$s7: logins 0x36427:$s7: logins 0x36493:$s7: logins 0x37f12:$s7: logins 0x3702d:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7444, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sgxIb

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-06T03:28:15.764740+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	49735	TCP
2024-11-06T03:28:44.296923+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	58527	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Termination_List_November_2024_pdf.exe

Avira: detected

Found malware configuration

Source: 1.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}

Multi AV Scanner detection for submitted file

Source: Termination_List_November_2024_pdf.exe	ReversingLabs: Detection: 44%
Source: Termination_List_November_2024_pdf.exe	Virustotal: Detection: 36%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Termination_List_November_2024_pdf.exe

Joe Sandbox ML: detected

Source: Termination_List_November_2024_pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2

Source:	Binary string: RegSvcs.pdb, source: sgxIb.exe, 00000002.00000000.1792725324.0000000000162000.00000002.00000001.01000000.00000006.sdmp, sgxIb.exe.1.dr
Source:	Binary string: wntdll.pdbUGP source: Termination_List_November_2024_pdf.exe, 00000000.00000003.1670231196.0000000004240000.00000004.00001000.00020000.00000000.sdmp, Termination_List_November_2024_pdf.exe, 00000000.00000003.1670120433.00000000040A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Termination_List_November_2024_pdf.exe, 00000000.00000003.1670231196.0000000004240000.00000004.00001000.00020000.00000000.sdmp, Termination_List_November_2024_pdf.exe, 00000000.00000003.1670120433.00000000040A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: sgxIb.exe, 00000002.00000000.1792725324.0000000000162000.00000002.00000001.01000000.00000006.sdmp, sgxIb.exe.1.dr
Source:	Binary string: vcs.pdb source: RegSvcs.exe, 00000001.00000002.4125251318.00000000060D0000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_001768EE FindFirstFileW,FindClose,	0_2_001768EE
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0017698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0017698F
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0016D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0016D076
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0016D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0016D3A9
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00179642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00179642
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0017979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0017979D
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00179B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00179B2B
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0016DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0016DBBE
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00175C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00175C97

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 110.4.45.197 ports 49439,64531,49843,59650,62523,59112,1,63904,2,54121,60622,53366,51365,53635,60680,57659,21,65294

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 110.4.45.197:49439

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 110.4.45.197 110.4.45.197

Source: Joe Sandbox View

ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY EXABYTES-AS-APExaBytesNetworkSdnBhdMY

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49735
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:58527

Source: unknown

FTP traffic detected: 110.4.45.197:21 -> 192.168.2.4:49732 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 15 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 15 of 50 allowed.220-Local time is now 10:28. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 15 of 50 allowed.220-Local time is now 10:28. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 15 of 50 allowed.220-Local time is now 10:28. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 15 of 50 allowed.220-Local time is now 10:28. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_0017CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0017CE44

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.haliza.com.my

Source: RegSvcs.exe, 00000001.00000002.4122762266.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4122762266.0000000002F47000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4122762266.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4122762266.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4122762266.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.haliza.com.my
Source: RegSvcs.exe, 00000001.00000002.4122762266.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Termination_List_November_2024_pdf.exe, 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4121919060.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Termination_List_November_2024_pdf.exe, 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4122762266.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4121919060.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000001.00000002.4122762266.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000001.00000002.4122762266.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, SKTzxzsJw.cs

.Net Code: _71ZRqC1D

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jump to behavior

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_0017EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0017EAFF

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_0017ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0017ED6A

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

0_2_0017EAFF

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_0016AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0016AA57

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_00199576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00199576

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: Termination_List_November_2024_pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Termination_List_November_2024_pdf.exe, 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e259c524-8
Source: Termination_List_November_2024_pdf.exe, 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6cafd150-1
Source: Termination_List_November_2024_pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ad659498-6
Source: Termination_List_November_2024_pdf.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_00e50cb8-d

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Termination_List_November_2024_pdf.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_0016D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0016D5EB

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_00161201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00161201

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_0016E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0016E8F6

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00172046	0_2_00172046
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00108060	0_2_00108060
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00168298	0_2_00168298
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0013E4FF	0_2_0013E4FF
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0013676B	0_2_0013676B
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00194873	0_2_00194873
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0012CAA0	0_2_0012CAA0
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0010CAF0	0_2_0010CAF0
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0011CC39	0_2_0011CC39
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00136DD9	0_2_00136DD9
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0011B119	0_2_0011B119
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_001091C0	0_2_001091C0
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00121394	0_2_00121394
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00121706	0_2_00121706
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0012781B	0_2_0012781B
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00107920	0_2_00107920
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0011997D	0_2_0011997D
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_001219B0	0_2_001219B0
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00127A4A	0_2_00127A4A
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00121C77	0_2_00121C77
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00127CA7	0_2_00127CA7
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0018BE44	0_2_0018BE44
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00139EEE	0_2_00139EEE
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00121F32	0_2_00121F32
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_01A29DE0	0_2_01A29DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_012BE8FD	1_2_012BE8FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_012B4A68	1_2_012B4A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_012B3E50	1_2_012B3E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_012BAE87	1_2_012BAE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_012B4198	1_2_012B4198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0677C74C	1_2_0677C74C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_067755E8	1_2_067755E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_067755D8	1_2_067755D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_067856B0	1_2_067856B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06787E98	1_2_06787E98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06786708	1_2_06786708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06783580	1_2_06783580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_067877B8	1_2_067877B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0678E4D0	1_2_0678E4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06785DFF	1_2_06785DFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06780040	1_2_06780040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0678003E	1_2_0678003E

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: String function: 00120A30 appears 46 times
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: String function: 0011F9F2 appears 31 times

Source: Termination_List_November_2024_pdf.exe, 00000000.00000003.1670461434.00000000041C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Termination_List_November_2024_pdf.exe
Source: Termination_List_November_2024_pdf.exe, 00000000.00000003.1671254430.000000000436D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Termination_List_November_2024_pdf.exe
Source: Termination_List_November_2024_pdf.exe, 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs Termination_List_November_2024_pdf.exe

Source: Termination_List_November_2024_pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@2/2

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_001737B5 GetLastError,FormatMessageW,

0_2_001737B5

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_001610BF AdjustTokenPrivileges,CloseHandle,		0_2_001610BF
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_001616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001616C3

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_001751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001751CD

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_0018A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0018A67C

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_0017648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0017648E

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_001042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001042A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\sgxIb

Jump to behavior

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7900:120:WilError_03

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\peristeronic

Jump to behavior

Source: Termination_List_November_2024_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Termination_List_November_2024_pdf.exe	ReversingLabs: Detection: 44%
Source: Termination_List_November_2024_pdf.exe	Virustotal: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe "C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe"
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Termination_List_November_2024_pdf.exe

Static file information: File size 1438208 > 1048576

Source: Termination_List_November_2024_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Termination_List_November_2024_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Termination_List_November_2024_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Termination_List_November_2024_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Termination_List_November_2024_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Termination_List_November_2024_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Termination_List_November_2024_pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegSvcs.pdb, source: sgxIb.exe, 00000002.00000000.1792725324.0000000000162000.00000002.00000001.01000000.00000006.sdmp, sgxIb.exe.1.dr
Source:	Binary string: wntdll.pdbUGP source: Termination_List_November_2024_pdf.exe, 00000000.00000003.1670231196.0000000004240000.00000004.00001000.00020000.00000000.sdmp, Termination_List_November_2024_pdf.exe, 00000000.00000003.1670120433.00000000040A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Termination_List_November_2024_pdf.exe, 00000000.00000003.1670231196.0000000004240000.00000004.00001000.00020000.00000000.sdmp, Termination_List_November_2024_pdf.exe, 00000000.00000003.1670120433.00000000040A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: sgxIb.exe, 00000002.00000000.1792725324.0000000000162000.00000002.00000001.01000000.00000006.sdmp, sgxIb.exe.1.dr
Source:	Binary string: vcs.pdb source: RegSvcs.exe, 00000001.00000002.4125251318.00000000060D0000.00000004.00000020.00020000.00000000.sdmp

Source: Termination_List_November_2024_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Termination_List_November_2024_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Termination_List_November_2024_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Termination_List_November_2024_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Termination_List_November_2024_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_001042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001042DE

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00120A76 push ecx; ret	0_2_00120A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_012B0C6D push edi; retf	1_2_012B0C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_012B0C45 push ebx; retf	1_2_012B0C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_012B0C53 push ebx; retf	1_2_012B0C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0677ECB0 push es; ret	1_2_0677ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0677AAB2 push es; ret	1_2_0677AAC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0011F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0011F98E
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00191C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00191C41

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97744

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

API/Special instruction interceptor: Address: 1A29A04

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 2380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 2440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 4440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 28D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 2AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 4AA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599103	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598961	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596255	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596100	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595925	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2697			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7143			Jump to behavior

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

API coverage: 3.5 %

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7712	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7940	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_001768EE FindFirstFileW,FindClose,	0_2_001768EE
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0017698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0017698F
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0016D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0016D076
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0016D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0016D3A9
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00179642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00179642
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0017979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0017979D
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00179B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00179B2B
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0016DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0016DBBE
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00175C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00175C97

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_001042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001042DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599103	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598961	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596255	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596100	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595925	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.4125251318.00000000060D0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_0017EAA2 BlockInput,

0_2_0017EAA2

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_00132622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00132622

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_001042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001042DE

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00124CE8 mov eax, dword ptr fs:[00000030h]	0_2_00124CE8
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_01A285F0 mov eax, dword ptr fs:[00000030h]	0_2_01A285F0
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_01A29CD0 mov eax, dword ptr fs:[00000030h]	0_2_01A29CD0
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_01A29C70 mov eax, dword ptr fs:[00000030h]	0_2_01A29C70

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_00160B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00160B62

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00132622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00132622
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_0012083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0012083F
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_001209D5 SetUnhandledExceptionFilter,	0_2_001209D5
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00120C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00120C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DDA008

Jump to behavior

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

0_2_00161201

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_00142BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00142BA5

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_0016B226 SendInput,keybd_event,

0_2_0016B226

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_001822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001822DA

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

0_2_00160B62

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_00161663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00161663

Source: Termination_List_November_2024_pdf.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegSvcs.exe, 00000001.00000002.4122762266.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Termination_List_November_2024_pdf.exe	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000001.00000002.4122762266.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $tq3<b>[ Program Manager]</b> (06/11/2024 10:12:04)<br>
Source: RegSvcs.exe, 00000001.00000002.4122762266.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRtq
Source: RegSvcs.exe, 00000001.00000002.4122762266.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $tq8<b>[ Program Manager]</b> (06/11/2024 10:12:04)<br>{Win}THyq`
Source: RegSvcs.exe, 00000001.00000002.4122762266.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <html>Time: 11/20/2024 00:56:08<br>User Name: user<br>Computer Name: 367706<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 173.254.250.80<br><hr><b>[ Program Manager]</b> (06/11/2024 10:12:04)<br>{Win}r</html>
Source: RegSvcs.exe, 00000001.00000002.4122762266.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $tq9<b>[ Program Manager]</b> (06/11/2024 10:12:04)<br>{Win}rTHyq`

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_00120698 cpuid

0_2_00120698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_00178195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00178195

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_0015D27A GetUserNameW,

0_2_0015D27A

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_0013BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0013BB6F

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe

Code function: 0_2_001042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001042DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4122762266.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4122762266.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4121919060.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Termination_List_November_2024_pdf.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7444, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Termination_List_November_2024_pdf.exe	Binary or memory string: WIN_81
Source: Termination_List_November_2024_pdf.exe	Binary or memory string: WIN_XP
Source: Termination_List_November_2024_pdf.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Termination_List_November_2024_pdf.exe	Binary or memory string: WIN_XPe
Source: Termination_List_November_2024_pdf.exe	Binary or memory string: WIN_VISTA
Source: Termination_List_November_2024_pdf.exe	Binary or memory string: WIN_7
Source: Termination_List_November_2024_pdf.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4122762266.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4121919060.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Termination_List_November_2024_pdf.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7444, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Termination_List_November_2024_pdf.exe.15f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4122762266.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4122762266.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4121919060.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Termination_List_November_2024_pdf.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7444, type: MEMORYSTR

Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00181204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00181204
Source: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe	Code function: 0_2_00181806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00181806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	221 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	221 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	331 Security Software Discovery	SSH	4 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	241 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	241 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Termination_List_November_2024_pdf.exe	45%	ReversingLabs	Win32.Trojan.Generic
Termination_List_November_2024_pdf.exe	36%	Virustotal		Browse
Termination_List_November_2024_pdf.exe	100%	Avira	DR/AutoIt.Gen8
Termination_List_November_2024_pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ftp.haliza.com.my	2%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		high
ftp.haliza.com.my	110.4.45.197	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org	Termination_List_November_2024_pdf.exe, 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4122762266.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4121919060.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://account.dyn.com/	Termination_List_November_2024_pdf.exe, 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4121919060.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://ftp.haliza.com.my	RegSvcs.exe, 00000001.00000002.4122762266.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4122762266.0000000002F47000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4122762266.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4122762266.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4122762266.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ipify.org/t	RegSvcs.exe, 00000001.00000002.4122762266.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000001.00000002.4122762266.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
110.4.45.197	ftp.haliza.com.my	Malaysia		46015	EXABYTES-AS-APExaBytesNetworkSdnBhdMY	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1549797
Start date and time:	2024-11-06 03:27:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Termination_List_November_2024_pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 43 Number of non-executed functions: 311
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target sgxIb.exe, PID 7660 because it is empty
Execution Graph export aborted for target sgxIb.exe, PID 7892 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:28:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
02:28:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
21:28:00	API Interceptor	12556397x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
110.4.45.197	Payment_Advice_USD_48,054.40_.exe	Get hash	malicious	AgentTesla	Browse
	Payslip_October_2024.exe	Get hash	malicious	AgentTesla	Browse
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse
	Payslip_October_2024.pdf.exe	Get hash	malicious	AgentTesla	Browse
	rMT103_126021720924.exe	Get hash	malicious	AgentTesla	Browse
	z1Transaction_ID_REF2418_cmd.bat	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	z20SWIFT_MT103_Payment_552016_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	z14Employee_Contract_pdf.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	https://averellharriman.sharefile.com/public/share/web-sab7e0a816d3e4e0ca3a0899254901a6d	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://averellharriman.sharefile.com/public/share/web-s3b96c17360cd43e7bdcaf25a23709fd0	Get hash	malicious	Unknown	Browse	104.26.13.205
	https://www.canva.com/design/DAGVnZ3mr_Y/4CQQbX1-EKRcha16TVbYxQ/view?utm_content=DAGVnZ3mr_Y&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Mamba2FA	Browse	104.26.12.205
	Payment_Advice_USD_48,054.40_.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	172.67.74.152
	H096Ewc7ki.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	Steelcase Series 1 Sustainable Office Chair _ Steelcase.html	Get hash	malicious	Unknown	Browse	104.26.12.205
	REnBTVfW8q.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	D6yz87XjgM.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
ftp.haliza.com.my	Payment_Advice_USD_48,054.40_.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Payslip_October_2024.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Payslip_October_2024.pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	rMT103_126021720924.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	z1Transaction_ID_REF2418_cmd.bat	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	110.4.45.197
	z20SWIFT_MT103_Payment_552016_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	110.4.45.197
	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	110.4.45.197
	z14Employee_Contract_pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.133.135
	1V4xpXT91O.exe	Get hash	malicious	Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.5.155
	https://tuy.naturdon.com/iVYo/#Dinnovative.courses@tea.texas.gov	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://ssintegra.com/Noel/webb/index.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.133.135
	Remittance_Ref;-49743170932be73dd68e9130949b1b5dbf8aa216bc0f0729cd.html	Get hash	malicious	Unknown	Browse	188.114.96.3
	ICBM.exe	Get hash	malicious	Xmrig	Browse	172.67.69.46
	Order.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
EXABYTES-AS-APExaBytesNetworkSdnBhdMY	https://www.canva.com/design/DAGVnZ3mr_Y/4CQQbX1-EKRcha16TVbYxQ/view?utm_content=DAGVnZ3mr_Y&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Mamba2FA	Browse	103.6.199.200
	Payment_Advice_USD_48,054.40_.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Payslip_October_2024.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	Txwd 4063517991 djxjdlxmbk.pdf	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	103.6.199.200
	Payslip_October_2024.pdf.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	rMT103_126021720924.exe	Get hash	malicious	AgentTesla	Browse	110.4.45.197
	z1Transaction_ID_REF2418_cmd.bat	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	110.4.45.197
	z20SWIFT_MT103_Payment_552016_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	110.4.45.197

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://raw.githubusercontent.com/EthanBrooks1955/2x4Q/main/OCPEC.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	Remittance_Ref;-49743170932be73dd68e9130949b1b5dbf8aa216bc0f0729cd.html	Get hash	malicious	Unknown	Browse	104.26.12.205
	Order.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	http://alnassers.net	Get hash	malicious	Unknown	Browse	104.26.12.205
	8CwKupnahl.exe	Get hash	malicious	Stealc, Vidar	Browse	104.26.12.205
	https://online.telecoms.click/provisional.html?private=yummy.burger@saic.com	Get hash	malicious	Unknown	Browse	104.26.12.205
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.26.12.205
	Bestellung - 20240001833.com.exe	Get hash	malicious	Quasar	Browse	104.26.12.205
	http://app.kodexglobal.com/binance/signup	Get hash	malicious	Unknown	Browse	104.26.12.205
	rFerrecsa_D7011001.vbs	Get hash	malicious	Unknown	Browse	104.26.12.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Payment_Advice_USD_48,054.40_.exe	Get hash	malicious	AgentTesla	Browse
	M1Y6kc9FpE.exe	Get hash	malicious	FormBook	Browse
	mJIvCBk5vF.exe	Get hash	malicious	FormBook	Browse
	1aG5DoOsAW.exe	Get hash	malicious	FormBook	Browse
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse
	purchase order P857248 dated 04112024.exe	Get hash	malicious	XWorm	Browse
	dJpo3HPctv.exe	Get hash	malicious	XWorm	Browse
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse
	Payslip_October_2024.pdf.exe	Get hash	malicious	AgentTesla	Browse
	Massive.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sgxIb.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\peristeronic

Download File

Process:	C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	247808
Entropy (8bit):	6.788297558797732
Encrypted:	false
SSDEEP:	6144:iiUcxSPRmS56qM9Hk2GGV9utqmHP4kGOrBQhyFitJS98dG:iiUcQPAS56qM9NVAtq0ZbuHG
MD5:	135D9EC0CB6F7E19E86A36CE2447B8D9
SHA1:	CDF6B717766FC187306EEB45C493A4E8F4BD6B2B
SHA-256:	FCEFE3861797EAC708CAD24DE0DA4F6B5DB91A5CA51BB0A7CCF80E58A5EDDA6C
SHA-512:	1E56DAC848E6DC58A3483364C8407DB0AB1C83F63A047BBE441463DCAA11215AC9DD063AB41BB0FDA1DB268AD6CFB2AD92581A9EFB3033108B67A306BDAD4C6E
Malicious:	false
Reputation:	low
Preview:	}..IN8PCOJ9D..D9.373H8YH.WPCYZ0ATIM8PCKJ9DX2D9C373H8YHRWPCYZ.ATIC'.MK.0.y.Eu..c[!Ky8 87187."5'#W$c)/.6-\dP-.s\|..4'62~NTP.ATIM8PC..9D.3G9\|9_UH8YHRWPC.Z2@_HF8P.HJ9LX2D9C3..K8YhRWP.ZZ0A.IM.PCKH9D\2D9C373L8YHRWPCYz4ATKM8PCKJ;D..D9S37#H8YHBWPSYZ0ATI]8PCKJ9DX2D9..43.8YHR.SC._0ATIM8PCKJ9DX2D9C373L8UHRWPCYZ0ATIM8PCKJ9DX2D9C373H8YHRWPCYZ0ATIM8PCKJ9DX2D.C3?3H8YHRWPCYZ8aTI.8PCKJ9DX2D9mGRK<8YH..SCYz0AT.N8PAKJ9DX2D9C373H8yHR7~1(SATI.=PCK.:DX4D9C.43H8YHRWPCYZ0A.IMx~1.&V'X2H9C373L8YJRWP.ZZ0ATIM8PCKJ9D.2D{C373H8YHRWPCYZ0At.N8PCKJqDX2F9F3..J8mrSWSCYZ1ATOM8PCKJ9DX2D9C373H8YHRWPCYZ0ATIM8PCKJ9DX2D9C373H8D......dx<jC/?.e.-.G..W..J.\|GyL.)C...=....w6M.pD.=t...>....=._U:X.....uX[2E"j3w=%.^..o..x<...E7.J...3..-Mn.m....`....7-....7..S.9g,H /.dj%>S6P.1.2H8YH.......=1.b}@DT.V d...!0n....CYZTATI?8PCJ9D.2D9,373&8YH,WPC'Z0A.IM8.CKJ.DX2a9C3Z3H8}HRW.CYZ.<[F..8..DX2D9v...U.....t..w%.3c2{... .y.cF`.< .......W....Zj;Eh.aCY4@<A430D.W....b[^4DVNI;\~E............(...9.&0ATIM8.CK.9DX..9.373.8.H..PCY..A.I.8...J

C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Payment_Advice_USD_48,054.40_.exe, Detection: malicious, Browse Filename: M1Y6kc9FpE.exe, Detection: malicious, Browse Filename: mJIvCBk5vF.exe, Detection: malicious, Browse Filename: 1aG5DoOsAW.exe, Detection: malicious, Browse Filename: copto de pago.exe, Detection: malicious, Browse Filename: purchase order P857248 dated 04112024.exe, Detection: malicious, Browse Filename: dJpo3HPctv.exe, Detection: malicious, Browse Filename: Payslip_October_2024_pdf.exe, Detection: malicious, Browse Filename: Payslip_October_2024.pdf.exe, Detection: malicious, Browse Filename: Massive.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.305547486592424
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Termination_List_November_2024_pdf.exe
File size:	1'438'208 bytes
MD5:	983ba873783035b8788b52067fbd0da0
SHA1:	09388dea375a27a652493ed2d72af2007c67557c
SHA256:	a621353d9ba0b680e8f65d1951b47a74a08c1dc903eb071a64680a7a46793197
SHA512:	9f871b235beefa675f3cc7a38a0ffad52d6ef2679e87fb62df5c599dfbe5ff3b0f6d9b5d081970deddf39cd986ae91f8262198174eb2908d9a5c0eacabb92b35
SSDEEP:	24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aisEcuhF2Z/R9vwzmx8ZCcP1INkZerYJ:4TvC/MTQYxsWR7aioZ/fvwax2ZerY
TLSH:	0A65D0027391D062FF9B92334B5AF6115ABC6A260123F61F13A81D7DBE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x672AA823 [Tue Nov 5 23:20:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FE2FD032BD3h
jmp 00007FE2FD0324DFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE2FD0326BDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE2FD03268Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FE2FD03527Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FE2FD0352C8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FE2FD0352B1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x8876c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15d000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x8876c	0x88800	c329dcaa04d0512f31d5f3a69fdf0804	False	0.952076894459707	data	7.943452153222614	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15d000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x7fa32	data			1.0003175198258614
RT_GROUP_ICON	0x15c1ec	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x15c264	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x15c278	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x15c28c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x15c2a0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x15c37c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-06T03:28:15.764740+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.4	49735	TCP
2024-11-06T03:28:44.296923+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.4	58527	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2024 03:27:59.121036053 CET	49730	443	192.168.2.4	104.26.12.205
Nov 6, 2024 03:27:59.121066093 CET	443	49730	104.26.12.205	192.168.2.4
Nov 6, 2024 03:27:59.121125937 CET	49730	443	192.168.2.4	104.26.12.205
Nov 6, 2024 03:27:59.136631012 CET	49730	443	192.168.2.4	104.26.12.205
Nov 6, 2024 03:27:59.136646986 CET	443	49730	104.26.12.205	192.168.2.4
Nov 6, 2024 03:27:59.817188978 CET	443	49730	104.26.12.205	192.168.2.4
Nov 6, 2024 03:27:59.817290068 CET	49730	443	192.168.2.4	104.26.12.205
Nov 6, 2024 03:27:59.821763992 CET	49730	443	192.168.2.4	104.26.12.205
Nov 6, 2024 03:27:59.821778059 CET	443	49730	104.26.12.205	192.168.2.4
Nov 6, 2024 03:27:59.822026968 CET	443	49730	104.26.12.205	192.168.2.4
Nov 6, 2024 03:27:59.862554073 CET	49730	443	192.168.2.4	104.26.12.205
Nov 6, 2024 03:27:59.869525909 CET	49730	443	192.168.2.4	104.26.12.205
Nov 6, 2024 03:27:59.911322117 CET	443	49730	104.26.12.205	192.168.2.4
Nov 6, 2024 03:28:00.046783924 CET	443	49730	104.26.12.205	192.168.2.4
Nov 6, 2024 03:28:00.046839952 CET	443	49730	104.26.12.205	192.168.2.4
Nov 6, 2024 03:28:00.046972036 CET	49730	443	192.168.2.4	104.26.12.205
Nov 6, 2024 03:28:00.054095030 CET	49730	443	192.168.2.4	104.26.12.205
Nov 6, 2024 03:28:00.828824997 CET	49731	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:00.833847046 CET	21	49731	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:00.833923101 CET	49731	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:00.837302923 CET	49731	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:00.842150927 CET	21	49731	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:00.842206001 CET	49731	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:00.865736008 CET	49732	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:00.870620012 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:00.870683908 CET	49732	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:01.789045095 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:01.798157930 CET	49732	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:01.802944899 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:02.306466103 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:02.306756973 CET	49732	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:02.311697960 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:02.678149939 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:02.678409100 CET	49732	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:02.683182955 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:03.015470982 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:03.015645027 CET	49732	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:03.020489931 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:03.352417946 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:03.352799892 CET	49732	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:03.357608080 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:03.689845085 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:03.690134048 CET	49732	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:03.694919109 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:04.027106047 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:04.027690887 CET	49733	49439	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:04.032597065 CET	49439	49733	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:04.032666922 CET	49733	49439	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:04.032711983 CET	49732	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:04.037558079 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:04.953937054 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:04.954332113 CET	49733	49439	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:04.954332113 CET	49733	49439	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:04.959114075 CET	49439	49733	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:04.959187031 CET	49439	49733	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:04.959196091 CET	49439	49733	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:04.959532022 CET	49439	49733	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:04.959589005 CET	49733	49439	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:05.003319979 CET	49732	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:05.294531107 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:05.294974089 CET	49732	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:05.299736977 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:05.632144928 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:05.632767916 CET	49734	53366	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:05.637542963 CET	53366	49734	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:05.637680054 CET	49734	53366	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:05.637681007 CET	49732	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:05.642472982 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:06.544385910 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:06.544611931 CET	49734	53366	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:06.549983978 CET	53366	49734	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:06.550049067 CET	49734	53366	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:06.596927881 CET	49732	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:28:06.884769917 CET	21	49732	110.4.45.197	192.168.2.4
Nov 6, 2024 03:28:06.940689087 CET	49732	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:32.285765886 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:32.290611029 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:32.291157961 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:32.327434063 CET	58718	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:32.332294941 CET	21	58718	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:32.332433939 CET	58718	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:32.332751989 CET	58718	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:32.337945938 CET	21	58718	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:32.338390112 CET	58718	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:33.219414949 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:33.219537020 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:33.224359035 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:33.569905996 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:33.573812008 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:33.578648090 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:34.318530083 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:34.318681002 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:34.323601961 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:34.670238018 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:34.670416117 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:34.675211906 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:35.019610882 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:35.019840002 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:35.024627924 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:35.369612932 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:35.369757891 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:35.374548912 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:35.718926907 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:35.719316006 CET	58739	59650	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:35.724132061 CET	59650	58739	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:35.724198103 CET	58739	59650	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:35.724281073 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:35.729034901 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:36.653867960 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:36.654145002 CET	58739	59650	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:36.654215097 CET	58739	59650	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:36.659075975 CET	59650	58739	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:36.659459114 CET	59650	58739	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:36.659544945 CET	58739	59650	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:36.709434986 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:36.998789072 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:37.049949884 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:43.442147017 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:43.447026014 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:43.791662931 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:43.792037010 CET	58784	51365	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:43.796838999 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:43.796911955 CET	58784	51365	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:43.796966076 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:43.801753044 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.733119965 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.733387947 CET	58784	51365	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:44.738230944 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.738240004 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.738248110 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.738265038 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.738272905 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.738276958 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.738312960 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.738321066 CET	58784	51365	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:44.738382101 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.738392115 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.738406897 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.738425970 CET	58784	51365	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:44.738528013 CET	58784	51365	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:44.743170023 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.743179083 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.743235111 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.743243933 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.743252993 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.743261099 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.743288040 CET	58784	51365	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:44.743335009 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.743335962 CET	58784	51365	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:44.743390083 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.743397951 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.743463039 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.743519068 CET	58784	51365	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:44.748130083 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.748229027 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.748236895 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.748295069 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.748342991 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.748398066 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.748414993 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.748759031 CET	51365	58784	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:44.748847008 CET	58784	51365	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:44.865624905 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:45.543734074 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:45.592618942 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:49.525970936 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:49.530810118 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:49.875897884 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:49.876305103 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:49.881066084 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:49.881213903 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:49.882388115 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:49.887167931 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.789984941 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.790345907 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:50.795278072 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.795305967 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.795336008 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:50.795361996 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.795371056 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.795401096 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:50.795434952 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.795444012 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.795475006 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:50.795510054 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.795519114 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.795531034 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:50.795597076 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:50.795597076 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.795665979 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.795700073 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:50.795728922 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:50.800189018 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.800241947 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.800276995 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:50.800340891 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:50.800364017 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.800374031 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.800395012 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.800431967 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:50.800438881 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.800447941 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.800527096 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:50.800578117 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.800668001 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.800770044 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:50.800777912 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.800786018 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.800968885 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.805280924 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.805326939 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.805419922 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.805445910 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.805591106 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.805659056 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.805668116 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.805742025 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.805851936 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.806477070 CET	54121	58797	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:50.807493925 CET	58797	54121	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:50.865442991 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:29:51.561877012 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:29:51.624233961 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:02.770656109 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:02.775535107 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:03.120295048 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:03.125571966 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:03.130459070 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:03.130521059 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:03.130590916 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:03.135380983 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.041052103 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.041301012 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.046184063 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.046204090 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.046212912 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.046230078 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.046233892 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.046236992 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.046246052 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.046283960 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.046333075 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.046375990 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.046525002 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.046533108 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.046536922 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.046545029 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.046578884 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.046603918 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.051069975 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.051079988 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.051095963 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.051104069 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.051126957 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.051153898 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.051156998 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.051162004 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.051209927 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.051219940 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.051259995 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.051265955 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.051307917 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.051381111 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.051398993 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.051424026 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.051450968 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.051518917 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.056313992 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.056442976 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.056514978 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.056684971 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.056756973 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.057274103 CET	64531	58798	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.057310104 CET	58798	64531	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.159389019 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:04.819842100 CET	21	58717	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:04.959386110 CET	58717	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:33.321399927 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:33.331336975 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:33.331413984 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:34.214066982 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:34.219362974 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:34.224198103 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:34.544270039 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:34.547436953 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:34.552261114 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:34.905484915 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:34.905631065 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:34.910435915 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:35.230592012 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:35.230851889 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:35.235640049 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:35.555893898 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:35.556011915 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:35.560806036 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:35.730788946 CET	58800	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:35.735618114 CET	21	58800	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:35.735686064 CET	58800	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:35.735893011 CET	58800	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:35.740760088 CET	21	58800	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:35.740818977 CET	58800	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:35.881057024 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:35.884629965 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:35.889492989 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:36.213385105 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:36.215851068 CET	58801	53635	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:36.220973015 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:36.223423004 CET	58801	53635	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:36.223426104 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:36.228363037 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.109307051 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.111540079 CET	58801	53635	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:37.116429090 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.116439104 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.116447926 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.116468906 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.116476059 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.116496086 CET	58801	53635	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:37.116553068 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.116560936 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.116571903 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.116588116 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.116607904 CET	58801	53635	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:37.116631985 CET	58801	53635	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:37.116638899 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.116648912 CET	58801	53635	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:37.116728067 CET	58801	53635	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:37.121500015 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.121509075 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.121635914 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.121671915 CET	58801	53635	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:37.121686935 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.121695995 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.121704102 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.121715069 CET	58801	53635	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:37.121798992 CET	58801	53635	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:37.122884989 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.123003960 CET	58801	53635	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:37.126595020 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.126688957 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.126696110 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.126756907 CET	58801	53635	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:37.128101110 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.128164053 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.128365040 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.131644011 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.132148027 CET	53635	58801	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.135365009 CET	58801	53635	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:37.159197092 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:30:37.856267929 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:30:37.909234047 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:02.161395073 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:02.166244030 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:02.487757921 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:02.489696980 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:02.494513988 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:02.497396946 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:02.497400999 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:02.502296925 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.402453899 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.408869982 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.413829088 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.413841963 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.413846970 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.413852930 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.413872957 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.413913965 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.413943052 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.413949013 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.413959980 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.413969040 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.413979053 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.413996935 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.414015055 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.414033890 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.414108038 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.414150953 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.418817043 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.418832064 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.418872118 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.418890953 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.418900013 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.418910980 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.418919086 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.418930054 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.418958902 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.418982029 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.419020891 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.419039965 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.419064045 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.419105053 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.419182062 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.419203997 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.419342041 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.423856020 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.423865080 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.423949957 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.423958063 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.424004078 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.424010992 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.424082041 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.424168110 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.424493074 CET	65294	58802	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.424550056 CET	58802	65294	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.456058979 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.807394028 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:03.812227011 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:03.812304974 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:04.180286884 CET	21	58799	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:04.223315954 CET	58799	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:04.720079899 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:04.720211983 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:04.725105047 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:05.054861069 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:05.055082083 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:05.059853077 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:05.425643921 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:05.425860882 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:05.430628061 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:05.760627031 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:05.760745049 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:05.765548944 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:06.097362041 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:06.097554922 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:06.102407932 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:06.612008095 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:06.612134933 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:06.616977930 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:06.948785067 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:06.951729059 CET	58804	60680	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:06.956557035 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:06.956679106 CET	58804	60680	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:06.956779003 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:06.961622953 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.863445044 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.863769054 CET	58804	60680	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:07.868679047 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.868690014 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.868697882 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.868700981 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.868707895 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.868762970 CET	58804	60680	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:07.868850946 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.868859053 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.868863106 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.868870974 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.868911028 CET	58804	60680	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:07.868988991 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.869039059 CET	58804	60680	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:07.873666048 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.873673916 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.873717070 CET	58804	60680	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:07.873769045 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.873776913 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.873784065 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.873792887 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.873812914 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.873826027 CET	58804	60680	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:07.873864889 CET	58804	60680	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:07.874058008 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.874113083 CET	58804	60680	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:07.878642082 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.878650904 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.878699064 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.878840923 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.878887892 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.879025936 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.879117012 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.879450083 CET	60680	58804	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:07.879492998 CET	58804	60680	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:07.909176111 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:08.626807928 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:08.674882889 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:17.100698948 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:17.105581999 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:17.437263966 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:17.437902927 CET	58805	62523	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:17.442733049 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:17.442800999 CET	58805	62523	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:17.442893982 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:17.447657108 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.340233088 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.340610981 CET	58805	62523	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:18.345475912 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.345487118 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.345503092 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.345510960 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.345544100 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.345598936 CET	58805	62523	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:18.345654964 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.345664024 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.345668077 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.345674992 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.345726967 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.345740080 CET	58805	62523	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:18.349442959 CET	58805	62523	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:18.350419044 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.350428104 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.350438118 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.350516081 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.350518942 CET	58805	62523	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:18.350523949 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.350533009 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.350548983 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.350558043 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.350649118 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.350656033 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.350672007 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.350706100 CET	58805	62523	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:18.353360891 CET	58805	62523	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:18.354269028 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.355283976 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.355365038 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.355506897 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.355535984 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.355572939 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.355581045 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.355705976 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.355772972 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.355781078 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.358182907 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.358760118 CET	62523	58805	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:18.365473986 CET	58805	62523	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:18.393640995 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:19.088221073 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:19.147293091 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:23.336199999 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:23.341097116 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:23.670943975 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:23.671458960 CET	58806	63904	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:23.676323891 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:23.676394939 CET	58806	63904	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:23.676453114 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:23.681268930 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.581120968 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.581379890 CET	58806	63904	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:24.586268902 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.586317062 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.586327076 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.586333990 CET	58806	63904	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:24.586338043 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.586349964 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.586390972 CET	58806	63904	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:24.586460114 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.586478949 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.586487055 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.586497068 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.586520910 CET	58806	63904	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:24.586525917 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.586575985 CET	58806	63904	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:24.591151953 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.591190100 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.591213942 CET	58806	63904	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:24.591233969 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.591274023 CET	58806	63904	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:24.591375113 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.591383934 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.591387033 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.591466904 CET	58806	63904	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:24.591516972 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.591526985 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.591631889 CET	58806	63904	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:24.591653109 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.591661930 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.591751099 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.591766119 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.591793060 CET	58806	63904	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:24.591981888 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.596209049 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.596263885 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.596271992 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.596333981 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.596441984 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.596546888 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.596554995 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.596564054 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.596575022 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.596745014 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.597495079 CET	63904	58806	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:24.597587109 CET	58806	63904	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:24.628144026 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:25.363502026 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:25.409168005 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:33.915693998 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:33.921745062 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:34.251508951 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:34.255721092 CET	58807	57659	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:34.260504007 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:34.260617971 CET	58807	57659	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:34.260765076 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:34.265506983 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.181025028 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.181282997 CET	58807	57659	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:35.186166048 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.186175108 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.186219931 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.186228037 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.186238050 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.186269045 CET	58807	57659	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:35.186290026 CET	58807	57659	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:35.186355114 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.186362982 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.186369896 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.186378002 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.186403990 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.186418056 CET	58807	57659	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:35.186501026 CET	58807	57659	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:35.191186905 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.191205978 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.191267014 CET	58807	57659	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:35.191335917 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.191345930 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.191400051 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.191409111 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.191418886 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.191450119 CET	58807	57659	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:35.191462040 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.191472054 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.191483974 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.191484928 CET	58807	57659	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:35.191525936 CET	58807	57659	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:35.191576958 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.191699982 CET	58807	57659	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:35.196132898 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.196228981 CET	58807	57659	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:35.196373940 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.196425915 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.196451902 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.196489096 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.196590900 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.196640015 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.196650028 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.196707010 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.196716070 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.196758986 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.201216936 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.201574087 CET	57659	58807	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:35.201673031 CET	58807	57659	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:35.377916098 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:35.973961115 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:36.190418959 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:38.661422968 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:38.666294098 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:38.996103048 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:38.996577978 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.001445055 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.001620054 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.001679897 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.007006884 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.890305996 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.890607119 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.895565033 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.895575047 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.895582914 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.895586967 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.895607948 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.895620108 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.895648003 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.895670891 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.895687103 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.895720005 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.895728111 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.895729065 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.895757914 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.895776033 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.895807028 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.895965099 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.896006107 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.900531054 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.900540113 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.900543928 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.900609016 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.900618076 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.900624990 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.900635004 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.900646925 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.900676012 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.900712013 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.900763035 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.900815010 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.900898933 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.905472994 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.905520916 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.905566931 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.905575037 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.905581951 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.905630112 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.905672073 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.905718088 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.905761957 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.905844927 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.906187057 CET	49843	58808	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:39.906299114 CET	58808	49843	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:39.987298965 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:40.639200926 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:40.690421104 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:41.100122929 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:41.105230093 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:41.434815884 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:41.435347080 CET	58809	59112	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:41.440238953 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:41.440304041 CET	58809	59112	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:41.440346003 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:41.445086956 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.425790071 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.426059961 CET	58809	59112	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:42.430922031 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.430948019 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.430955887 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.430964947 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.430998087 CET	58809	59112	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:42.431049109 CET	58809	59112	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:42.431082010 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.431092978 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.431109905 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.431118965 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.431123018 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.431147099 CET	58809	59112	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:42.431180000 CET	58809	59112	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:42.431221008 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.431277990 CET	58809	59112	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:42.435801029 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.435810089 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.435884953 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.435892105 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.435946941 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.435959101 CET	58809	59112	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:42.435965061 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.435992002 CET	58809	59112	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:42.436048985 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.436053991 CET	58809	59112	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:42.436058044 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.436065912 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.436197996 CET	58809	59112	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:42.436232090 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.436342955 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.440773010 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.440804958 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.440882921 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.440932035 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.440999031 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.441092014 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.441109896 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.441169024 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.441178083 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.441447973 CET	59112	58809	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:42.441519022 CET	58809	59112	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:42.474543095 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:31:43.178364992 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:31:43.223269939 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:32:03.615286112 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:32:03.620206118 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:32:03.949758053 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:32:03.950118065 CET	58810	60622	192.168.2.4	110.4.45.197
Nov 6, 2024 03:32:03.954926968 CET	60622	58810	110.4.45.197	192.168.2.4
Nov 6, 2024 03:32:03.955048084 CET	58810	60622	192.168.2.4	110.4.45.197
Nov 6, 2024 03:32:03.955049038 CET	58803	21	192.168.2.4	110.4.45.197
Nov 6, 2024 03:32:03.959860086 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:32:04.875210047 CET	21	58803	110.4.45.197	192.168.2.4
Nov 6, 2024 03:32:04.924782991 CET	58803	21	192.168.2.4	110.4.45.197

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2024 03:27:59.105937958 CET	61296	53	192.168.2.4	1.1.1.1
Nov 6, 2024 03:27:59.113238096 CET	53	61296	1.1.1.1	192.168.2.4
Nov 6, 2024 03:28:00.560626030 CET	49280	53	192.168.2.4	1.1.1.1
Nov 6, 2024 03:28:00.827877045 CET	53	49280	1.1.1.1	192.168.2.4
Nov 6, 2024 03:28:41.838020086 CET	53	54852	162.159.36.2	192.168.2.4
Nov 6, 2024 03:28:42.633582115 CET	53	57494	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 6, 2024 03:27:59.105937958 CET	192.168.2.4	1.1.1.1	0x6f64	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 6, 2024 03:28:00.560626030 CET	192.168.2.4	1.1.1.1	0xe581	Standard query (0)	ftp.haliza.com.my	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 6, 2024 03:27:59.113238096 CET	1.1.1.1	192.168.2.4	0x6f64	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 6, 2024 03:27:59.113238096 CET	1.1.1.1	192.168.2.4	0x6f64	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 6, 2024 03:27:59.113238096 CET	1.1.1.1	192.168.2.4	0x6f64	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 6, 2024 03:28:00.827877045 CET	1.1.1.1	192.168.2.4	0xe581	No error (0)	ftp.haliza.com.my	110.4.45.197	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.26.12.205	443	7444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-06 02:27:59 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-06 02:28:00 UTC	397	IN	HTTP/1.1 200 OK Date: Wed, 06 Nov 2024 02:27:59 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8de1a5cbbac3c978-IAD server-timing: cfL4;desc="?proto=TCP&rtt=40190&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2818&recv_bytes=769&delivery_rate=72187&cwnd=32&unsent_bytes=0&cid=f5d81b2c4dae8546&ts=238&x=0"
2024-11-06 02:28:00 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 30 Data Ascii: 173.254.250.80

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 6, 2024 03:28:01.789045095 CET	21	49732	110.4.45.197	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 15 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 15 of 50 allowed.220-Local time is now 10:28. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 15 of 50 allowed.220-Local time is now 10:28. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 15 of 50 allowed.220-Local time is now 10:28. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 15 of 50 allowed.220-Local time is now 10:28. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Nov 6, 2024 03:28:01.798157930 CET	49732	21	192.168.2.4	110.4.45.197	USER origin@haliza.com.my
Nov 6, 2024 03:28:02.306466103 CET	21	49732	110.4.45.197	192.168.2.4	331 User origin@haliza.com.my OK. Password required
Nov 6, 2024 03:28:02.306756973 CET	49732	21	192.168.2.4	110.4.45.197	PASS JesusChrist007$
Nov 6, 2024 03:28:02.678149939 CET	21	49732	110.4.45.197	192.168.2.4	230 OK. Current restricted directory is /
Nov 6, 2024 03:28:03.015470982 CET	21	49732	110.4.45.197	192.168.2.4	504 Unknown command
Nov 6, 2024 03:28:03.015645027 CET	49732	21	192.168.2.4	110.4.45.197	PWD
Nov 6, 2024 03:28:03.352417946 CET	21	49732	110.4.45.197	192.168.2.4	257 "/" is your current location
Nov 6, 2024 03:28:03.352799892 CET	49732	21	192.168.2.4	110.4.45.197	TYPE I
Nov 6, 2024 03:28:03.689845085 CET	21	49732	110.4.45.197	192.168.2.4	200 TYPE is now 8-bit binary
Nov 6, 2024 03:28:03.690134048 CET	49732	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:28:04.027106047 CET	21	49732	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,193,31)
Nov 6, 2024 03:28:04.032711983 CET	49732	21	192.168.2.4	110.4.45.197	STOR CO_Chrome_Default.txt_user-367706_2024_11_05_21_48_00.txt
Nov 6, 2024 03:28:04.953937054 CET	21	49732	110.4.45.197	192.168.2.4	150 Accepted data connection
Nov 6, 2024 03:28:05.294531107 CET	21	49732	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.341 seconds (measured here), 9.60 Kbytes per second
Nov 6, 2024 03:28:05.294974089 CET	49732	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:28:05.632144928 CET	21	49732	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,208,118)
Nov 6, 2024 03:28:05.637681007 CET	49732	21	192.168.2.4	110.4.45.197	STOR CO_Firefox_fqs92o4p.default-release.txt_user-367706_2024_11_06_03_46_36.txt
Nov 6, 2024 03:28:06.544385910 CET	21	49732	110.4.45.197	192.168.2.4	150 Accepted data connection
Nov 6, 2024 03:28:06.884769917 CET	21	49732	110.4.45.197	192.168.2.4	226 File successfully transferred
Nov 6, 2024 03:29:33.219414949 CET	21	58717	110.4.45.197	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 28 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 28 of 50 allowed.220-Local time is now 10:29. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 28 of 50 allowed.220-Local time is now 10:29. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 28 of 50 allowed.220-Local time is now 10:29. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 28 of 50 allowed.220-Local time is now 10:29. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Nov 6, 2024 03:29:33.219537020 CET	58717	21	192.168.2.4	110.4.45.197	USER origin@haliza.com.my
Nov 6, 2024 03:29:33.569905996 CET	21	58717	110.4.45.197	192.168.2.4	331 User origin@haliza.com.my OK. Password required
Nov 6, 2024 03:29:33.573812008 CET	58717	21	192.168.2.4	110.4.45.197	PASS JesusChrist007$
Nov 6, 2024 03:29:34.318530083 CET	21	58717	110.4.45.197	192.168.2.4	230 OK. Current restricted directory is /
Nov 6, 2024 03:29:34.670238018 CET	21	58717	110.4.45.197	192.168.2.4	504 Unknown command
Nov 6, 2024 03:29:34.670416117 CET	58717	21	192.168.2.4	110.4.45.197	PWD
Nov 6, 2024 03:29:35.019610882 CET	21	58717	110.4.45.197	192.168.2.4	257 "/" is your current location
Nov 6, 2024 03:29:35.019840002 CET	58717	21	192.168.2.4	110.4.45.197	TYPE I
Nov 6, 2024 03:29:35.369612932 CET	21	58717	110.4.45.197	192.168.2.4	200 TYPE is now 8-bit binary
Nov 6, 2024 03:29:35.369757891 CET	58717	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:29:35.718926907 CET	21	58717	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,233,2)
Nov 6, 2024 03:29:35.724281073 CET	58717	21	192.168.2.4	110.4.45.197	STOR KL_user-367706_2024_11_20_00_56_08.html
Nov 6, 2024 03:29:36.653867960 CET	21	58717	110.4.45.197	192.168.2.4	150 Accepted data connection
Nov 6, 2024 03:29:36.998789072 CET	21	58717	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.345 seconds (measured here), 0.81 Kbytes per second
Nov 6, 2024 03:29:43.442147017 CET	58717	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:29:43.791662931 CET	21	58717	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,200,165)
Nov 6, 2024 03:29:43.796966076 CET	58717	21	192.168.2.4	110.4.45.197	STOR SC_user-367706_2024_11_27_00_46_29.jpeg
Nov 6, 2024 03:29:44.733119965 CET	21	58717	110.4.45.197	192.168.2.4	150 Accepted data connection
Nov 6, 2024 03:29:45.543734074 CET	21	58717	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.810 seconds (measured here), 79.92 Kbytes per second
Nov 6, 2024 03:29:49.525970936 CET	58717	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:29:49.875897884 CET	21	58717	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,211,105)
Nov 6, 2024 03:29:49.882388115 CET	58717	21	192.168.2.4	110.4.45.197	STOR SC_user-367706_2024_12_01_22_15_25.jpeg
Nov 6, 2024 03:29:50.789984941 CET	21	58717	110.4.45.197	192.168.2.4	150 Accepted data connection
Nov 6, 2024 03:29:51.561877012 CET	21	58717	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.772 seconds (measured here), 83.87 Kbytes per second
Nov 6, 2024 03:30:02.770656109 CET	58717	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:30:03.120295048 CET	21	58717	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,252,19)
Nov 6, 2024 03:30:03.130590916 CET	58717	21	192.168.2.4	110.4.45.197	STOR SC_user-367706_2024_12_14_12_26_38.jpeg
Nov 6, 2024 03:30:04.041052103 CET	21	58717	110.4.45.197	192.168.2.4	150 Accepted data connection
Nov 6, 2024 03:30:04.819842100 CET	21	58717	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.779 seconds (measured here), 83.10 Kbytes per second
Nov 6, 2024 03:30:34.214066982 CET	21	58799	110.4.45.197	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 28 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 28 of 50 allowed.220-Local time is now 10:30. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 28 of 50 allowed.220-Local time is now 10:30. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 28 of 50 allowed.220-Local time is now 10:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 28 of 50 allowed.220-Local time is now 10:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Nov 6, 2024 03:30:34.219362974 CET	58799	21	192.168.2.4	110.4.45.197	USER origin@haliza.com.my
Nov 6, 2024 03:30:34.544270039 CET	21	58799	110.4.45.197	192.168.2.4	331 User origin@haliza.com.my OK. Password required
Nov 6, 2024 03:30:34.547436953 CET	58799	21	192.168.2.4	110.4.45.197	PASS JesusChrist007$
Nov 6, 2024 03:30:34.905484915 CET	21	58799	110.4.45.197	192.168.2.4	230 OK. Current restricted directory is /
Nov 6, 2024 03:30:35.230592012 CET	21	58799	110.4.45.197	192.168.2.4	504 Unknown command
Nov 6, 2024 03:30:35.230851889 CET	58799	21	192.168.2.4	110.4.45.197	PWD
Nov 6, 2024 03:30:35.555893898 CET	21	58799	110.4.45.197	192.168.2.4	257 "/" is your current location
Nov 6, 2024 03:30:35.556011915 CET	58799	21	192.168.2.4	110.4.45.197	TYPE I
Nov 6, 2024 03:30:35.881057024 CET	21	58799	110.4.45.197	192.168.2.4	200 TYPE is now 8-bit binary
Nov 6, 2024 03:30:35.884629965 CET	58799	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:30:36.213385105 CET	21	58799	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,209,131)
Nov 6, 2024 03:30:36.223426104 CET	58799	21	192.168.2.4	110.4.45.197	STOR SC_user-367706_2024_12_29_23_28_07.jpeg
Nov 6, 2024 03:30:37.109307051 CET	21	58799	110.4.45.197	192.168.2.4	150 Accepted data connection
Nov 6, 2024 03:30:37.856267929 CET	21	58799	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.745 seconds (measured here), 86.91 Kbytes per second
Nov 6, 2024 03:31:02.161395073 CET	58799	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:31:02.487757921 CET	21	58799	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,255,14)
Nov 6, 2024 03:31:02.497400999 CET	58799	21	192.168.2.4	110.4.45.197	STOR SC_user-367706_2025_01_16_11_52_12.jpeg
Nov 6, 2024 03:31:03.402453899 CET	21	58799	110.4.45.197	192.168.2.4	150 Accepted data connection
Nov 6, 2024 03:31:04.180286884 CET	21	58799	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.777 seconds (measured here), 83.33 Kbytes per second
Nov 6, 2024 03:31:04.720079899 CET	21	58803	110.4.45.197	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 29 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 29 of 50 allowed.220-Local time is now 10:31. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 29 of 50 allowed.220-Local time is now 10:31. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 29 of 50 allowed.220-Local time is now 10:31. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 29 of 50 allowed.220-Local time is now 10:31. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Nov 6, 2024 03:31:04.720211983 CET	58803	21	192.168.2.4	110.4.45.197	USER origin@haliza.com.my
Nov 6, 2024 03:31:05.054861069 CET	21	58803	110.4.45.197	192.168.2.4	331 User origin@haliza.com.my OK. Password required
Nov 6, 2024 03:31:05.055082083 CET	58803	21	192.168.2.4	110.4.45.197	PASS JesusChrist007$
Nov 6, 2024 03:31:05.425643921 CET	21	58803	110.4.45.197	192.168.2.4	230 OK. Current restricted directory is /
Nov 6, 2024 03:31:05.760627031 CET	21	58803	110.4.45.197	192.168.2.4	504 Unknown command
Nov 6, 2024 03:31:05.760745049 CET	58803	21	192.168.2.4	110.4.45.197	PWD
Nov 6, 2024 03:31:06.097362041 CET	21	58803	110.4.45.197	192.168.2.4	257 "/" is your current location
Nov 6, 2024 03:31:06.097554922 CET	58803	21	192.168.2.4	110.4.45.197	TYPE I
Nov 6, 2024 03:31:06.612008095 CET	21	58803	110.4.45.197	192.168.2.4	200 TYPE is now 8-bit binary
Nov 6, 2024 03:31:06.612134933 CET	58803	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:31:06.948785067 CET	21	58803	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,237,8)
Nov 6, 2024 03:31:06.956779003 CET	58803	21	192.168.2.4	110.4.45.197	STOR SC_user-367706_2025_01_19_07_46_37.jpeg
Nov 6, 2024 03:31:07.863445044 CET	21	58803	110.4.45.197	192.168.2.4	150 Accepted data connection
Nov 6, 2024 03:31:08.626807928 CET	21	58803	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.764 seconds (measured here), 84.75 Kbytes per second
Nov 6, 2024 03:31:17.100698948 CET	58803	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:31:17.437263966 CET	21	58803	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,244,59)
Nov 6, 2024 03:31:17.442893982 CET	58803	21	192.168.2.4	110.4.45.197	STOR SC_user-367706_2025_01_27_08_09_00.jpeg
Nov 6, 2024 03:31:18.340233088 CET	21	58803	110.4.45.197	192.168.2.4	150 Accepted data connection
Nov 6, 2024 03:31:19.088221073 CET	21	58803	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.748 seconds (measured here), 86.52 Kbytes per second
Nov 6, 2024 03:31:23.336199999 CET	58803	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:31:23.670943975 CET	21	58803	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,249,160)
Nov 6, 2024 03:31:23.676453114 CET	58803	21	192.168.2.4	110.4.45.197	STOR SC_user-367706_2025_02_01_05_56_15.jpeg
Nov 6, 2024 03:31:24.581120968 CET	21	58803	110.4.45.197	192.168.2.4	150 Accepted data connection
Nov 6, 2024 03:31:25.363502026 CET	21	58803	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.782 seconds (measured here), 82.72 Kbytes per second
Nov 6, 2024 03:31:33.915693998 CET	58803	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:31:34.251508951 CET	21	58803	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,225,59)
Nov 6, 2024 03:31:34.260765076 CET	58803	21	192.168.2.4	110.4.45.197	STOR SC_user-367706_2025_02_10_05_12_55.jpeg
Nov 6, 2024 03:31:35.181025028 CET	21	58803	110.4.45.197	192.168.2.4	150 Accepted data connection
Nov 6, 2024 03:31:35.973961115 CET	21	58803	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.794 seconds (measured here), 81.77 Kbytes per second
Nov 6, 2024 03:31:38.661422968 CET	58803	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:31:38.996103048 CET	21	58803	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,194,179)
Nov 6, 2024 03:31:39.001679897 CET	58803	21	192.168.2.4	110.4.45.197	STOR SC_user-367706_2025_02_14_09_39_19.jpeg
Nov 6, 2024 03:31:39.890305996 CET	21	58803	110.4.45.197	192.168.2.4	150 Accepted data connection
Nov 6, 2024 03:31:40.639200926 CET	21	58803	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.740 seconds (measured here), 87.52 Kbytes per second
Nov 6, 2024 03:31:41.100122929 CET	58803	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:31:41.434815884 CET	21	58803	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,230,232)
Nov 6, 2024 03:31:41.440346003 CET	58803	21	192.168.2.4	110.4.45.197	STOR SC_user-367706_2025_02_17_16_34_25.jpeg
Nov 6, 2024 03:31:42.425790071 CET	21	58803	110.4.45.197	192.168.2.4	150 Accepted data connection
Nov 6, 2024 03:31:43.178364992 CET	21	58803	110.4.45.197	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.837 seconds (measured here), 77.29 Kbytes per second
Nov 6, 2024 03:32:03.615286112 CET	58803	21	192.168.2.4	110.4.45.197	PASV
Nov 6, 2024 03:32:03.949758053 CET	21	58803	110.4.45.197	192.168.2.4	227 Entering Passive Mode (110,4,45,197,236,206)
Nov 6, 2024 03:32:03.955049038 CET	58803	21	192.168.2.4	110.4.45.197	STOR SC_user-367706_2024_11_05_21_32_03.jpeg
Nov 6, 2024 03:32:04.875210047 CET	21	58803	110.4.45.197	192.168.2.4	150 Accepted data connection

Target ID:	0
Start time:	21:27:55
Start date:	05/11/2024
Path:	C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe"
Imagebase:	0x100000
File size:	1'438'208 bytes
MD5 hash:	983BA873783035B8788B52067FBD0DA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.1680578108.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:27:57
Start date:	05/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe"
Imagebase:	0xa10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4122762266.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4122762266.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4122762266.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4121919060.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4121919060.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	21:28:09
Start date:	05/11/2024
Path:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Imagebase:	0x160000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:28:09
Start date:	05/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:28:17
Start date:	05/11/2024
Path:	C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Imagebase:	0x7d0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:28:17
Start date:	05/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	3.5%
Total number of Nodes:	1619
Total number of Limit Nodes:	31

Executed Functions

Function 001042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0010430D

Part of subcall function 00106B57: _wcslen.LIBCMT ref: 00106B6A

GetCurrentProcess.KERNEL32(?,0019CB64,00000000,?,?), ref: 00104422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00104429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00104454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00104466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00104474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0010447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001044A0

Strings

kernel32.dll, xrefs: 0010444F
GetNativeSystemInfo, xrefs: 00104460
|O, xrefs: 001436F8

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 700ac80c662ee5ac448424bf281121790c484dd1d0bc6e8606ead97dfa84bf4b
Instruction ID: d25767c5baea6b4199bb5d137f7404592a2df4a82c6051a487710888289ad7fa
Opcode Fuzzy Hash: 700ac80c662ee5ac448424bf281121790c484dd1d0bc6e8606ead97dfa84bf4b
Instruction Fuzzy Hash: A0A183B290B2C0FFCB15C76EBD811957FA5BB26360B1948ABD1D193E72D3704688CB61

Function 001042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001050AA,?,?,00000000,00000000), ref: 001042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001050AA,?,?,00000000,00000000), ref: 001042C9
LoadResource.KERNEL32(?,00000000,?,?,001050AA,?,?,00000000,00000000,?,?,?,?,?,?,00104F20), ref: 001435BE
SizeofResource.KERNEL32(?,00000000,?,?,001050AA,?,?,00000000,00000000,?,?,?,?,?,?,00104F20), ref: 001435D3
LockResource.KERNEL32(001050AA,?,?,001050AA,?,?,00000000,00000000,?,?,?,?,?,?,00104F20,?), ref: 001435E6

Strings

SCRIPT, xrefs: 001042BF

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ffb2caefb822a901ddda54b2aced911c47d56f4d339595bb3de5c7c416ffbea2
Instruction ID: 10e99e103ae4430333b3d38cf250bfe738667e29fd85ee85c47f354c52eebdf0
Opcode Fuzzy Hash: ffb2caefb822a901ddda54b2aced911c47d56f4d339595bb3de5c7c416ffbea2
Instruction Fuzzy Hash: 03118EB0300700BFDB219B65EC88F677BB9EBC5B51F10416AF582D66A0DBB1DC408A70

Function 00142BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00102B6B

Part of subcall function 00103A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001D1418,?,00102E7F,?,?,?,00000000), ref: 00103A78

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,001C2224), ref: 00142C10
ShellExecuteW.SHELL32(00000000,?,?,001C2224), ref: 00142C17

Strings

runas, xrefs: 00142C0B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: d189a8e29c54915dcf0b2519729780012c83aa103fe1d2eb0d4210b41eaf9723
Instruction ID: 195ae89294bc782a40bc125da0ac84551240d225f61f84f001249599211bfab8
Opcode Fuzzy Hash: d189a8e29c54915dcf0b2519729780012c83aa103fe1d2eb0d4210b41eaf9723
Instruction Fuzzy Hash: 0811E4312083457AC714FF60D856E7E77A8ABB1300F44442EF0D2560E3CFB19689C752

Function 0010D730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0010D807
timeGetTime.WINMM ref: 0010DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0010DB28
TranslateMessage.USER32(?), ref: 0010DB7B
DispatchMessageW.USER32(?), ref: 0010DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0010DB9F
Sleep.KERNEL32(0000000A), ref: 0010DBB1

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 21226de8d9801f303433aa20ee51a8648d9f22e84a7f4676308339e7413e9e44
Instruction ID: da0391c14012a865788eef7d7189e30d0e4693d86be21171f82545f61636d7bd
Opcode Fuzzy Hash: 21226de8d9801f303433aa20ee51a8648d9f22e84a7f4676308339e7413e9e44
Instruction Fuzzy Hash: D742E331608341EFD729CF64D844BAAB7E0BF56314F55851EF8A58B2D1D7B0E888CB92

Function 00102CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00102D07
RegisterClassExW.USER32(00000030), ref: 00102D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00102D42
InitCommonControlsEx.COMCTL32(?), ref: 00102D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00102D6F
LoadIconW.USER32(000000A9), ref: 00102D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00102D94

Strings

0, xrefs: 00102CE9
TaskbarCreated, xrefs: 00102D37
AutoIt v3 GUI, xrefs: 00102D23
+, xrefs: 00102CF0

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: dc5e5e6d5d5eddf5d379ac66b69e7c9c339387971b604d16e2968336bedd1996
Instruction ID: 0b906844ee0ad75d66e5ce643b36819d925b90f7c66e3042b94b3a33e2201c5e
Opcode Fuzzy Hash: dc5e5e6d5d5eddf5d379ac66b69e7c9c339387971b604d16e2968336bedd1996
Instruction Fuzzy Hash: 8A21C0B5902218BFEB04DFA4E999BDDBBB8FB08704F00811BF551A66A0D7B15584CFA1

Function 0014065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0014039A: CreateFileW.KERNELBASE(00000000,00000000,?,00140704,?,?,00000000,?,00140704,00000000,0000000C), ref: 001403B7

GetLastError.KERNEL32 ref: 0014076F
__dosmaperr.LIBCMT ref: 00140776
GetFileType.KERNELBASE(00000000), ref: 00140782
GetLastError.KERNEL32 ref: 0014078C
__dosmaperr.LIBCMT ref: 00140795
CloseHandle.KERNEL32(00000000), ref: 001407B5
CloseHandle.KERNEL32(?), ref: 001408FF
GetLastError.KERNEL32 ref: 00140931
__dosmaperr.LIBCMT ref: 00140938

Strings

H, xrefs: 001408BD

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 8ff2c509f47ed1c4e7266f1ae495970b7b97a75c0d3ea200a3bf99a897e3c3b5
Instruction ID: 5872e84bebb24fb43f813c8127a81a85af9fdd4c1d7df5fa71381c29360741a6
Opcode Fuzzy Hash: 8ff2c509f47ed1c4e7266f1ae495970b7b97a75c0d3ea200a3bf99a897e3c3b5
Instruction Fuzzy Hash: 43A11532A041148FDF1AAF68D851BAE7BB0EB0A320F24015EF9559B3A1D7359D53CB91

Function 0010344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00103A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001D1418,?,00102E7F,?,?,?,00000000), ref: 00103A78

Part of subcall function 00103357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00103379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0010356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0014318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001431CE
RegCloseKey.ADVAPI32(?), ref: 00143210
_wcslen.LIBCMT ref: 00143277
_wcslen.LIBCMT ref: 00143286

Strings

\Include\, xrefs: 00103527
Software\AutoIt v3\AutoIt, xrefs: 00103560
\, xrefs: 0014328C
Include, xrefs: 00143184, 001431C5

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 74134fd612d104aa22056dd922abe1f6fec8e8f8cfc3ffc05975a589e0d23b9f
Instruction ID: 53c74606badf6727635c2bf6b496fe404d3d45e3a62be0e52d38cb1f12c801ea
Opcode Fuzzy Hash: 74134fd612d104aa22056dd922abe1f6fec8e8f8cfc3ffc05975a589e0d23b9f
Instruction Fuzzy Hash: B571B371506301AFC704EF69EC8195BBBE8FFA8340F40052EF5A5971B0DBB09A88CB61

Function 00102B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00102B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00102B9D
LoadIconW.USER32(00000063), ref: 00102BB3
LoadIconW.USER32(000000A4), ref: 00102BC5
LoadIconW.USER32(000000A2), ref: 00102BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00102BEF
RegisterClassExW.USER32(?), ref: 00102C40

Part of subcall function 00102CD4: GetSysColorBrush.USER32(0000000F), ref: 00102D07
Part of subcall function 00102CD4: RegisterClassExW.USER32(00000030), ref: 00102D31
Part of subcall function 00102CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00102D42
Part of subcall function 00102CD4: InitCommonControlsEx.COMCTL32(?), ref: 00102D5F
Part of subcall function 00102CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00102D6F
Part of subcall function 00102CD4: LoadIconW.USER32(000000A9), ref: 00102D85
Part of subcall function 00102CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00102D94

Strings

0, xrefs: 00102C0F
AutoIt v3, xrefs: 00102C2F
#, xrefs: 00102C16

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0ca0b1d408aea629ebc4102b250de8b1a1aa0a2204a0b275c0221e045dbc64f4
Instruction ID: 3db3dc580c9961a0071fe03fe5a8c89778e4da786413570f0ad4e69d0d50f6cf
Opcode Fuzzy Hash: 0ca0b1d408aea629ebc4102b250de8b1a1aa0a2204a0b275c0221e045dbc64f4
Instruction Fuzzy Hash: 0F212970E02318BBEB109FE5ED59AAD7FB4FB48B60F44011BE544A6AA0D7B11580CF90

Function 00103170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0010316A,?,?), ref: 001031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0010316A,?,?), ref: 00103204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00103227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0010316A,?,?), ref: 00103232
CreatePopupMenu.USER32 ref: 00103246
PostQuitMessage.USER32(00000000), ref: 00103267

Strings

TaskbarCreated, xrefs: 0010322D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 463ec3e8e92bf5c0d17f92703e93674c874358dab8a5b5384d9fbc97005f345e
Instruction ID: f20a0e854eb89e6580fa0317957f2c6eb2f190559dbe1385e6b621834fc55f05
Opcode Fuzzy Hash: 463ec3e8e92bf5c0d17f92703e93674c874358dab8a5b5384d9fbc97005f345e
Instruction Fuzzy Hash: FB415B39241200BBDB1C2BB89D2DB79371EFB19354F040127F9E296AE1C7F08AC097A1

Function 01A28DC0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01A28E91
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01A290B7

Memory Dump Source

Source File: 00000000.00000002.1683947429.0000000001A26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a26000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: ab5f4a49b83b9b9f2052caa9943d358cdb7e4a71b2d5cd487fa0f731aaa88a49
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: 0FA12A70E04229EBDB14CFA8C954BEEBBB6FF48704F208559E605BB280D7799A40CF54

Function 00102C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00102C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00102CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00101CAD,?), ref: 00102CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00101CAD,?), ref: 00102CCF

Strings

AutoIt v3, xrefs: 00102C89, 00102C8E, 00102C8F
edit, xrefs: 00102CAC

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 56283213908948b681001b67106a2976163c8ea4147ebc3d7afde412b0e105fc
Instruction ID: cb44e5c2a8d3280ec785772f14302122733cb2ca3995df2f7dbe3cbe47fda035
Opcode Fuzzy Hash: 56283213908948b681001b67106a2976163c8ea4147ebc3d7afde412b0e105fc
Instruction Fuzzy Hash: 92F0DA756422907BEB311717AC08E773FBDE7C6F60B00005BF904A29A0C6651890DAB0

Function 01A28B30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 164
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01A28A20: Sleep.KERNELBASE(000001F4), ref: 01A28A31

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01A28CA4

Strings

0ATIM8PCKJ9DX2D9C373H8YHRWPCYZ, xrefs: 01A28D0D, 01A28D10

Memory Dump Source

Source File: 00000000.00000002.1683947429.0000000001A26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a26000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CreateFileSleep
String ID: 0ATIM8PCKJ9DX2D9C373H8YHRWPCYZ
API String ID: 2694422964-1583062125
Opcode ID: c35e75187d3af110107feebefc592b0f76b019a8dc8e52fc24886109a24b92b7
Instruction ID: 9a6a9448fddff784fc97b7f0f98102d2ae98e2680d1c7690ee1c0c3361e177e9
Opcode Fuzzy Hash: c35e75187d3af110107feebefc592b0f76b019a8dc8e52fc24886109a24b92b7
Instruction Fuzzy Hash: 69719530D0429CDAEF11DBE8D8547EEBBB5AF15304F044199E6487B2C1D7B90B49CBA6

Function 00103B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00103B0F,SwapMouseButtons,00000004,?), ref: 00103B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00103B0F,SwapMouseButtons,00000004,?), ref: 00103B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00103B0F,SwapMouseButtons,00000004,?), ref: 00103B83

Strings

Control Panel\Mouse, xrefs: 00103B3E

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0e34b66e0718cfe304d0991b3e80964d91ea9ebd8b8b16d0337fa9bc24926aec
Instruction ID: ec284495994553744e153c0b001f03f3164ecd0162e4ad00196a59590a02a1dc
Opcode Fuzzy Hash: 0e34b66e0718cfe304d0991b3e80964d91ea9ebd8b8b16d0337fa9bc24926aec
Instruction Fuzzy Hash: 9F1157B5610208FFDB208FA4DC84AAEBBBCEF40748B10846AB851D7150E3719E409BA0

Function 01A27A20 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01A2824D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01A28271
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01A28293

Memory Dump Source

Source File: 00000000.00000002.1683947429.0000000001A26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a26000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 9ff7d806dc6ef1cc8f26af8a7a5011723b62bd23310367b846ce676590f9e849
Instruction ID: 93c77214f5f05af912f64fa871f209ffb5b0c81a7eca99bb7216a21286e7ef2e
Opcode Fuzzy Hash: 9ff7d806dc6ef1cc8f26af8a7a5011723b62bd23310367b846ce676590f9e849
Instruction Fuzzy Hash: C0620E30A14658DBEB24CFA8C850BDEB775EF58300F1091A9E10DEB394E7799E81CB59

Function 00103923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001433A2

Part of subcall function 00106B57: _wcslen.LIBCMT ref: 00106B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00103A04

Strings

Line: , xrefs: 001433EB

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: f61c40ce4aad90715dfe683d2f80b9d46a59343f1536aac3d2e6405abd8e88f3
Instruction ID: 1d5683d5cf7c1b0a718f0d3f3a80a2f3a2532d2afe8d5456d4a8ae39793b1da5
Opcode Fuzzy Hash: f61c40ce4aad90715dfe683d2f80b9d46a59343f1536aac3d2e6405abd8e88f3
Instruction Fuzzy Hash: 7E31CD71509304BAC324EB20D845BEAB3DCBB54324F00492BF5E9821D1DBB09A89C7C2

Function 0011FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00120668

Part of subcall function 001232A4: RaiseException.KERNEL32(?,?,?,0012068A,?,001D1444,?,?,?,?,?,?,0012068A,00101129,001C8738,00101129), ref: 00123304

__CxxThrowException@8.LIBVCRUNTIME ref: 00120685

Strings

Unknown exception, xrefs: 00120692

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b9e7cbd4d0c9595ab1e963fdc39409317c41c594d82a05b2615be8c5be28ad7b
Instruction ID: 52f42cddaa50346f49e4db09ae1f7cbac48368124a5117bbefddfc133f7f9406
Opcode Fuzzy Hash: b9e7cbd4d0c9595ab1e963fdc39409317c41c594d82a05b2615be8c5be28ad7b
Instruction Fuzzy Hash: 9DF0C23490022DB7CF05BAA4F846DAE7B6C5E24310B604639B824D65D3EF71DA76C6C0

Function 00187F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 001882F5
TerminateProcess.KERNEL32(00000000), ref: 001882FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 001884DD

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 25be1328cd3263395947bb0903fe342257f215a91b1311aff3cf74105fb7fc75
Instruction ID: e4d1858cdda41dc855806e18bba44531ddaaa609d18985567c96fd6a5c54fc0e
Opcode Fuzzy Hash: 25be1328cd3263395947bb0903fe342257f215a91b1311aff3cf74105fb7fc75
Instruction Fuzzy Hash: 51126B719083019FC714EF28C484B6ABBE5BF94314F44895DF8998B292DB71EE45CF92

Function 001010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00101BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00101BF4
Part of subcall function 00101BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00101BFC
Part of subcall function 00101BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00101C07
Part of subcall function 00101BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00101C12
Part of subcall function 00101BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00101C1A
Part of subcall function 00101BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00101C22

Part of subcall function 00101B4A: RegisterWindowMessageW.USER32(00000004,?,001012C4), ref: 00101BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0010136A
OleInitialize.OLE32 ref: 00101388
CloseHandle.KERNEL32(00000000,00000000), ref: 001424AB

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 08c53d1cfb53e48d6b1a744412b45fa694fb18fa6bdc2864ea364846892d4974
Instruction ID: 467702204e5e08a21187c4844227d2e5a12830015e96d0c8932159099700a2b7
Opcode Fuzzy Hash: 08c53d1cfb53e48d6b1a744412b45fa694fb18fa6bdc2864ea364846892d4974
Instruction Fuzzy Hash: 5C719BB5A03300BFC784DFB9BA456953BE1FB9A344354822BD44AD7BA2EB784481CF51

Function 001386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001385CC,?,001C8CC8,0000000C), ref: 00138704
GetLastError.KERNEL32(?,001385CC,?,001C8CC8,0000000C), ref: 0013870E
__dosmaperr.LIBCMT ref: 00138739

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: a61797c83c5261a309f507416a3cc9d92f39cf9060ec9580a88118770800f379
Instruction ID: bb506624cff6c0a591ce2e63fd8146fa4c626cdab05141a2239d4787264f5d4c
Opcode Fuzzy Hash: a61797c83c5261a309f507416a3cc9d92f39cf9060ec9580a88118770800f379
Instruction Fuzzy Hash: F8014932A0572027DB356334A947B7E675A9B92B74F39011EF8199B1D2DFA0CCC18190

Function 00111310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001117F6

Strings

CALL, xrefs: 001117C6

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 467ec1e401d2cfdd43acbc456178a7e6aa9b1d2808683518e8aec2653a7bce3d
Instruction ID: 1c765566a06639f3182055363cdcdffc85380075a23e6c3672163e99a9795dcc
Opcode Fuzzy Hash: 467ec1e401d2cfdd43acbc456178a7e6aa9b1d2808683518e8aec2653a7bce3d
Instruction Fuzzy Hash: 28228C70608201EFC718DF14C494AAAFBF2BF95314F54892DF9968B3A1D771E885CB82

Function 00102DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00142C8C

Part of subcall function 00103AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00103A97,?,?,00102E7F,?,?,?,00000000), ref: 00103AC2

Part of subcall function 00102DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00102DC4

Strings

X, xrefs: 00142C5A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 5ebe2fad1fff22d5a245ac33944a344087d595b5d6b2e2035f35514834407309
Instruction ID: bded4bf403a6f601f7e79f78c305684037522c981e69ef09dd361806b786e379
Opcode Fuzzy Hash: 5ebe2fad1fff22d5a245ac33944a344087d595b5d6b2e2035f35514834407309
Instruction Fuzzy Hash: 45219671A00258ABCB05DF94D849BDE7BFCAF59314F00405AE445F7281DBF499898B61

Function 00103837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00103908

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: d8629ac5be4887a4ff2d5b73f061c63d8067315afd17c19cb6e06974d0d121e6
Instruction ID: 24e89a286788db490f72e1ecb29d1d6ffceea026bb3d8469954dfee6fc64a5e0
Opcode Fuzzy Hash: d8629ac5be4887a4ff2d5b73f061c63d8067315afd17c19cb6e06974d0d121e6
Instruction Fuzzy Hash: 0E319370605701AFD720DF24D884797BBE8FB49718F00096FF5E983690E7B1AA44CB52

Function 00105745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0010949C,?,00008000), ref: 00105773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0010949C,?,00008000), ref: 00144052

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dbf3a0bdc6612c293da5ee78400e85e47dd1f555a5f7317ed839300569052592
Instruction ID: 6d793f7878d4cf3642c244ba5b1779d382f0bfc4d3f92f6111335c861f5d746c
Opcode Fuzzy Hash: dbf3a0bdc6612c293da5ee78400e85e47dd1f555a5f7317ed839300569052592
Instruction Fuzzy Hash: 30015231145225F6E3305A2ADC0EF977F99EF067B0F158311BA9C5A1E0CBB45854DBD4

Function 0010B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0010BB4E

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: f7b65088a170fc8090a97ef319cd23229fc5073f878b21e8ceb85c230bb6c12a
Instruction ID: be890e625f208ca336f174398b35f712aed7752362f0ac1e656f5e514636efef
Opcode Fuzzy Hash: f7b65088a170fc8090a97ef319cd23229fc5073f878b21e8ceb85c230bb6c12a
Instruction Fuzzy Hash: CC32CF70A08209EFCB15CF54C8D4ABAB7B5FF58304F15805AED65AB2A1C7B4ED81CB51

Function 01A27A1D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01A2824D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01A28271
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01A28293

Memory Dump Source

Source File: 00000000.00000002.1683947429.0000000001A26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a26000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction ID: 11136667990396a767e8ca82da5ea568a6f7891985a5f7bffadd549bbdd3f36a
Opcode Fuzzy Hash: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction Fuzzy Hash: 8C12BE24E14668C6EB24DF64D8507DEB272EF68300F1090E9D10DEB7A5E77A4F81CB5A

Function 0011FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0011FD1F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: f213549c07ad96a80d5ccb61a14119e1faa903b25e0f789262bf3ac3f5f54d6a
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B831D575A00109DBCB1CDF59E480AA9F7A5FF89310B2586B9E80ACB655D731EDC2DBC0

Function 00104ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00104E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00104EDD,?,001D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00104E9C
Part of subcall function 00104E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00104EAE
Part of subcall function 00104E90: FreeLibrary.KERNEL32(00000000,?,?,00104EDD,?,001D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00104EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,001D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00104EFD

Part of subcall function 00104E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00143CDE,?,001D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00104E62
Part of subcall function 00104E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00104E74
Part of subcall function 00104E59: FreeLibrary.KERNEL32(00000000,?,?,00143CDE,?,001D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00104E87

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 5fc19f929db5b477d3b826b7561e5f67404e768c64eda3a4aae9cc83538e6760
Instruction ID: 0620521c040e9a1876acaf0e515d022a0adfc4f57249f6868637e66bdfdb1f42
Opcode Fuzzy Hash: 5fc19f929db5b477d3b826b7561e5f67404e768c64eda3a4aae9cc83538e6760
Instruction Fuzzy Hash: 59112771600206ABDF14BB64DC82FAD77A59F60711F10842EF6C2A61D1EFF49A059B90

Function 00138402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00138440

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 5b369bf648f36441aab4cd116f1692cf1f6cd5ee56b9271afb598cce7ef5c3db
Instruction ID: d3d9587c9977175bb9836ec24946796a2481c447209622f38b7c77869c9b6536
Opcode Fuzzy Hash: 5b369bf648f36441aab4cd116f1692cf1f6cd5ee56b9271afb598cce7ef5c3db
Instruction Fuzzy Hash: 79112A7590420AAFCF16DF58E941A9E7BF5EF48314F154059FC08AB312DB31DA11CBA5

Function 00135000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00134C7D: RtlAllocateHeap.NTDLL(00000008,00101129,00000000,?,00132E29,00000001,00000364,?,?,?,0012F2DE,00133863,001D1444,?,0011FDF5,?), ref: 00134CBE

_free.LIBCMT ref: 0013506C

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 8f6ef1e059f56e605e6de8391390098502112ac4dffe3b28d75b2b04857066fa
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 3C0126722047046BE3258F659881A5AFBE9FB89370F25051DF19483280EB31A805C7B4

Function 0012E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: e2b852b42a9e585077a007c3781a9336ff3beebe6f1a575ea9eaeb292efdd53d
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 8EF0F432510A309BCB313A69BC05B5A33D89F72335F100729F424931D2DB74E8128AA5

Function 00109CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00109CBD

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: daa1ec522d7e5d217855691e78f7439a1b365263ee3c5ae7c9657e0e4f3ea7de
Instruction ID: 2f31fe1a90d790dfcfa28a364d095e3b06c3ad6cba3dce8f572f0397c35de455
Opcode Fuzzy Hash: daa1ec522d7e5d217855691e78f7439a1b365263ee3c5ae7c9657e0e4f3ea7de
Instruction Fuzzy Hash: 48F028B36016007ED7149F28D802AABBB94EB54760F10853EF619CB1D2DB71E450C7A0

Function 00134C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00101129,00000000,?,00132E29,00000001,00000364,?,?,?,0012F2DE,00133863,001D1444,?,0011FDF5,?), ref: 00134CBE

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7666cb19abed96a76f2ee65128b17a2bbf0fc2d76eb068ddc2b1133626178687
Instruction ID: 03888dd209593fa4331914d4494c815629e62e485a2b12c646ab810c135e5da8
Opcode Fuzzy Hash: 7666cb19abed96a76f2ee65128b17a2bbf0fc2d76eb068ddc2b1133626178687
Instruction Fuzzy Hash: 8AF0E231603234B7EF215F62AC09B5A3788FF917B0F155126F819AA291CB70FC1296E4

Function 00133820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,001D1444,?,0011FDF5,?,?,0010A976,00000010,001D1440,001013FC,?,001013C6,?,00101129), ref: 00133852

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ec261721ad5d3ff2e814c58e28d33d719944a9d8db3fc6c8c56d534afcec6c3b
Instruction ID: dd7eeddec01c4c64bca1f349ef8efa9cc8aefabeaa6e52aece6c947f835423a0
Opcode Fuzzy Hash: ec261721ad5d3ff2e814c58e28d33d719944a9d8db3fc6c8c56d534afcec6c3b
Instruction Fuzzy Hash: 12E0E531101234E7E7212A66AC00B9A3748AF427B0F0602B5BC24A28E0CB10DD0281EC

Function 00104F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,001D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00104F6D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c8758ff85b0d2da184b1c6ee8bfb6d5f62ceae7b81bba7edd99476ab0e1cf31e
Instruction ID: 52cb21511133da7fa4f9bb1492a6f625241ed8813f0f2d5ff332c03de9d0647b
Opcode Fuzzy Hash: c8758ff85b0d2da184b1c6ee8bfb6d5f62ceae7b81bba7edd99476ab0e1cf31e
Instruction Fuzzy Hash: 4FF030B1105752CFDB389F68E4D0822B7E4EF14319310897EE3DA82551C7B19884DF50

Function 0016CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0014EE51,001C3630,00000002), ref: 0016CD26

Part of subcall function 0016CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0016CD19,?,?,?), ref: 0016CC59
Part of subcall function 0016CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0016CD19,?,?,?,?,0014EE51,001C3630,00000002), ref: 0016CC6E
Part of subcall function 0016CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0016CD19,?,?,?,?,0014EE51,001C3630,00000002), ref: 0016CC7A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: cfbf35235458562387335dcd4badfed2321e23f36c8185a7b8f23637d41349ec
Instruction ID: d77b40c028e6a1f949223a3409c337e793ce30687057125fc899e749fe81379b
Opcode Fuzzy Hash: cfbf35235458562387335dcd4badfed2321e23f36c8185a7b8f23637d41349ec
Instruction Fuzzy Hash: 72E06D7A400704EFC7219F8ADD008AABBF8FFC4361710852FE99AC2510D3B1AA54DFA0

Function 00102DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00102DC4

Part of subcall function 00106B57: _wcslen.LIBCMT ref: 00106B6A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: c46d8bed4afc025813201942b31c6e8a1aa798de75ced81ed1add3798077f70a
Instruction ID: 12e28fdbd291b2e4865b6af8146e75388e5ce33ac29fe9ed019f55d3bc551007
Opcode Fuzzy Hash: c46d8bed4afc025813201942b31c6e8a1aa798de75ced81ed1add3798077f70a
Instruction Fuzzy Hash: 61E0CD726001245BC710D7589C05FDA77DDDFC8790F040071FD49D7258DA60ADC48590

Function 00102B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00103837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00103908

Part of subcall function 0010D730: GetInputState.USER32 ref: 0010D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00102B6B

Part of subcall function 001030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0010314E

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: bc97a9f8f10d25bfa9490293494fa5c5008a3155f9f2cac5c51d94f335e295ae
Instruction ID: 5a4355af016b362a8f7ab0d52e95de29ffed85d5425a71d7c10a377b1d7abd33
Opcode Fuzzy Hash: bc97a9f8f10d25bfa9490293494fa5c5008a3155f9f2cac5c51d94f335e295ae
Instruction Fuzzy Hash: 8EE07D3130020427C604BBB0A81257DB34D9BF1311F40453FF1D2432E3CFE046854351

Function 0014039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00140704,?,?,00000000,?,00140704,00000000,0000000C), ref: 001403B7

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8b82658d6736db888d311be0e0ffa3e5cf20d6694aae5b4172000db6c79a16b5
Instruction ID: 354257d911e73cad98f52b7d4e685207a8a0b905cc3f83e7e6499cd5e7492fd1
Opcode Fuzzy Hash: 8b82658d6736db888d311be0e0ffa3e5cf20d6694aae5b4172000db6c79a16b5
Instruction Fuzzy Hash: 0DD06C3204010DFBDF029F84DD06EDA3BAAFB48714F014010BE5856020C732E861AB94

Function 00101CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00101CBC

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0f14b358624a774317554831d6c2d36b40c33c6b02b00c5f7dd99d7b3116f8c3
Instruction ID: cc2e329786089ff63f8b91855386f3cc23ea6610e5aec11127e3593a7f1457c4
Opcode Fuzzy Hash: 0f14b358624a774317554831d6c2d36b40c33c6b02b00c5f7dd99d7b3116f8c3
Instruction Fuzzy Hash: D2C09236382305BFF2148B84BC4AF507764B358B10F448003F649A9DE3C3B228A0EA90

Function 0017744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00105745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0010949C,?,00008000), ref: 00105773

GetLastError.KERNEL32(00000002,00000000), ref: 001776DE

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: bb73152be91f4a51795ed3ab3d7a08cadd322e33e86f6c0072e3319da4ff26c5
Instruction ID: 56097f5e8fac39d6f28e84f8c59128eb92243d1ee896f44fc24309276562ead1
Opcode Fuzzy Hash: bb73152be91f4a51795ed3ab3d7a08cadd322e33e86f6c0072e3319da4ff26c5
Instruction Fuzzy Hash: B9816D306087019FDB14EF28C491A6AB7F1BF99314F04856DF89A5B2E2DB70ED45CB92

Function 01A28A1C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01A28A31

Memory Dump Source

Source File: 00000000.00000002.1683947429.0000000001A26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a26000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 22d94cbf927824cfae95c92fdc1b90d9ed631f148af0b1ee0319ea78397ece64
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 56E0BF7494010DEFDB00EFA8D5496DE7FB4EF04701F1005A1FD05D7681DB309E548A62

Function 00106246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,001424E0), ref: 00106266

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1d7ec422df4910c04834668b70f9c4b8d8fa14d41429043b262c5450c406bb10
Instruction ID: 6ad6b6cb49fbbfe87cabc5dd59a31c3dc60dc7db100d67d9dc20380c6411fd06
Opcode Fuzzy Hash: 1d7ec422df4910c04834668b70f9c4b8d8fa14d41429043b262c5450c406bb10
Instruction Fuzzy Hash: F8E09275400B01CEC3314F1AE904412FBE5FFE13613214A2ED0E6926A0D3B058968B50

Function 01A28A20 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01A28A31

Memory Dump Source

Source File: 00000000.00000002.1683947429.0000000001A26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a26000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: f54cdc9a8539ea02027bdef6063046a7dd6605aff5e2391e9991f5ed66d074d7
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 7FE0E67494010DDFDB00EFB8D54969E7FF4EF04701F100161FD05D2281DA309D508A72

Non-executed Functions

Function 00199576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00119BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00119BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0019961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0019965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0019969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001996C9
SendMessageW.USER32 ref: 001996F2
GetKeyState.USER32(00000011), ref: 0019978B
GetKeyState.USER32(00000009), ref: 00199798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001997AE
GetKeyState.USER32(00000010), ref: 001997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001997E9
SendMessageW.USER32 ref: 00199810
SendMessageW.USER32(?,00001030,?,00197E95), ref: 00199918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0019992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00199941
SetCapture.USER32(?), ref: 0019994A
ClientToScreen.USER32(?,?), ref: 001999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001999D6
ReleaseCapture.USER32 ref: 001999E1
GetCursorPos.USER32(?), ref: 00199A19
ScreenToClient.USER32(?,?), ref: 00199A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00199A80
SendMessageW.USER32 ref: 00199AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00199AEB
SendMessageW.USER32 ref: 00199B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00199B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00199B4A
GetCursorPos.USER32(?), ref: 00199B68
ScreenToClient.USER32(?,?), ref: 00199B75
GetParent.USER32(?), ref: 00199B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00199BFA
SendMessageW.USER32 ref: 00199C2B
ClientToScreen.USER32(?,?), ref: 00199C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00199CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00199CDE
SendMessageW.USER32 ref: 00199D01
ClientToScreen.USER32(?,?), ref: 00199D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00199D82

Part of subcall function 00119944: GetWindowLongW.USER32(?,000000EB), ref: 00119952

GetWindowLongW.USER32(?,000000F0), ref: 00199E05

Strings

@GUI_DRAGID, xrefs: 0019997D
F, xrefs: 00199D07

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: a1b04c38c91c1204662dc48cf5574cec24c771d18ca231c573c31efcae89b5be
Instruction ID: eb6c9511ba96424f4dabdb2e51e9f3a80caa03066abf16cd204aff6a0600fe51
Opcode Fuzzy Hash: a1b04c38c91c1204662dc48cf5574cec24c771d18ca231c573c31efcae89b5be
Instruction Fuzzy Hash: 1842BD75205241AFDB24CF68CC94EAABBE5FF49314F10061EF699876A1D731E890CF92

Function 00194873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00194908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00194927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0019494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0019495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0019497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00194A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00194A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00194A7E
IsMenu.USER32(?), ref: 00194A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00194AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00194B20
GetWindowLongW.USER32(?,000000F0), ref: 00194B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00194BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00194C82
wsprintfW.USER32 ref: 00194CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00194CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00194CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00194D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00194D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00194D5A

Strings

%d/%02d/%02d, xrefs: 00194CA8

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 087e9d55b36059cba41bbbb79f53ff16d0aeeac58462fce877a3d7a8daceda36
Instruction ID: 5765d33a05a16bf648b5872ecdd152b5f82005be3dc1220b2ce16a602a720230
Opcode Fuzzy Hash: 087e9d55b36059cba41bbbb79f53ff16d0aeeac58462fce877a3d7a8daceda36
Instruction Fuzzy Hash: 4C12CE71600215ABEF288F68CC49FEE7BF8AF45710F144129F516DB2E1DB749982CB90

Function 0011F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0011F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0015F474
IsIconic.USER32(00000000), ref: 0015F47D
ShowWindow.USER32(00000000,00000009), ref: 0015F48A
SetForegroundWindow.USER32(00000000), ref: 0015F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0015F4AA
GetCurrentThreadId.KERNEL32 ref: 0015F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0015F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0015F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0015F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0015F4DE
SetForegroundWindow.USER32(00000000), ref: 0015F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0015F4F6
keybd_event.USER32(00000012,00000000), ref: 0015F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0015F50B
keybd_event.USER32(00000012,00000000), ref: 0015F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0015F519
keybd_event.USER32(00000012,00000000), ref: 0015F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0015F528
keybd_event.USER32(00000012,00000000), ref: 0015F52D
SetForegroundWindow.USER32(00000000), ref: 0015F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0015F557

Strings

Shell_TrayWnd, xrefs: 0015F46F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6c9c8b37bbeb80c12ea660d595d07ce4720efe676b2659419f9f53a945344e8c
Instruction ID: 470dc1bcd35b81923efc558840ffbc91940c1aea2542806f64dddce01a6d24c5
Opcode Fuzzy Hash: 6c9c8b37bbeb80c12ea660d595d07ce4720efe676b2659419f9f53a945344e8c
Instruction Fuzzy Hash: 88316571B40318BBEB206BB55C4AFBF7E6CEB44B51F11042AFA04EA1D1D7B15D41AEA0

Function 00161201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0016170D
Part of subcall function 001616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0016173A
Part of subcall function 001616C3: GetLastError.KERNEL32 ref: 0016174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00161286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001612A8
CloseHandle.KERNEL32(?), ref: 001612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001612D1
GetProcessWindowStation.USER32 ref: 001612EA
SetProcessWindowStation.USER32(00000000), ref: 001612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00161310

Part of subcall function 001610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001611FC), ref: 001610D4
Part of subcall function 001610BF: CloseHandle.KERNEL32(?,?,001611FC), ref: 001610E9

Strings

default, xrefs: 0016130B
winsta0, xrefs: 001612CC
, xrefs: 0016125A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 4a2b4ace935a6004dc57ec8e2fa75f2428fe8d222c5a951948db6e4024adad38
Instruction ID: 02a09a36b2e433ccb12b24f42940d6e84f82832c281a4ff6f661fb8e94af8acc
Opcode Fuzzy Hash: 4a2b4ace935a6004dc57ec8e2fa75f2428fe8d222c5a951948db6e4024adad38
Instruction Fuzzy Hash: 66819D71901209BFDF219FA4DC49FEE7BB9EF04704F18412AF911A72A0DB7199A4CB61

Function 00160B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00161114
Part of subcall function 001610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00160B9B,?,?,?), ref: 00161120
Part of subcall function 001610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00160B9B,?,?,?), ref: 0016112F
Part of subcall function 001610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00160B9B,?,?,?), ref: 00161136
Part of subcall function 001610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0016114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00160BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00160C00
GetLengthSid.ADVAPI32(?), ref: 00160C17
GetAce.ADVAPI32(?,00000000,?), ref: 00160C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00160C6D
GetLengthSid.ADVAPI32(?), ref: 00160C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00160C8C
HeapAlloc.KERNEL32(00000000), ref: 00160C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00160CB4
CopySid.ADVAPI32(00000000), ref: 00160CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00160CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00160D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00160D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00160D45
HeapFree.KERNEL32(00000000), ref: 00160D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00160D55
HeapFree.KERNEL32(00000000), ref: 00160D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00160D65
HeapFree.KERNEL32(00000000), ref: 00160D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00160D78
HeapFree.KERNEL32(00000000), ref: 00160D7F

Part of subcall function 00161193: GetProcessHeap.KERNEL32(00000008,00160BB1,?,00000000,?,00160BB1,?), ref: 001611A1
Part of subcall function 00161193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00160BB1,?), ref: 001611A8
Part of subcall function 00161193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00160BB1,?), ref: 001611B7

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: df3292c40711fc34f2fd60b76a2de36c9515da88d56271ba4212cdcb58e55ef2
Instruction ID: a633918f7801051cc90df9d4188602d3df8908e1158921c8d03caa3e2a1cd682
Opcode Fuzzy Hash: df3292c40711fc34f2fd60b76a2de36c9515da88d56271ba4212cdcb58e55ef2
Instruction Fuzzy Hash: D871697690020AAFDF11DFE4DC44BAFBBB8BF09310F044626F954A6291D771AA55CBA0

Function 0017EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0019CC08), ref: 0017EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0017EB37
GetClipboardData.USER32(0000000D), ref: 0017EB43
CloseClipboard.USER32 ref: 0017EB4F
GlobalLock.KERNEL32(00000000), ref: 0017EB87
CloseClipboard.USER32 ref: 0017EB91
GlobalUnlock.KERNEL32(00000000), ref: 0017EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0017EBC9
GetClipboardData.USER32(00000001), ref: 0017EBD1
GlobalLock.KERNEL32(00000000), ref: 0017EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0017EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0017EC38
GetClipboardData.USER32(0000000F), ref: 0017EC44
GlobalLock.KERNEL32(00000000), ref: 0017EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0017EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0017EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0017ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0017ECF3
CountClipboardFormats.USER32 ref: 0017ED14
CloseClipboard.USER32 ref: 0017ED59

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: fe33d8f345cdbf0b13182a809da652b045027fdd3d8b89385e34066a871fd57b
Instruction ID: 87ab32b76bf0bd5d2f9c29d29f48323a4b9a4d152e7c215c7d6d22b4998671b4
Opcode Fuzzy Hash: fe33d8f345cdbf0b13182a809da652b045027fdd3d8b89385e34066a871fd57b
Instruction Fuzzy Hash: 0F61F4342043019FD310EF64D894F2A7BF4AF98704F54855EF49A8B2A2DB70ED85CBA2

Function 0017698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001769BE
FindClose.KERNEL32(00000000), ref: 00176A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00176A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00176A75

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00176AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00176ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00176B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00176B32
%4d, xrefs: 00176BB1
%02d, xrefs: 00176C00, 00176C0A, 00176C5A, 00176CAA, 00176CFA, 00176D4A
%03d, xrefs: 00176DA2

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c43f2996ae7b6a174651b6183545a0451049478bfbbf6ebf25a1615b599b46b9
Instruction ID: ba3104b5e4c84c1e4f423ee1046a6bd15887e9445ceaf5714a091bc30b6b7ef3
Opcode Fuzzy Hash: c43f2996ae7b6a174651b6183545a0451049478bfbbf6ebf25a1615b599b46b9
Instruction Fuzzy Hash: 86D15F72508340AFC314EBA4C991EABB7ECAF98704F44491DF5C9D7191EB74EA44CBA2

Function 00179642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00179663
GetFileAttributesW.KERNEL32(?), ref: 001796A1
SetFileAttributesW.KERNEL32(?,?), ref: 001796BB
FindNextFileW.KERNEL32(00000000,?), ref: 001796D3
FindClose.KERNEL32(00000000), ref: 001796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0017974A
SetCurrentDirectoryW.KERNEL32(001C6B7C), ref: 00179768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00179772
FindClose.KERNEL32(00000000), ref: 0017977F
FindClose.KERNEL32(00000000), ref: 0017978F

Strings

*.*, xrefs: 001796F5

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 81e34561622e319812a4911f211d704db1f7745c9d2511d42d080a319b4d59e1
Instruction ID: 6c3b0d7f3c2d6e459732bf4cd09ca2a357003849ed5fd31251a93739e3162621
Opcode Fuzzy Hash: 81e34561622e319812a4911f211d704db1f7745c9d2511d42d080a319b4d59e1
Instruction Fuzzy Hash: 5131B532541219ABDF14EFB4EC49EDE77BCAF09320F148156F859E2190DB34DE888EA4

Function 0017979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 001797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00179819
FindClose.KERNEL32(00000000), ref: 00179824
FindFirstFileW.KERNEL32(*.*,?), ref: 00179840
SetCurrentDirectoryW.KERNEL32(?), ref: 00179890
SetCurrentDirectoryW.KERNEL32(001C6B7C), ref: 001798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001798B8
FindClose.KERNEL32(00000000), ref: 001798C5
FindClose.KERNEL32(00000000), ref: 001798D5

Part of subcall function 0016DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0016DB00

Strings

*.*, xrefs: 0017983B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 58331dc8dd1f5a90d95307458e1fe2e09eb678cf815aa695ac2507a97dac5cc1
Instruction ID: fd16f279f2082f4ff745f0c4a973f9fdfeb9a08dd966f52275c7e3ee9ecf85ff
Opcode Fuzzy Hash: 58331dc8dd1f5a90d95307458e1fe2e09eb678cf815aa695ac2507a97dac5cc1
Instruction Fuzzy Hash: 7231B23164165DAADF14EFB4EC48EDE77BDAF06320F148196E858A21D1DB30DE88CB61

Function 0018BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0018C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0018B6AE,?,?), ref: 0018C9B5
Part of subcall function 0018C998: _wcslen.LIBCMT ref: 0018C9F1
Part of subcall function 0018C998: _wcslen.LIBCMT ref: 0018CA68
Part of subcall function 0018C998: _wcslen.LIBCMT ref: 0018CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0018BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0018BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0018BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0018C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0018C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0018C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0018C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0018C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0018C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0018C382
RegCloseKey.ADVAPI32(00000000), ref: 0018C38F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 866ba39d26ccd48292095259d15d681bbb960f05ad2f805b0f95feb2a4b3168b
Instruction ID: 2cf18d29364806b6c500ece7e1d2ffc48a4aa64979223e6cf89ae2906374dcba
Opcode Fuzzy Hash: 866ba39d26ccd48292095259d15d681bbb960f05ad2f805b0f95feb2a4b3168b
Instruction Fuzzy Hash: D1023C716042009FD714DF28C895E2ABBE5BF49314F19849DF88ADB2A2D731ED46CFA1

Function 00178195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00178257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00178267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00178273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00178310
SetCurrentDirectoryW.KERNEL32(?), ref: 00178324
SetCurrentDirectoryW.KERNEL32(?), ref: 00178356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0017838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00178395

Strings

*.*, xrefs: 0017839B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 84a503b383a0a107f085b0c36c8a44748b725051ab50233c4d2502dec3884f71
Instruction ID: 81001bbc0d1d065eef1edf26359411588916a9facc207c896eda0a1543fbae96
Opcode Fuzzy Hash: 84a503b383a0a107f085b0c36c8a44748b725051ab50233c4d2502dec3884f71
Instruction Fuzzy Hash: 0B6158B25083059FCB10EF64D8849AEB3F8FF99314F04891EF99987251DB31E945CB92

Function 0016D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00103AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00103A97,?,?,00102E7F,?,?,?,00000000), ref: 00103AC2

Part of subcall function 0016E199: GetFileAttributesW.KERNEL32(?,0016CF95), ref: 0016E19A

FindFirstFileW.KERNEL32(?,?), ref: 0016D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0016D1DD
MoveFileW.KERNEL32(?,?), ref: 0016D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0016D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0016D237

Part of subcall function 0016D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0016D21C,?,?), ref: 0016D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0016D253
FindClose.KERNEL32(00000000), ref: 0016D264

Strings

\*.*, xrefs: 0016D0CD, 0016D0D6, 0016D0EB

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: ea0eb1857114b6a4c050c3e27eeb3afba2fb22920f7036896293299a86533c18
Instruction ID: 48ab0ed90a0648f0a25c95fba574e31a7bf95739249b7833d28489787ced9b86
Opcode Fuzzy Hash: ea0eb1857114b6a4c050c3e27eeb3afba2fb22920f7036896293299a86533c18
Instruction Fuzzy Hash: C8616D31D0110D9BCF05EBE0EEA29EEB7B9AF65300F608169E44277192EB705F19CB60

Function 0017ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0017ED91
EmptyClipboard.USER32 ref: 0017ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0017EDAC
CloseClipboard.USER32 ref: 0017EEA3

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: db4341fa038ad25a4c421d9edbaed8e58e1eea9d9d7d4e35a4ca559edc7f656b
Instruction ID: 01dd6cf26611038d330866aaf0604cc10be33674675336245c0c9e936cce453e
Opcode Fuzzy Hash: db4341fa038ad25a4c421d9edbaed8e58e1eea9d9d7d4e35a4ca559edc7f656b
Instruction Fuzzy Hash: A6419F35604611AFD720CF15E848B19BBF5EF48318F14C49AE4598BBA2CB75ED81CBD0

Function 0016E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0016170D
Part of subcall function 001616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0016173A
Part of subcall function 001616C3: GetLastError.KERNEL32 ref: 0016174A

ExitWindowsEx.USER32(?,00000000), ref: 0016E932

Strings

, xrefs: 0016E95C
@, xrefs: 0016E925
SeShutdownPrivilege, xrefs: 0016E902
, xrefs: 0016E920

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 067428a4bd830fb358bb668dab3361ab2fdce67e0095bcf56a938fdd06768448
Instruction ID: c87f67e6d93c3395fa080f7ad9eb573b539fb63f77e8812fdfecd49d254d994d
Opcode Fuzzy Hash: 067428a4bd830fb358bb668dab3361ab2fdce67e0095bcf56a938fdd06768448
Instruction Fuzzy Hash: 2E01D67A610221AFFB5866B49C86FBB73ACAF14758F194622F802E21D1D7A15CA085E0

Function 00181204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00181276
WSAGetLastError.WSOCK32 ref: 00181283
bind.WSOCK32(00000000,?,00000010), ref: 001812BA
WSAGetLastError.WSOCK32 ref: 001812C5
closesocket.WSOCK32(00000000), ref: 001812F4
listen.WSOCK32(00000000,00000005), ref: 00181303
WSAGetLastError.WSOCK32 ref: 0018130D
closesocket.WSOCK32(00000000), ref: 0018133C

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 6c1d809124e6c2bbb786c7aa43781917c4cb310fdde981d08a5ecd10b4e127bc
Instruction ID: 687abeb8a15ad6db9c0dd37b644ccdc6b1ae1a4a57d175053812319075b7a77e
Opcode Fuzzy Hash: 6c1d809124e6c2bbb786c7aa43781917c4cb310fdde981d08a5ecd10b4e127bc
Instruction Fuzzy Hash: C5418431600110AFD714EF64D484B69BBE6BF46318F288199E8569F2D6C771ED82CFE1

Function 0016D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00103AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00103A97,?,?,00102E7F,?,?,?,00000000), ref: 00103AC2

Part of subcall function 0016E199: GetFileAttributesW.KERNEL32(?,0016CF95), ref: 0016E19A

FindFirstFileW.KERNEL32(?,?), ref: 0016D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0016D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0016D481
FindClose.KERNEL32(00000000), ref: 0016D498
FindClose.KERNEL32(00000000), ref: 0016D4A1

Strings

\*.*, xrefs: 0016D3F2

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 52f4e503701834c0f2c1f8536f6567ad1f41b5ae359f9c5435e5ba73d48eada7
Instruction ID: 09756b88d58d363a2b37683980f29eaf4b37ee9eef4f8292b4cf23eac2117f9e
Opcode Fuzzy Hash: 52f4e503701834c0f2c1f8536f6567ad1f41b5ae359f9c5435e5ba73d48eada7
Instruction Fuzzy Hash: 24316B315083459BC304EF64D8929AFB7A8BEA5304F844A1EF4D192191EB70AA19CBA3

Function 0013E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0013E645

Strings

1#SNAN, xrefs: 0013F844
1#INF, xrefs: 0013F852
1#IND, xrefs: 0013F83D
1#QNAN, xrefs: 0013F84B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 085cb404040f873ad3ee90fa82cb98627480724cd818071f2411ee4f4c31ddd8
Instruction ID: 6a29637d330ed592110b9b532f2684da3d42ff82082816c919d63efb9cafd891
Opcode Fuzzy Hash: 085cb404040f873ad3ee90fa82cb98627480724cd818071f2411ee4f4c31ddd8
Instruction Fuzzy Hash: FAC22971E086288FDF29CE28DD407EAB7B5EB49305F1541EAD44DE7281E774AE868F40

Function 0017648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001764DC
CoInitialize.OLE32(00000000), ref: 00176639
CoCreateInstance.OLE32(0019FCF8,00000000,00000001,0019FB68,?), ref: 00176650
CoUninitialize.OLE32 ref: 001768D4

Strings

.lnk, xrefs: 001764BA, 00176524, 001765E0

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 94547864ade7ef78bb8120b73ab6e5b2050a537507cd0f65ed091eee6cc3b65a
Instruction ID: 5efc707a3c0656b0f533d428e13d2d6031190102751a4ed12e956e6bfe971b44
Opcode Fuzzy Hash: 94547864ade7ef78bb8120b73ab6e5b2050a537507cd0f65ed091eee6cc3b65a
Instruction Fuzzy Hash: F2D14971508701AFD304EF24C891A6BB7E8FFA9704F00896DF5998B291EB70E945CB92

Function 001822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001822E8

Part of subcall function 0017E4EC: GetWindowRect.USER32(?,?), ref: 0017E504

GetDesktopWindow.USER32 ref: 00182312
GetWindowRect.USER32(00000000), ref: 00182319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00182355
GetCursorPos.USER32(?), ref: 00182381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001823DF

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 5b642adf0308a7deef73eb6a7da6084584b81e6c24334d0f105d400047d2290e
Instruction ID: f566a115e1b90381464a7d279e43f4a1f2a6689423c8899d34b3b6e14bb954c8
Opcode Fuzzy Hash: 5b642adf0308a7deef73eb6a7da6084584b81e6c24334d0f105d400047d2290e
Instruction Fuzzy Hash: 7631B072504315AFD721EF54C845B9BB7E9FF88714F000A1AF98597191DB34EA48CBD2

Function 00179B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00179B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00179C8B

Part of subcall function 00173874: GetInputState.USER32 ref: 001738CB
Part of subcall function 00173874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00173966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00179BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00179C75

Strings

*.*, xrefs: 00179B5D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: bafe3bd562c0cdf4409fb4a5c7cb91723de2dfd1d7273cd7c9d4651bbda64dfc
Instruction ID: 7128f9153e5d426d87bd6e63854b3a796a3fa9139f325f0988c047729e06daaa
Opcode Fuzzy Hash: bafe3bd562c0cdf4409fb4a5c7cb91723de2dfd1d7273cd7c9d4651bbda64dfc
Instruction Fuzzy Hash: 3B41827194420AAFCF15DF64C985EEEBBB8FF15310F148156E459A7191EB309E88CFA0

Function 00108060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0010813C
VUUU, xrefs: 001083FA
VUUU, xrefs: 001083E8
5500609550060f550060f550060f550060f55006085500605550060c5500600550060755006045500600550060755006035500603550060c5500600550060e5500, xrefs: 0010839B, 001083A6
VUUU, xrefs: 00145DF0
VUUU, xrefs: 0010843C

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID: 5500609550060f550060f550060f550060f55006085500605550060c5500600550060755006045500600550060755006035500603550060c5500600550060e5500$ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1639000849
Opcode ID: 80c4729ff763807739494e1cc84da8a704b7646a62fc8f5968b37a62e3b73654
Instruction ID: aec7f28db27a4c7f96cd8753633d1bb969c79140fdf7393b615a93d80689b876
Opcode Fuzzy Hash: 80c4729ff763807739494e1cc84da8a704b7646a62fc8f5968b37a62e3b73654
Instruction Fuzzy Hash: E2A2B270E0461ACBDF28CF58C8407BDB7B2BF54314F2581AAE895AB295DBB09D81CF51

Function 0011997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00119BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00119BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00119A4E
GetSysColor.USER32(0000000F), ref: 00119B23
SetBkColor.GDI32(?,00000000), ref: 00119B36

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 2b693c21d5cf23d433c41276b1f06b2c64ceade2af1cfa16696b703fa2a0cbc4
Instruction ID: 4f05ad385968d8200aa4e8dc459dfb5a4c01fa804ee8fb76ce8e1004349c1fde
Opcode Fuzzy Hash: 2b693c21d5cf23d433c41276b1f06b2c64ceade2af1cfa16696b703fa2a0cbc4
Instruction Fuzzy Hash: 59A1F770209444FEE62D9A2CBC69DFF369DEF46341B160129F832CB9D1CB259D89C2B5

Function 00181806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0018304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0018307A
Part of subcall function 0018304E: _wcslen.LIBCMT ref: 0018309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0018185D
WSAGetLastError.WSOCK32 ref: 00181884
bind.WSOCK32(00000000,?,00000010), ref: 001818DB
WSAGetLastError.WSOCK32 ref: 001818E6
closesocket.WSOCK32(00000000), ref: 00181915

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: be8220700f2aee6246e5f4fb8c0b4554f1338ec7665fca970cc33f7c69f8fbd0
Instruction ID: ec39b8eb4a5d87e1b55bf4e9d3e5c42042e88df025ce004c9023987fc74e13ad
Opcode Fuzzy Hash: be8220700f2aee6246e5f4fb8c0b4554f1338ec7665fca970cc33f7c69f8fbd0
Instruction Fuzzy Hash: 2551B571A00200AFDB10AF24C886F6A77E5AB59718F04809CF9455F3D3C7B1AD828BE1

Function 00191C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00191CC0
IsWindowEnabled.USER32 ref: 00191CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00191CDB
IsIconic.USER32 ref: 00191CE9
IsZoomed.USER32 ref: 00191CF7

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 389d67d0b843cc02e3aae07042dacbcd18b57708ebddeab406d01e2ff3468071
Instruction ID: 1508e066ae0cbbdde403327bb67be5c9500fbd259de208f3bd9b7bb25debd681
Opcode Fuzzy Hash: 389d67d0b843cc02e3aae07042dacbcd18b57708ebddeab406d01e2ff3468071
Instruction Fuzzy Hash: 8821A7317402126FDB248F1AD844B6A7BE5FF95325F598059E886CB351CB71EC82CBD1

Function 0018A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0018A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0018A6BA

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

Process32NextW.KERNEL32(00000000,?), ref: 0018A79C
CloseHandle.KERNEL32(00000000), ref: 0018A7AB

Part of subcall function 0011CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00143303,?), ref: 0011CE8A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 712a957924a71bdb25634057f95134a9556170ef47bb012a23a8ba82f7c87ae9
Instruction ID: c8fb8bbd876490b3c5d14214996014c6cbb7ebf8ec4fc90b66c83c6f3999a636
Opcode Fuzzy Hash: 712a957924a71bdb25634057f95134a9556170ef47bb012a23a8ba82f7c87ae9
Instruction Fuzzy Hash: 0F516E715083019FD710EF24C886A6BBBE8FF99754F40892EF58597292EB70D944CF92

Function 0016AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0016AAAC
SetKeyboardState.USER32(00000080), ref: 0016AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0016AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0016AB88

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: eb2d5c91ef28f242c5eb4cfbb695725000059fb163cb21f81e4fe9c924d44c15
Instruction ID: 9511e8fffeffccd474cbfa65e15f8d48f3655f1d774618c53cd3c841dad54c11
Opcode Fuzzy Hash: eb2d5c91ef28f242c5eb4cfbb695725000059fb163cb21f81e4fe9c924d44c15
Instruction Fuzzy Hash: 28311630A40208AFFB35CA658C05BFE7BAAAF45310F84421BF4C1A61D1D3759DA1CBA2

Function 0013BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0013BB7F

Part of subcall function 001329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0013D7D1,00000000,00000000,00000000,00000000,?,0013D7F8,00000000,00000007,00000000,?,0013DBF5,00000000), ref: 001329DE
Part of subcall function 001329C8: GetLastError.KERNEL32(00000000,?,0013D7D1,00000000,00000000,00000000,00000000,?,0013D7F8,00000000,00000007,00000000,?,0013DBF5,00000000,00000000), ref: 001329F0

GetTimeZoneInformation.KERNEL32 ref: 0013BB91
WideCharToMultiByte.KERNEL32(00000000,?,001D121C,000000FF,?,0000003F,?,?), ref: 0013BC09
WideCharToMultiByte.KERNEL32(00000000,?,001D1270,000000FF,?,0000003F,?,?,?,001D121C,000000FF,?,0000003F,?,?), ref: 0013BC36

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: b9c32a145f68e780e028225c1c2e088c6d256f1d888b9593ca7da6cc42f8a4a3
Instruction ID: 1b9742998403274de28348d8fde748daa8be234d8839651b0b421f8ca203b8f0
Opcode Fuzzy Hash: b9c32a145f68e780e028225c1c2e088c6d256f1d888b9593ca7da6cc42f8a4a3
Instruction Fuzzy Hash: 9531B070909215FFCB15DF69DC80929BBB8FF55310B2442ABE164EB2A1EB319E80CB50

Function 0017CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0017CE89
GetLastError.KERNEL32(?,00000000), ref: 0017CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0017CEFE

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 8176388dbeeffca383048fc258a5409fa0be7443661b58afccd3366cda30b6eb
Instruction ID: 0d76519a1b4ee4322279ed0b4339fe80147f4801cff803b29e6b0bc13902c70a
Opcode Fuzzy Hash: 8176388dbeeffca383048fc258a5409fa0be7443661b58afccd3366cda30b6eb
Instruction Fuzzy Hash: B221ACB1500705AFEB30DFA5D948BA7BBFCEB50354F10841EE68AD2151EB70EE448BA4

Function 0016DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00145222), ref: 0016DBCE
GetFileAttributesW.KERNEL32(?), ref: 0016DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0016DBEE
FindClose.KERNEL32(00000000), ref: 0016DBFA

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 530ae762d145d4ec4536f345410071054ba5564230b0560aa6afc3aa4c135f49
Instruction ID: 152911e90ff3a75b867b8389db200b052a938ff2bbe25483cad5e5e16ab456e3
Opcode Fuzzy Hash: 530ae762d145d4ec4536f345410071054ba5564230b0560aa6afc3aa4c135f49
Instruction Fuzzy Hash: CAF0A03081091857C220AB78AC0D8AA376D9F02334B50470BF8B6C24E0EBB159E4C6D9

Function 00168298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001682AA

Strings

(, xrefs: 001682F0
|, xrefs: 001682DA

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: bdd4b9fa0c5abdc78b48c18d0736a0bc472a0a8d78e18b8fb7ef763f092bcdfe
Instruction ID: 16b8b9ff3feaf18dedf9aaefc749f0c08984798b58f2b034068dcd02b894679d
Opcode Fuzzy Hash: bdd4b9fa0c5abdc78b48c18d0736a0bc472a0a8d78e18b8fb7ef763f092bcdfe
Instruction Fuzzy Hash: C9323475A007059FCB28CF59C481AAAB7F0FF48710B15C56EE49ADB3A1EB70E991CB44

Function 00175C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00175CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00175D17
FindClose.KERNEL32(?), ref: 00175D5F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 833ea255be7f46898d3e158586bcb2052ed8001a80131561df854729bb20e136
Instruction ID: b179458eaf9141b92350e2008b7963f8f7f4899e78968be28ff7d1064183572f
Opcode Fuzzy Hash: 833ea255be7f46898d3e158586bcb2052ed8001a80131561df854729bb20e136
Instruction Fuzzy Hash: F8518874604A019FC718CF68C894A9AB7F5FF49314F14855EE99A8B3A2CB70ED44CB91

Function 00132622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0013271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00132724
UnhandledExceptionFilter.KERNEL32(?), ref: 00132731

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7f5c05ae4d18fca5df58d4c70166f26bcd8879ee6de10493eb5529ddfca58468
Instruction ID: ae8c31fc8e6e0092371a5e20bc37d398236b22d53f4b3049a120f7cf3084f99d
Opcode Fuzzy Hash: 7f5c05ae4d18fca5df58d4c70166f26bcd8879ee6de10493eb5529ddfca58468
Instruction Fuzzy Hash: E731B774911228ABCB21DF64DC8979DB7B8BF18310F5042DAE41CA7261E7309F918F85

Function 001751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00175238
SetErrorMode.KERNEL32(00000000), ref: 001752A1

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 44a768e29505a542bb34c9dbaafcb2499e89098d5ccdc5b39f76b8ba08ecb8ec
Instruction ID: 177e272870d827f58fe90583c3a638a38401dfdb984ca6a8407786883890257e
Opcode Fuzzy Hash: 44a768e29505a542bb34c9dbaafcb2499e89098d5ccdc5b39f76b8ba08ecb8ec
Instruction Fuzzy Hash: 97316F75A00518DFDB00DF54D884EADBBF5FF49314F088099E849AB3A2DB71E856CBA1

Function 001616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0011FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00120668
Part of subcall function 0011FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00120685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0016170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0016173A
GetLastError.KERNEL32 ref: 0016174A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: cecb92bfa263b1bc20e61ed67d096c546f1aea73bdc5968758d542a2bf8517ac
Instruction ID: 3eb0769bf0f814f87a6bf6f7981905df39b64331503b356b4b4ecffc0dc3ccea
Opcode Fuzzy Hash: cecb92bfa263b1bc20e61ed67d096c546f1aea73bdc5968758d542a2bf8517ac
Instruction Fuzzy Hash: 2D1191B2404304BFD7189F54EC86DABB7B9EB44714B24852EF05657681EB70BC918B60

Function 0016D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0016D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0016D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0016D650

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: be9b06fe2632fc14b444a0bcadc3766a8ff2d33da919ee5a1c3b637c8f68f1e1
Instruction ID: e2ecfc9e10236235229f0058f0e5181d9757a6484f4e749c34f130dacce32dbf
Opcode Fuzzy Hash: be9b06fe2632fc14b444a0bcadc3766a8ff2d33da919ee5a1c3b637c8f68f1e1
Instruction Fuzzy Hash: A2115E75E05228BFDB108F95EC45FAFBBBCEB45B50F108126F904E7290D6704A058BE1

Function 00161663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0016168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001616A1
FreeSid.ADVAPI32(?), ref: 001616B1

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 131e2999524496d3e71ed990739df34316ede5559b9f0504a147e80d40c57710
Instruction ID: 287ac5c6f7dc524abf62e285b0bf34f5642969dff04c0b1b51d18573118e9d0b
Opcode Fuzzy Hash: 131e2999524496d3e71ed990739df34316ede5559b9f0504a147e80d40c57710
Instruction Fuzzy Hash: 2CF04475940308FBDB00CFE0CC89AAEBBBCFB08200F544561E500E2180E370AA448A90

Function 00124CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001328E9,?,00124CBE,001328E9,001C88B8,0000000C,00124E15,001328E9,00000002,00000000,?,001328E9), ref: 00124D09
TerminateProcess.KERNEL32(00000000,?,00124CBE,001328E9,001C88B8,0000000C,00124E15,001328E9,00000002,00000000,?,001328E9), ref: 00124D10
ExitProcess.KERNEL32 ref: 00124D22

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 18de76cec3233fe3a92a628c639b171ab879ecb5e52f49d48668b3daf794671e
Instruction ID: 28e6a534d569c3258176014ae4a279e1e9f85ae95a846f925001a6bdd4596f6c
Opcode Fuzzy Hash: 18de76cec3233fe3a92a628c639b171ab879ecb5e52f49d48668b3daf794671e
Instruction Fuzzy Hash: 60E0B631000158AFCF11AF94EE0AA583B69FB61B81F104015FC598B522CB35EE92CA94

Function 0015D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0015D28C

Strings

X64, xrefs: 0015D2A8

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: ae0babaf3a45fb458e857d21e8db98a380a9e794804fad50a2bf4280c9b3a1ec
Instruction ID: 76fce8d57b79dffb0e5e013846fcbd6071e4a2bc883acaa9a8d1ec72817f7c7a
Opcode Fuzzy Hash: ae0babaf3a45fb458e857d21e8db98a380a9e794804fad50a2bf4280c9b3a1ec
Instruction Fuzzy Hash: AED0C9B480511DEECB98CB90EC88DDEB37CBB04305F100152F506A2000DB7095888F20

Function 0012CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: bc9b57154066d469edf54d2542ddf532e7632610d734908f198d9d5f84021729
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: C5022C71E002299FDF14CFA9D9806ADFBF1EF98314F25816AD919E7384D731AA518BC0

Function 001768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00176918
FindClose.KERNEL32(00000000), ref: 00176961

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9b03b5de66e2af315378c9f88b73d2fb4d9b75322ef0a5ab4ecea9004def9a6a
Instruction ID: 98f2d77a0c58aecc032aea8578ab666d607bd6edc822c556b322a0efe6abcf77
Opcode Fuzzy Hash: 9b03b5de66e2af315378c9f88b73d2fb4d9b75322ef0a5ab4ecea9004def9a6a
Instruction Fuzzy Hash: 061190716046019FC710DF29D884A16BBE5FF85328F14C699E5A98F6A2CB70EC45CBD1

Function 001737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00184891,?,?,00000035,?), ref: 001737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00184891,?,?,00000035,?), ref: 001737F4

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 81a24b2426bb6307767cc1dbdc719f5ae080b617a60feb3331ec55ff95ddaafe
Instruction ID: 0060d9ccf264bb63530e8c4840cd5237a7ecc117430f1816df80524f28e35eca
Opcode Fuzzy Hash: 81a24b2426bb6307767cc1dbdc719f5ae080b617a60feb3331ec55ff95ddaafe
Instruction Fuzzy Hash: 75F0E5B16042282AEB2017668C4DFEB3BAEEFC8761F000165F509D2291DA609944C6F0

Function 0016B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0016B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0016B270

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 151914ec75855562b5b2c234fd40b4d85303efc2333fc4806824e41b77f1d846
Instruction ID: 3c7713b486a746181950cdb3e57bceff22cfe2c796637ce55a11b2c9c17e02f3
Opcode Fuzzy Hash: 151914ec75855562b5b2c234fd40b4d85303efc2333fc4806824e41b77f1d846
Instruction Fuzzy Hash: 3EF01D7190428EABDB059FA0C845BBE7BB4FF04305F00801AF955A5192D37996519F94

Function 001610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001611FC), ref: 001610D4
CloseHandle.KERNEL32(?,?,001611FC), ref: 001610E9

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1471f535abaf3ee7446ef92f8ac3357ad0b35e5f0a71af96673bd6f0f4d93efa
Instruction ID: 301134cb949b5f5c8c582f39298fc0edceb6a9c1b4a07b847433fdfe750f45d2
Opcode Fuzzy Hash: 1471f535abaf3ee7446ef92f8ac3357ad0b35e5f0a71af96673bd6f0f4d93efa
Instruction Fuzzy Hash: 4AE0BF72018610AEEB252B51FC05EB777A9EB04310F14882EF5A5804B1DB626CE1DB50

Function 0010CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00150C40

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: d407be6b4ae48ed679004eb9b597ccbd97b977c3375ce801ab0b750fafb64d21
Instruction ID: 0490b9db492e5694e0433fd1b985bf0d11e79d434acceee21ae61ba26422bc97
Opcode Fuzzy Hash: d407be6b4ae48ed679004eb9b597ccbd97b977c3375ce801ab0b750fafb64d21
Instruction Fuzzy Hash: 5832BF70900219DBDF18DF94C981AEDB7B5FF19304F204169E856AB2C1DBB1AE49CF91

Function 0013676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00136766,?,?,00000008,?,?,0013FEFE,00000000), ref: 00136998

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3e9f9f136e6e4d8f354f4e8877bdc28e938d6c8d21eefddea66c6a59d144be03
Instruction ID: 9366073d36219d94b9639bf9f9545c35946a30bf27a53aaec4a22727106f0520
Opcode Fuzzy Hash: 3e9f9f136e6e4d8f354f4e8877bdc28e938d6c8d21eefddea66c6a59d144be03
Instruction Fuzzy Hash: C7B13C71510608EFDB19CF28C48AB657BE0FF49368F25C698E899CF2A2C735D991CB40

Function 0011B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0015851F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4dd97957b0f65c506a22f38af7394fbccd31f6a06651002d38ba683550e66b9f
Instruction ID: 335c596b0ca257e083a558a455ada2b6fadce90fa6a84d0b0be23934d5d44d97
Opcode Fuzzy Hash: 4dd97957b0f65c506a22f38af7394fbccd31f6a06651002d38ba683550e66b9f
Instruction Fuzzy Hash: D4126F71904229DFDB18CF58C8806EEB7F5FF48710F1581AAE859EB255EB309A85CB90

Function 0017EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0017EABD

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d799280065d6d6b6d1978360f55fcf4e58d4699d138473baa1006ea2eaeddd5e
Instruction ID: 0eff16ea5765b2270fa6e2b2541b2e710fcc436e1967ed505f6283ac748139aa
Opcode Fuzzy Hash: d799280065d6d6b6d1978360f55fcf4e58d4699d138473baa1006ea2eaeddd5e
Instruction Fuzzy Hash: E0E01A312002049FC710EF59E844E9AB7E9AFAC760F008456FC89C7391DBB0A8408B91

Function 001209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001203EE), ref: 001209DA

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 84d36fb303a74fa0c6f318ee562e40639dcf59ba37471b7e37cd8bd0b3ac980a
Instruction ID: f1c24904ebf8bac09b1c236717094e959c664828d5d86104ad3817fcb5cc9857
Opcode Fuzzy Hash: 84d36fb303a74fa0c6f318ee562e40639dcf59ba37471b7e37cd8bd0b3ac980a
Instruction Fuzzy Hash:

Function 0012781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0012798B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e3b0ead2b33044d51f1931d69c4ef5912520dec40ded3185af04f11fd975167d
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 5951747160C7359BDF3C8538B85ABBF63899B22314F180509E982D72C2CB11EEB1D352

Function 00136DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00e4f61e9f7d8e5ad635cbaaaf80e672879c74d595ba664fb2f28006828be0f
Instruction ID: 164b574fe43a26833b18f15c7f4e9ffe1a5cfcdaa37402a334125180e750db10
Opcode Fuzzy Hash: f00e4f61e9f7d8e5ad635cbaaaf80e672879c74d595ba664fb2f28006828be0f
Instruction Fuzzy Hash: 44322262D29F014DD7279638CC22336A689AFB73C5F15D737E81AB5DAAEB29C4C34100

Function 0011CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb86e00987ba2d31398262a97f3254e705deb460d679249f8bd2e973ada8e29
Instruction ID: cd027de2f68fc452e601f89cbd5d4e910cc82cb0ad3f05d70058443aa25e74cd
Opcode Fuzzy Hash: 1eb86e00987ba2d31398262a97f3254e705deb460d679249f8bd2e973ada8e29
Instruction Fuzzy Hash: 1932F231A00315CFCF2CCE68C4946BD7BA1EB85316F29816ADC699F691E330DD89DAC1

Function 00107920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6c5035f7e48313d27cee9f8603a462855e2cfa8e85ceac8a733126dbea89b6
Instruction ID: 9adbbcc4d2e8751ad7ea21bdbf1c1297c9c45a8bd5f26d0b427b0c43d0ceab32
Opcode Fuzzy Hash: 8b6c5035f7e48313d27cee9f8603a462855e2cfa8e85ceac8a733126dbea89b6
Instruction Fuzzy Hash: BB22B070E04609DFDF14CF64D881AAEB7B2FF58300F144629E856AB2E2EB75AD51CB50

Function 001091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e074fd4e22685685e4f135573e07b82af62923d0b7d5f2420e4a9f1c65cf2d03
Instruction ID: 59961a8fdba6252fc77dbe005b5346ee91ce11ff74b3c7b2472fdedd8e22b567
Opcode Fuzzy Hash: e074fd4e22685685e4f135573e07b82af62923d0b7d5f2420e4a9f1c65cf2d03
Instruction Fuzzy Hash: 3202A5B0E00205EFDF04DF64D891AAEB7F5FF54300F218169E8569B291EB71EA61CB91

Function 00139EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b2e213639a351a19d338620a4e55cb0c52dcbdfdd8b2b2ba1879df1f2cd542
Instruction ID: 8bf7860fba1ff15c65319d05109f83ea0c51e530f759c8d23c28bda0a1426546
Opcode Fuzzy Hash: 60b2e213639a351a19d338620a4e55cb0c52dcbdfdd8b2b2ba1879df1f2cd542
Instruction Fuzzy Hash: 7FB1DF20E2AF414DD62396398831336B65CBFBB6D5F91D71BFC6674D22EB2286C34140

Function 00121C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 8effa9b054f5ba59c7d15d1bd81f831ef88421c3ffcd319021370d4f08bc90b8
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 3B9176735080B35ADB2EC67AA53407EFFE15A623A131A079DD4F2CA1C5FF249974D620

Function 00121F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: e49ae41259638469567773c6cdea2f98d70c636f6c5d6bdbb88df06b924d7b0b
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 4A9145732090B35ADB6D8239957443EFFE15A923A131A079DE4F2CA1D5EF348978D620

Function 001219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9566cabafaaf2e7ac2bc6296b473f64c247d49382d035ca4d1f901852b684d60
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 1B9110722090F35EDB2D867AA57407DFEF15AA23A131A07AED4F2CB1C5FF2485749620

Function 00127A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de71abf10b719910b426d0a2f6427cf94d3920d9b68c09ddd30239da619e214
Instruction ID: 6d1df2295fc8bb4a4aecf1e419e5cfe766c00dcb0e84f30a24f0073b78c83b55
Opcode Fuzzy Hash: 1de71abf10b719910b426d0a2f6427cf94d3920d9b68c09ddd30239da619e214
Instruction Fuzzy Hash: 1E61487160873A9ADF38AA28BC96BBF2394DF51710F18091EE842DB2C1DB119E72C755

Function 00127CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b054c1352361d37842317ef2d938e7d7d779bab3c52a859a42ad211c08c1bec7
Instruction ID: bb4a71f59cdb5ee452a36091b89247aa5027e1b3d7bfd000b46baff1e1e282c0
Opcode Fuzzy Hash: b054c1352361d37842317ef2d938e7d7d779bab3c52a859a42ad211c08c1bec7
Instruction Fuzzy Hash: 2E61893520873D57DE3D5AA87851BBF2384EF52740F110959E842DB2C1DB12ED728366

Function 00121706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 52d7cf6eb2f95cc75c932fbed98c190458b7ce2d36dc7704ffed05750a3ea4db
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: CE8174736080B35ADF2DC23AA57403EFFE15AA23A531A079DD4F2CA1C1EF248574E620

Function 01A29DE0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683947429.0000000001A26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a26000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 251813e31fbc3b88d891bda5132472b8e97aac6f6b9b720bf2b8e4e1ab78a8be
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: AB41D3B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40

Function 00172046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4881f072613ad1c0efd204aa5ff2cdc5513157f84c40ae043fc4a226a0e078a0
Instruction ID: 8cedf51d203c6e54c1e854de30e8a15996cdd0fe193822178c0a13379f4d6fde
Opcode Fuzzy Hash: 4881f072613ad1c0efd204aa5ff2cdc5513157f84c40ae043fc4a226a0e078a0
Instruction Fuzzy Hash: 6221A8326216118BD728CF79C81267E73E5A764310F198A2EE4A7C37D0DE35A944C790

Function 01A29C70 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683947429.0000000001A26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a26000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 5eb393703fa7f9eb2e42fae24ff514856f5655b24ed5c9a2e41ec0a4d0ff7d2b
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: D6019278A00119EFCB44DF99C6909AEF7F5FB48714F208599D909A7301D730AE41DB80

Function 01A29CD0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683947429.0000000001A26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a26000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 7dc6f31fb2fb3ebe5ac9b7fbd5f5000faa3acd500114348b981569edb0e70bf7
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 2C019278A00119EFCB44DF99C5909AEF7F5FF48714F608599D809A7301E730AE41DB80

Function 01A285F0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683947429.0000000001A26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a26000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00182ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00182B30
DeleteObject.GDI32(00000000), ref: 00182B43
DestroyWindow.USER32 ref: 00182B52
GetDesktopWindow.USER32 ref: 00182B6D
GetWindowRect.USER32(00000000), ref: 00182B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00182CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00182CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00182CF8
GetClientRect.USER32(00000000,?), ref: 00182D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00182D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00182D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00182D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00182D80
GlobalLock.KERNEL32(00000000), ref: 00182D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00182D98
GlobalUnlock.KERNEL32(00000000), ref: 00182DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00182DA8
GlobalFree.KERNEL32(00000000), ref: 00182DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00182DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0019FC38,00000000), ref: 00182DDB
GlobalFree.KERNEL32(00000000), ref: 00182DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00182E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00182E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00182E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0018303F

Strings

DISPLAY, xrefs: 00182EA2
AutoIt v3, xrefs: 00182CF2
static, xrefs: 00182D3A, 00182E91
, xrefs: 00182FC5

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 7a7c92ad98d2476964ea0d93a1b927eb5047856dd3c232277661682f23444453
Instruction ID: 6b001f396553970518e20ac4e81bb2ae9b31e55d6890b910e8c9525fe2eb6f92
Opcode Fuzzy Hash: 7a7c92ad98d2476964ea0d93a1b927eb5047856dd3c232277661682f23444453
Instruction Fuzzy Hash: E0026971900204AFDB14DFA4DC89EAE7BB9FF48714F048159F955AB2A1CB74AE41CFA0

Function 001970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0019712F
GetSysColorBrush.USER32(0000000F), ref: 00197160
GetSysColor.USER32(0000000F), ref: 0019716C
SetBkColor.GDI32(?,000000FF), ref: 00197186
SelectObject.GDI32(?,?), ref: 00197195
InflateRect.USER32(?,000000FF,000000FF), ref: 001971C0
GetSysColor.USER32(00000010), ref: 001971C8
CreateSolidBrush.GDI32(00000000), ref: 001971CF
FrameRect.USER32(?,?,00000000), ref: 001971DE
DeleteObject.GDI32(00000000), ref: 001971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00197230
FillRect.USER32(?,?,?), ref: 00197262
GetWindowLongW.USER32(?,000000F0), ref: 00197284

Part of subcall function 001973E8: GetSysColor.USER32(00000012), ref: 00197421
Part of subcall function 001973E8: SetTextColor.GDI32(?,?), ref: 00197425
Part of subcall function 001973E8: GetSysColorBrush.USER32(0000000F), ref: 0019743B
Part of subcall function 001973E8: GetSysColor.USER32(0000000F), ref: 00197446
Part of subcall function 001973E8: GetSysColor.USER32(00000011), ref: 00197463
Part of subcall function 001973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00197471
Part of subcall function 001973E8: SelectObject.GDI32(?,00000000), ref: 00197482
Part of subcall function 001973E8: SetBkColor.GDI32(?,00000000), ref: 0019748B
Part of subcall function 001973E8: SelectObject.GDI32(?,?), ref: 00197498
Part of subcall function 001973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001974B7
Part of subcall function 001973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001974CE
Part of subcall function 001973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001974DB

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: d55e51bec00980297212a65a20c015422f88fa83642b47c5762e2a29e73ba0b8
Instruction ID: 7d78d7cbfa8c7237bc78e10bf398ad4fa1274beb07054241d6e7c82761b702d9
Opcode Fuzzy Hash: d55e51bec00980297212a65a20c015422f88fa83642b47c5762e2a29e73ba0b8
Instruction Fuzzy Hash: 10A1B572118301FFDB019F60DC48E5B7BA9FF89320F140A2AF9A2961E1D771E984CB91

Function 00118D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00118E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00156AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00156AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00156F43

Part of subcall function 00118F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00118BE8,?,00000000,?,?,?,?,00118BBA,00000000,?), ref: 00118FC5

SendMessageW.USER32(?,00001053), ref: 00156F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00156F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00156FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00156FB7

Strings

0, xrefs: 00156DCF

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 9365d310c40e6c42192536e2518055178293c6fc73c7d64aaa5589e91d67e06c
Instruction ID: f3b1fa8ce760101137850b29b18cec9e8ffd16f4780ac5aa9fdbeb0ce6ce975c
Opcode Fuzzy Hash: 9365d310c40e6c42192536e2518055178293c6fc73c7d64aaa5589e91d67e06c
Instruction Fuzzy Hash: 0B12BF30602201EFDB29CF14D894BE5B7F1FB45306F94846AF8A58B661CB31EC95DB91

Function 00182711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0018273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0018286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00182900
GetClientRect.USER32(00000000,?), ref: 0018290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00182955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00182964
GetStockObject.GDI32(00000011), ref: 00182974
SelectObject.GDI32(00000000,00000000), ref: 00182978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00182988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00182991
DeleteDC.GDI32(00000000), ref: 0018299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00182A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00182A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00182A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00182A77
GetStockObject.GDI32(00000011), ref: 00182A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00182A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00182A97

Strings

DISPLAY, xrefs: 0018295A
AutoIt v3, xrefs: 001828F8
static, xrefs: 0018294F, 00182A71
msctls_progress32, xrefs: 00182A13

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e550c9e5683471e664002583a9b25769c77e9edf163c8bc82a02b8b15f0ed665
Instruction ID: f0b9c971b35b2d1dbad6f3d91e93b0685acf232325dbf7538047bb5854207c88
Opcode Fuzzy Hash: e550c9e5683471e664002583a9b25769c77e9edf163c8bc82a02b8b15f0ed665
Instruction Fuzzy Hash: 67B14971A01215BFEB14DFA8DC8AEAE7BA9FB08710F008115F955EB6D0D774AD40CBA4

Function 00174ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00174AED
GetDriveTypeW.KERNEL32(?,0019CB68,?,\\.\,0019CC08), ref: 00174BCA
SetErrorMode.KERNEL32(00000000,0019CB68,?,\\.\,0019CC08), ref: 00174D36

Strings

Fibre, xrefs: 00174CAD
RAMDisk, xrefs: 00174BF4
SSA, xrefs: 00174CA6
MMC, xrefs: 00174CDE
SSD, xrefs: 00174C4A
Unknown, xrefs: 00174BED, 00174C83
Fixed, xrefs: 00174C09
\\.\, xrefs: 00174B3F
SAS, xrefs: 00174CC9
Network, xrefs: 00174C02
ATA, xrefs: 00174C98
RAID, xrefs: 00174CBB
iSCSI, xrefs: 00174CC2
FileBackedVirtual, xrefs: 00174CEC
Removable, xrefs: 00174C10, 00174C15
CDROM, xrefs: 00174BFB
SATA, xrefs: 00174CD0
Virtual, xrefs: 00174CE5
ATAPI, xrefs: 00174C91
PhysicalDrive, xrefs: 00174B76
1394, xrefs: 00174C9F
SCSI, xrefs: 00174C8A
USB, xrefs: 00174CB4

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 22ff2f0adaa74ec0a856ab73c98e012dede072f4920ec84b764454e0db977c58
Instruction ID: d8040ef51a2e031d9488ba81c08a8c7ef3c0e6895bb2e1f48df5c909f42d5419
Opcode Fuzzy Hash: 22ff2f0adaa74ec0a856ab73c98e012dede072f4920ec84b764454e0db977c58
Instruction Fuzzy Hash: A161BF31605205DBCB19DF68CA82E7977B0AF24340B25C01AF88EAB692DB75ED41DB81

Function 001973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00197421
SetTextColor.GDI32(?,?), ref: 00197425
GetSysColorBrush.USER32(0000000F), ref: 0019743B
GetSysColor.USER32(0000000F), ref: 00197446
CreateSolidBrush.GDI32(?), ref: 0019744B
GetSysColor.USER32(00000011), ref: 00197463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00197471
SelectObject.GDI32(?,00000000), ref: 00197482
SetBkColor.GDI32(?,00000000), ref: 0019748B
SelectObject.GDI32(?,?), ref: 00197498
InflateRect.USER32(?,000000FF,000000FF), ref: 001974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0019752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00197554
InflateRect.USER32(?,000000FD,000000FD), ref: 00197572
DrawFocusRect.USER32(?,?), ref: 0019757D
GetSysColor.USER32(00000011), ref: 0019758E
SetTextColor.GDI32(?,00000000), ref: 00197596
DrawTextW.USER32(?,001970F5,000000FF,?,00000000), ref: 001975A8
SelectObject.GDI32(?,?), ref: 001975BF
DeleteObject.GDI32(?), ref: 001975CA
SelectObject.GDI32(?,?), ref: 001975D0
DeleteObject.GDI32(?), ref: 001975D5
SetTextColor.GDI32(?,?), ref: 001975DB
SetBkColor.GDI32(?,?), ref: 001975E5

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: fdcc1dc658ff1af7f0d633780df20703fc19eaef19a04cf40b0eff9b0bc96aa3
Instruction ID: fcfdc4d9bd7cbd7dc815ad56af0b333155ad65f5d1551baed7ba15502e4d879d
Opcode Fuzzy Hash: fdcc1dc658ff1af7f0d633780df20703fc19eaef19a04cf40b0eff9b0bc96aa3
Instruction Fuzzy Hash: 30613C72904218AFEF019FA4DC49AEE7FB9EF09320F114126F915AB2A1D7759980CB90

Function 00190FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00191128
GetDesktopWindow.USER32 ref: 0019113D
GetWindowRect.USER32(00000000), ref: 00191144
GetWindowLongW.USER32(?,000000F0), ref: 00191199
DestroyWindow.USER32(?), ref: 001911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0019120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0019121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00191232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00191245
IsWindowVisible.USER32(00000000), ref: 001912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001912D0
GetWindowRect.USER32(00000000,?), ref: 001912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0019130E
GetMonitorInfoW.USER32(00000000,?), ref: 00191328
CopyRect.USER32(?,?), ref: 0019133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001913AA

Strings

0, xrefs: 001910D3
tooltips_class32, xrefs: 001911E6
(, xrefs: 0019131B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a71884e2b9127cc8c4e653657f7e83e3cb8b426f8ab798b6c8f068ff261d85e4
Instruction ID: 58965dbfd88043579dc74bef5950121741afacfbea274dd56bdcf33d52147228
Opcode Fuzzy Hash: a71884e2b9127cc8c4e653657f7e83e3cb8b426f8ab798b6c8f068ff261d85e4
Instruction Fuzzy Hash: B4B17F71608341AFDB14DF64C885B6ABBE4FF98354F00891DF9999B2A1CB71EC84CB91

Function 00118891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00118968
GetSystemMetrics.USER32(00000007), ref: 00118970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0011899B
GetSystemMetrics.USER32(00000008), ref: 001189A3
GetSystemMetrics.USER32(00000004), ref: 001189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00118A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00118A3C
GetClientRect.USER32(00000000,000000FF), ref: 00118A5A
GetStockObject.GDI32(00000011), ref: 00118A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00118A81

Part of subcall function 0011912D: GetCursorPos.USER32(?), ref: 00119141
Part of subcall function 0011912D: ScreenToClient.USER32(00000000,?), ref: 0011915E
Part of subcall function 0011912D: GetAsyncKeyState.USER32(00000001), ref: 00119183
Part of subcall function 0011912D: GetAsyncKeyState.USER32(00000002), ref: 0011919D

SetTimer.USER32(00000000,00000000,00000028,001190FC), ref: 00118AA8

Strings

AutoIt v3 GUI, xrefs: 00118A20

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 0bc65db99ce51eba8269db696d8c2272bea3eba2115207ef4a2a9f85e2bc4c58
Instruction ID: a93d8fd0b474daa1f8d728a4eb40a17a0d820c5544308cbc4f7387c0ec3872c3
Opcode Fuzzy Hash: 0bc65db99ce51eba8269db696d8c2272bea3eba2115207ef4a2a9f85e2bc4c58
Instruction Fuzzy Hash: CEB17371600209EFDB18DFA8DD55BEE77B5FB48315F11422AFA159B290DB309881CB91

Function 00160D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00161114
Part of subcall function 001610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00160B9B,?,?,?), ref: 00161120
Part of subcall function 001610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00160B9B,?,?,?), ref: 0016112F
Part of subcall function 001610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00160B9B,?,?,?), ref: 00161136
Part of subcall function 001610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0016114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00160DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00160E29
GetLengthSid.ADVAPI32(?), ref: 00160E40
GetAce.ADVAPI32(?,00000000,?), ref: 00160E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00160E96
GetLengthSid.ADVAPI32(?), ref: 00160EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00160EB5
HeapAlloc.KERNEL32(00000000), ref: 00160EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00160EDD
CopySid.ADVAPI32(00000000), ref: 00160EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00160F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00160F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00160F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00160F6E
HeapFree.KERNEL32(00000000), ref: 00160F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00160F7E
HeapFree.KERNEL32(00000000), ref: 00160F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00160F8E
HeapFree.KERNEL32(00000000), ref: 00160F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00160FA1
HeapFree.KERNEL32(00000000), ref: 00160FA8

Part of subcall function 00161193: GetProcessHeap.KERNEL32(00000008,00160BB1,?,00000000,?,00160BB1,?), ref: 001611A1
Part of subcall function 00161193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00160BB1,?), ref: 001611A8
Part of subcall function 00161193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00160BB1,?), ref: 001611B7

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 813d54520000fd6fa5d106fbe03a75691f9143ea62dbe41c7734a5991f706249
Instruction ID: 85c47257a9d20341e6010c11f09c407d36414cc1fd4845179aebb8b69a0441ff
Opcode Fuzzy Hash: 813d54520000fd6fa5d106fbe03a75691f9143ea62dbe41c7734a5991f706249
Instruction Fuzzy Hash: 0F716B7290021AEBDF22DFA4DC44FAFBBB8BF19300F044165F959E6191D7319A55CBA0

Function 0018C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0018C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0019CC08,00000000,?,00000000,?,?), ref: 0018C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0018C5A4
_wcslen.LIBCMT ref: 0018C5F4
_wcslen.LIBCMT ref: 0018C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0018C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0018C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0018C84D
RegCloseKey.ADVAPI32(?), ref: 0018C881
RegCloseKey.ADVAPI32(00000000), ref: 0018C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0018C960

Strings

REG_BINARY, xrefs: 0018C913
REG_MULTI_SZ, xrefs: 0018C6F5
REG_SZ, xrefs: 0018C644
REG_DWORD, xrefs: 0018C804
REG_QWORD, xrefs: 0018C8C3
REG_EXPAND_SZ, xrefs: 0018C5CD

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: c49829173fe93c6845c1970f725d8623261469735235419a01033be2a5483cc0
Instruction ID: 5c314722d5f3f0b2831bae5910e26783737f81b284c8bc243f492f1e598aa9f9
Opcode Fuzzy Hash: c49829173fe93c6845c1970f725d8623261469735235419a01033be2a5483cc0
Instruction Fuzzy Hash: 781255356042019FDB14EF24D891A6AB7E5EF88714F04889DF88A9B3A2DB71FD41CF91

Function 0019091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001909C6
_wcslen.LIBCMT ref: 00190A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00190A54
_wcslen.LIBCMT ref: 00190A8A
_wcslen.LIBCMT ref: 00190B06
_wcslen.LIBCMT ref: 00190B81

Part of subcall function 0011F9F2: _wcslen.LIBCMT ref: 0011F9FD

Part of subcall function 00162BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00162BFA

Strings

ISCHECKED, xrefs: 00190CE1
GETITEMCOUNT, xrefs: 00190C1E
GETSELECTED, xrefs: 00190C4E
CHECK, xrefs: 00190A85, 00190AA0
GETTOTALCOUNT, xrefs: 001909F2, 00190A17
EXPAND, xrefs: 00190BF8
COLLAPSE, xrefs: 00190B01, 00190B1C
UNCHECK, xrefs: 00190D3E
EXISTS, xrefs: 00190B7C, 00190B97
SELECT, xrefs: 00190D11
GETTEXT, xrefs: 00190C97

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 3983ee3d32340e3cfb1d91a86bd4cb26c1040ce8721f34e1d74d95772bae45a5
Instruction ID: 6ee12e06f76251f5fc1e664e951493492da4f3e1a0cf9ad9365f0bd3b6035368
Opcode Fuzzy Hash: 3983ee3d32340e3cfb1d91a86bd4cb26c1040ce8721f34e1d74d95772bae45a5
Instruction Fuzzy Hash: F1E1C0352087018FCB15DF24C45096AB7E1FFA8318F15895CF896AB3A2DB71ED85CB82

Function 0018C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0018B6AE,?,?), ref: 0018C9B5
_wcslen.LIBCMT ref: 0018C9F1
_wcslen.LIBCMT ref: 0018CA68
_wcslen.LIBCMT ref: 0018CA9E
_wcslen.LIBCMT ref: 0018CAF9
_wcslen.LIBCMT ref: 0018CB2F
_wcslen.LIBCMT ref: 0018CB7F

Strings

HKEY_CURRENT_USER, xrefs: 0018CBBD
HKEY_LOCAL_MACHINE, xrefs: 0018CA62, 0018CA67
HKU, xrefs: 0018CBF0
HKEY_CLASSES_ROOT, xrefs: 0018CAF3, 0018CAF8
HKEY_CURRENT_CONFIG, xrefs: 0018CB79, 0018CB7E
HKCU, xrefs: 0018CBCE
HKEY_USERS, xrefs: 0018CBDF
HKCR, xrefs: 0018CB29, 0018CB2E
HKCC, xrefs: 0018CBAC
HKLM, xrefs: 0018CA98, 0018CA9D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: b3b10b9b6fb4a722a207061ac6870ea6fe68c326b14e5a1b0a83f1aefb41f1d6
Instruction ID: d81646b8b846b09cd3e1e7efe89e41ec5984e59464fb95e6f683e2f989d4df9b
Opcode Fuzzy Hash: b3b10b9b6fb4a722a207061ac6870ea6fe68c326b14e5a1b0a83f1aefb41f1d6
Instruction Fuzzy Hash: 6171F73260052A8BCB14FE7CD951ABB3391ABB0794B150529F866A7284F771CF85CBF0

Function 0019833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0019835A
_wcslen.LIBCMT ref: 0019836E
_wcslen.LIBCMT ref: 00198391
_wcslen.LIBCMT ref: 001983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0019361A,?), ref: 0019844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00198487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00198501
FreeLibrary.KERNEL32(?), ref: 0019850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0019851D
DestroyIcon.USER32(?), ref: 0019852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00198549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00198555

Strings

.exe, xrefs: 00198388
.dll, xrefs: 001983AB
.icl, xrefs: 00198368

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: ead7c1c772659f852730db5bdfd9eb7b576891bf90233301b23df5ffe6fa05b0
Instruction ID: 941eb41fb0f925cb2d1965251867585b372fd8b223db8acfe7a591b109b5cd28
Opcode Fuzzy Hash: ead7c1c772659f852730db5bdfd9eb7b576891bf90233301b23df5ffe6fa05b0
Instruction Fuzzy Hash: B561CC71A00215BFEF14DF64DC81BBE77A8BF19B21F10460AF855D61D1DBB4AA90CBA0

Function 00107778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 00145169
Bad directive syntax error, xrefs: 0014519A
", xrefs: 00145153
Cannot parse #include, xrefs: 00145279
Unterminated group of comments, xrefs: 0014528C
#notrayicon, xrefs: 001077E7
#pragma compile, xrefs: 001077D3
#include-once, xrefs: 0010782F
#ce, xrefs: 001078ED
#comments-start, xrefs: 0010785F, 001078B1
#cs, xrefs: 00107873, 001078C5
#requireadmin, xrefs: 001077FF
#comments-end, xrefs: 001078D9
#include, xrefs: 00107847
#OnAutoItStartRegister, xrefs: 00107817

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f0cc213b10f51b62359b94eecc7991814056364b6655ab4ce6cdadc30c943a57
Instruction ID: eff7473db6690231562d09d72f01ea6f26187125712d0145863521d0579bc296
Opcode Fuzzy Hash: f0cc213b10f51b62359b94eecc7991814056364b6655ab4ce6cdadc30c943a57
Instruction Fuzzy Hash: 29813771A04205BBDF24BF60DC42FAE37A9AF65740F054025F845AB1D3EBB0E952C7A1

Function 00173E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00173EF8
_wcslen.LIBCMT ref: 00173F03
_wcslen.LIBCMT ref: 00173F5A
_wcslen.LIBCMT ref: 00173F98
GetDriveTypeW.KERNEL32(?), ref: 00173FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0017401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00174059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00174087

Strings

close, xrefs: 00173EFE, 00173F18
set cd door , xrefs: 00174028
close cd wait, xrefs: 00174072
closed, xrefs: 00173F08, 00173F2D, 00173F46, 00173F7E, 00173F97
open , xrefs: 00173FE5
type cdaudio alias cd wait, xrefs: 00174001
wait, xrefs: 00174044
open, xrefs: 00173F54, 00173F59

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 2f4f6fac89816f8f158b88280aea44208278b2bec6ad53708c097876252139ee
Instruction ID: e49b171df9990d6e10bb92e45cbe6a0700aa6102a2ee28fa4792f019f572133c
Opcode Fuzzy Hash: 2f4f6fac89816f8f158b88280aea44208278b2bec6ad53708c097876252139ee
Instruction Fuzzy Hash: 8871E2726042119FC710EF24C88196EB7F4EFA4754F10892DF9E997291EB31ED45CB92

Function 00165A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00165A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00165A40
SetWindowTextW.USER32(?,?), ref: 00165A57
GetDlgItem.USER32(?,000003EA), ref: 00165A6C
SetWindowTextW.USER32(00000000,?), ref: 00165A72
GetDlgItem.USER32(?,000003E9), ref: 00165A82
SetWindowTextW.USER32(00000000,?), ref: 00165A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00165AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00165AC3
GetWindowRect.USER32(?,?), ref: 00165ACC
_wcslen.LIBCMT ref: 00165B33
SetWindowTextW.USER32(?,?), ref: 00165B6F
GetDesktopWindow.USER32 ref: 00165B75
GetWindowRect.USER32(00000000), ref: 00165B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00165BD3
GetClientRect.USER32(?,?), ref: 00165BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00165C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00165C2F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 32b980924aa9d2a5c9576dc598820cae676f6592bbdabffee4d65ddd64299d4d
Instruction ID: 5396400bc6a908f81501ff7b85e2edf151ad1e2158a8def3701a06290bedf68a
Opcode Fuzzy Hash: 32b980924aa9d2a5c9576dc598820cae676f6592bbdabffee4d65ddd64299d4d
Instruction Fuzzy Hash: 6B717D31900B09AFDB20DFA8CE85AAEBBF6FF48705F104519E582A36A0D775E954CB50

Function 0017FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0017FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0017FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0017FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0017FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0017FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0017FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0017FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0017FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0017FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0017FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0017FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0017FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0017FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0017FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0017FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0017FECC
GetCursorInfo.USER32(?), ref: 0017FEDC
GetLastError.KERNEL32 ref: 0017FF1E

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 6bc125bd7d448e06fef7dfbcf0c3c786ab43feb02ebd10569217cf640013bd1b
Instruction ID: a4c1096cf32157a66bb60fe99711ec6d10d56dbed8068eca029c50b5eb0c875f
Opcode Fuzzy Hash: 6bc125bd7d448e06fef7dfbcf0c3c786ab43feb02ebd10569217cf640013bd1b
Instruction Fuzzy Hash: C64124B1D083196ADB109FBA8C8985EBFF8FF04754B50852AF11DE7281DB789901CE91

Function 001200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001200C6

Part of subcall function 001200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(001D070C,00000FA0,4A90CD8C,?,?,?,?,001423B3,000000FF), ref: 0012011C
Part of subcall function 001200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001423B3,000000FF), ref: 00120127
Part of subcall function 001200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001423B3,000000FF), ref: 00120138
Part of subcall function 001200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0012014E
Part of subcall function 001200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0012015C
Part of subcall function 001200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0012016A
Part of subcall function 001200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00120195
Part of subcall function 001200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001201A0

___scrt_fastfail.LIBCMT ref: 001200E7

Part of subcall function 001200A3: __onexit.LIBCMT ref: 001200A9

Strings

kernel32.dll, xrefs: 00120133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00120122
InitializeConditionVariable, xrefs: 00120148
SleepConditionVariableCS, xrefs: 00120154
WakeAllConditionVariable, xrefs: 00120162

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: a2622b6fb198d4becb291a6abfcadcaa9f90dd109db49aa9c543d245ab149865
Instruction ID: 43c81207e179f92408c1f403234471fcfa8736f4f6a9e0104b1e03b350c4e32c
Opcode Fuzzy Hash: a2622b6fb198d4becb291a6abfcadcaa9f90dd109db49aa9c543d245ab149865
Instruction Fuzzy Hash: C8210B32645720ABE7125BB4BC46B6E37D4EB0DB51F01023BF841D6A92DB70DC908AD4

Function 001630F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0016318D
_wcslen.LIBCMT ref: 001631F8

Strings

INSTANCE, xrefs: 00163453
TEXT, xrefs: 0016347C
REGEXPCLASS, xrefs: 00163255, 00163266
CLASS, xrefs: 00163188, 001631A5
NAME, xrefs: 00163335, 00163346
CLASSNN, xrefs: 001631F3, 00163204

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 1219778d205d0c5cdc6ab14c2c0a9c80ee0a68b2db8baa26b9d27f0d1757f0e9
Instruction ID: 333100f251b55a985825b7b01c8d0cf634a8f4918802ec66b0081fbf88fc6ee8
Opcode Fuzzy Hash: 1219778d205d0c5cdc6ab14c2c0a9c80ee0a68b2db8baa26b9d27f0d1757f0e9
Instruction Fuzzy Hash: F4E1E532A005269BCB189F68CC51BEDFBB1BF64710F55812DE466B7280DF30AEA5C790

Function 001744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0019CC08), ref: 00174527
_wcslen.LIBCMT ref: 0017453B
_wcslen.LIBCMT ref: 00174599
_wcslen.LIBCMT ref: 001745F4
_wcslen.LIBCMT ref: 0017463F
_wcslen.LIBCMT ref: 001746A7

Part of subcall function 0011F9F2: _wcslen.LIBCMT ref: 0011F9FD

GetDriveTypeW.KERNEL32(?,001C6BF0,00000061), ref: 00174743

Strings

all, xrefs: 00174531, 00174536
network, xrefs: 0017469D, 001746A2
removable, xrefs: 001745EA, 001745EF
cdrom, xrefs: 0017458F, 00174594
fixed, xrefs: 00174635, 0017463A
unknown, xrefs: 00174708
ramdisk, xrefs: 001746F1

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: d38502e3173c6f083e6397542736996c6ddbdec07050d465585623921c1ff9ad
Instruction ID: 2f2fdbf009a74a5508d0a5b58fd23196af01b3da683d646939bb74e4eaca58ba
Opcode Fuzzy Hash: d38502e3173c6f083e6397542736996c6ddbdec07050d465585623921c1ff9ad
Instruction Fuzzy Hash: 7DB1E1716083029FC714DF28C890A6AB7F5BFA9764F508A1DF49AC7291E770DC85CB92

Function 0018AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0018B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0018B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0018B1D4
_wcslen.LIBCMT ref: 0018B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0018B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0018B236
_wcslen.LIBCMT ref: 0018B332

Part of subcall function 001705A7: GetStdHandle.KERNEL32(000000F6), ref: 001705C6

_wcslen.LIBCMT ref: 0018B34B
_wcslen.LIBCMT ref: 0018B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0018B3B6
GetLastError.KERNEL32(00000000), ref: 0018B407
CloseHandle.KERNEL32(?), ref: 0018B439
CloseHandle.KERNEL32(00000000), ref: 0018B44A
CloseHandle.KERNEL32(00000000), ref: 0018B45C
CloseHandle.KERNEL32(00000000), ref: 0018B46E
CloseHandle.KERNEL32(?), ref: 0018B4E3

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: d1094d24c1b6bae407b759ee1d95a7646924e2391410634a56bb7c29e1c51770
Instruction ID: 64e89977f47c6719fee889a5c2994f6b9b517ef885fb43b14b28a0ce37de8c18
Opcode Fuzzy Hash: d1094d24c1b6bae407b759ee1d95a7646924e2391410634a56bb7c29e1c51770
Instruction Fuzzy Hash: 43F18C315083009FCB14EF24C891B6EBBE1AF89314F18855DF89A9B2A2CB71ED45CF52

Function 0010326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(001D1990), ref: 00142F8D
GetMenuItemCount.USER32(001D1990), ref: 0014303D
GetCursorPos.USER32(?), ref: 00143081
SetForegroundWindow.USER32(00000000), ref: 0014308A
TrackPopupMenuEx.USER32(001D1990,00000000,?,00000000,00000000,00000000), ref: 0014309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001430A9

Strings

0, xrefs: 0010327D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 2b7318695dc2bcc16603cda60f5ce304a459ce06dac932047ad97c13aef61c38
Instruction ID: d10e0071ab4554268418849b8fbd72f9dc0c057a5f4c1913d220dcfed7cd95b7
Opcode Fuzzy Hash: 2b7318695dc2bcc16603cda60f5ce304a459ce06dac932047ad97c13aef61c38
Instruction Fuzzy Hash: D5710871644205BFFB258F64CC49FAABF68FF05364F204216F524AA1E1C7B1ADA4DB90

Function 00196CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00196DEB

Part of subcall function 00106B57: _wcslen.LIBCMT ref: 00106B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00196E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00196E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00196E94
DestroyWindow.USER32(?), ref: 00196EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00100000,00000000), ref: 00196EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00196EFD
GetDesktopWindow.USER32 ref: 00196F16
GetWindowRect.USER32(00000000), ref: 00196F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00196F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00196F4D

Part of subcall function 00119944: GetWindowLongW.USER32(?,000000EB), ref: 00119952

Strings

0, xrefs: 00196D98
tooltips_class32, xrefs: 00196E58, 00196EDD

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: e4c3347c5d1a83fc6a4ae4ea5e9e02e5934b0cab0e8e7051b2fb9b01baa734af
Instruction ID: 54d9dd3f556d4767624a47deb2732a50f50e650f17844da44d9b85efe084b7bf
Opcode Fuzzy Hash: e4c3347c5d1a83fc6a4ae4ea5e9e02e5934b0cab0e8e7051b2fb9b01baa734af
Instruction Fuzzy Hash: 32715774104244AFDB25CF18DC54FBABBE9FB89304F44041EF999872A1C770E946CB62

Function 0019911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00119BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00119BB2

DragQueryPoint.SHELL32(?,?), ref: 00199147

Part of subcall function 00197674: ClientToScreen.USER32(?,?), ref: 0019769A
Part of subcall function 00197674: GetWindowRect.USER32(?,?), ref: 00197710
Part of subcall function 00197674: PtInRect.USER32(?,?,00198B89), ref: 00197720

SendMessageW.USER32(?,000000B0,?,?), ref: 001991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00199225
SendMessageW.USER32(?,000000B0,?,?), ref: 0019923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00199255
SendMessageW.USER32(?,000000B1,?,?), ref: 00199277
DragFinish.SHELL32(?), ref: 0019927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00199371

Strings

@GUI_DROPID, xrefs: 0019929E
@GUI_DRAGID, xrefs: 001992E9
@GUI_DRAGFILE, xrefs: 00199320

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 895d1c63bdbb3b908a0a3940ef1f05a7e254a3fbce96edbf926197ad8ac2b661
Instruction ID: 440a418867f3564526a37a548e4855fa913100d29b969b8fa320e1d33c9ad683
Opcode Fuzzy Hash: 895d1c63bdbb3b908a0a3940ef1f05a7e254a3fbce96edbf926197ad8ac2b661
Instruction Fuzzy Hash: 9D617871108301AFD701DF64DC95DAFBBE8FF99350F40092EF591922A1DB709A49CBA2

Function 0017C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0017C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0017C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0017C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0017C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0017C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0017C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0017C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0017C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0017C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0017C5F0
InternetCloseHandle.WININET(00000000), ref: 0017C5FB

Strings

, xrefs: 0017C575

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: dc169370d974ca7757b604e87aab76567b2c6d9543581968b3799df8c2df7a30
Instruction ID: 0dcba0904e5eaebf2126c300c3c1562eea1aced1fb8ee93949aa93e8af7fb1cf
Opcode Fuzzy Hash: dc169370d974ca7757b604e87aab76567b2c6d9543581968b3799df8c2df7a30
Instruction Fuzzy Hash: AE5151B1600605BFDB218FA4C988AAB7BFCFF04754F00841EF54996650D735E984DBE0

Function 0019856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00198592
GetFileSize.KERNEL32(00000000,00000000), ref: 001985A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 001985AD
CloseHandle.KERNEL32(00000000), ref: 001985BA
GlobalLock.KERNEL32(00000000), ref: 001985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001985D7
GlobalUnlock.KERNEL32(00000000), ref: 001985E0
CloseHandle.KERNEL32(00000000), ref: 001985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 001985F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0019FC38,?), ref: 00198611
GlobalFree.KERNEL32(00000000), ref: 00198621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00198641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00198671
DeleteObject.GDI32(00000000), ref: 00198699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001986AF

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6344af451d4aa8b70508662dee8577bcfec4c9397f64b4e4183b2ef492c7bf15
Instruction ID: f3f885e2b8e45e51a4ea444545ca54ca2790b7d829b585b8faa21e487881720b
Opcode Fuzzy Hash: 6344af451d4aa8b70508662dee8577bcfec4c9397f64b4e4183b2ef492c7bf15
Instruction Fuzzy Hash: A6411A75600204AFDB11DFA5DD48EAA7BB8FF89715F104159F945EB260DB30AD41CF60

Function 001714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00171502
VariantCopy.OLEAUT32(?,?), ref: 0017150B
VariantClear.OLEAUT32(?), ref: 00171517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00171657
VariantInit.OLEAUT32(?), ref: 00171708
SysFreeString.OLEAUT32(?), ref: 0017178C
VariantClear.OLEAUT32(?), ref: 001717D8
VariantClear.OLEAUT32(?), ref: 001717E7
VariantInit.OLEAUT32(00000000), ref: 00171823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00171625
Default, xrefs: 001716AF

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 808ca6b99e9ca8aa5508126fecd8ab367822bd91453abe1ece7aad5b44043716
Instruction ID: 74b9b715a2c0b817f161ef7dc0c6e74e857839f8fd620ce43935bc52d876c15c
Opcode Fuzzy Hash: 808ca6b99e9ca8aa5508126fecd8ab367822bd91453abe1ece7aad5b44043716
Instruction Fuzzy Hash: 68D1F071A00105EBDF189F68E885BBDB7B5BF46704F15C06AF44AAB180DB70EC81DBA1

Function 0018B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

Part of subcall function 0018C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0018B6AE,?,?), ref: 0018C9B5
Part of subcall function 0018C998: _wcslen.LIBCMT ref: 0018C9F1
Part of subcall function 0018C998: _wcslen.LIBCMT ref: 0018CA68
Part of subcall function 0018C998: _wcslen.LIBCMT ref: 0018CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0018B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0018B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0018B80A
RegCloseKey.ADVAPI32(?), ref: 0018B87E
RegCloseKey.ADVAPI32(?), ref: 0018B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0018B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0018B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0018B922
FreeLibrary.KERNEL32(00000000), ref: 0018B983
RegCloseKey.ADVAPI32(00000000), ref: 0018B994

Strings

RegDeleteKeyExW, xrefs: 0018B8FE
advapi32.dll, xrefs: 0018B8ED

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: dc423a8671a48702a70cdb04ec40a88c511edde9704d4a220b716215ecd8496a
Instruction ID: 6b71bf180c747774f56b20c74b4b52bd6e6b17ec6be95661e19a4dc6ab8a9820
Opcode Fuzzy Hash: dc423a8671a48702a70cdb04ec40a88c511edde9704d4a220b716215ecd8496a
Instruction Fuzzy Hash: BFC17A74608201AFD714EF14C4D5F2ABBE5BF84308F18859CF59A8B6A2CB71EA45CF91

Function 0018255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001825E8
CreateCompatibleDC.GDI32(?), ref: 001825F4
SelectObject.GDI32(00000000,?), ref: 00182601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0018266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001826D0
SelectObject.GDI32(?,?), ref: 001826D8
DeleteObject.GDI32(?), ref: 001826E1
DeleteDC.GDI32(?), ref: 001826E8
ReleaseDC.USER32(00000000,?), ref: 001826F3

Strings

(, xrefs: 0018268D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: bc5963d2ae688474a1c79e45b902fd6e6408b51e7001d945cea2ca81c6587e66
Instruction ID: 6379fcc72d29ae227959739d0043bc5fc7b8514f4e8ea2492851058070848f56
Opcode Fuzzy Hash: bc5963d2ae688474a1c79e45b902fd6e6408b51e7001d945cea2ca81c6587e66
Instruction Fuzzy Hash: E7610775D00219EFCF05DFA4D884AAEBBF6FF48310F20852AE955A7250D770A941CF90

Function 0013DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0013DAA1

Part of subcall function 0013D63C: _free.LIBCMT ref: 0013D659
Part of subcall function 0013D63C: _free.LIBCMT ref: 0013D66B
Part of subcall function 0013D63C: _free.LIBCMT ref: 0013D67D
Part of subcall function 0013D63C: _free.LIBCMT ref: 0013D68F
Part of subcall function 0013D63C: _free.LIBCMT ref: 0013D6A1
Part of subcall function 0013D63C: _free.LIBCMT ref: 0013D6B3
Part of subcall function 0013D63C: _free.LIBCMT ref: 0013D6C5
Part of subcall function 0013D63C: _free.LIBCMT ref: 0013D6D7
Part of subcall function 0013D63C: _free.LIBCMT ref: 0013D6E9
Part of subcall function 0013D63C: _free.LIBCMT ref: 0013D6FB
Part of subcall function 0013D63C: _free.LIBCMT ref: 0013D70D
Part of subcall function 0013D63C: _free.LIBCMT ref: 0013D71F
Part of subcall function 0013D63C: _free.LIBCMT ref: 0013D731

_free.LIBCMT ref: 0013DA96

Part of subcall function 001329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0013D7D1,00000000,00000000,00000000,00000000,?,0013D7F8,00000000,00000007,00000000,?,0013DBF5,00000000), ref: 001329DE
Part of subcall function 001329C8: GetLastError.KERNEL32(00000000,?,0013D7D1,00000000,00000000,00000000,00000000,?,0013D7F8,00000000,00000007,00000000,?,0013DBF5,00000000,00000000), ref: 001329F0

_free.LIBCMT ref: 0013DAB8
_free.LIBCMT ref: 0013DACD
_free.LIBCMT ref: 0013DAD8
_free.LIBCMT ref: 0013DAFA
_free.LIBCMT ref: 0013DB0D
_free.LIBCMT ref: 0013DB1B
_free.LIBCMT ref: 0013DB26
_free.LIBCMT ref: 0013DB5E
_free.LIBCMT ref: 0013DB65
_free.LIBCMT ref: 0013DB82
_free.LIBCMT ref: 0013DB9A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 68ecf448cee0aab2b51daf079ece8dd08eb482b5180a6eb661c5c89d7b5d50fb
Instruction ID: 3c8e5daa8c5c535c50a953aab766f7ab35013c29f1af3b4c8bc651eb36440f83
Opcode Fuzzy Hash: 68ecf448cee0aab2b51daf079ece8dd08eb482b5180a6eb661c5c89d7b5d50fb
Instruction Fuzzy Hash: 6E3148326043159FEF22AA39F946B5ABBE9FF21324F154469F459D7191DF31EC808B20

Function 0016365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0016369C
_wcslen.LIBCMT ref: 001636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00163797
GetClassNameW.USER32(?,?,00000400), ref: 0016380C
GetDlgCtrlID.USER32(?), ref: 0016385D
GetWindowRect.USER32(?,?), ref: 00163882
GetParent.USER32(?), ref: 001638A0
ScreenToClient.USER32(00000000), ref: 001638A7
GetClassNameW.USER32(?,?,00000100), ref: 00163921
GetWindowTextW.USER32(?,?,00000400), ref: 0016395D

Strings

%s%u, xrefs: 00163734

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 0b4fa8ede418755587e4befe60ba6162c5928f2f5d159e34fff923a3d030514c
Instruction ID: 5727a1099d04ce9b73f9eff6a9ac23cd7e0618f81e1b4d704d460c28f56ff8ec
Opcode Fuzzy Hash: 0b4fa8ede418755587e4befe60ba6162c5928f2f5d159e34fff923a3d030514c
Instruction Fuzzy Hash: 5491B271204706AFD719DF24CC85BEAF7A9FF44354F008629F9AAC2190DB30EA65CB91

Function 00164954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00164994
GetWindowTextW.USER32(?,?,00000400), ref: 001649DA
_wcslen.LIBCMT ref: 001649EB
CharUpperBuffW.USER32(?,00000000), ref: 001649F7
_wcsstr.LIBVCRUNTIME ref: 00164A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00164A64
GetWindowTextW.USER32(?,?,00000400), ref: 00164A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00164AE6
GetClassNameW.USER32(?,?,00000400), ref: 00164B20
GetWindowRect.USER32(?,?), ref: 00164B8B

Strings

ThumbnailClass, xrefs: 00164A6F, 00164AF1

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 13f4bf33958845064e5b0c6eca170f509e158d60467dbb0ac98aa1030df482f1
Instruction ID: 578c1a5c04594c8601c8ce23b040be7a7a389d6fdbd33725b253a4e3a6ab6b2e
Opcode Fuzzy Hash: 13f4bf33958845064e5b0c6eca170f509e158d60467dbb0ac98aa1030df482f1
Instruction Fuzzy Hash: 2C91DD72004205AFDB08DF14CD81FAA77E9FF94714F04846AFD869A196EB30ED65CBA1

Function 0016BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(001D1990,000000FF,00000000,00000030), ref: 0016BFAC
SetMenuItemInfoW.USER32(001D1990,00000004,00000000,00000030), ref: 0016BFE1
Sleep.KERNEL32(000001F4), ref: 0016BFF3
GetMenuItemCount.USER32(?), ref: 0016C039
GetMenuItemID.USER32(?,00000000), ref: 0016C056
GetMenuItemID.USER32(?,-00000001), ref: 0016C082
GetMenuItemID.USER32(?,?), ref: 0016C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0016C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0016C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0016C145

Strings

0, xrefs: 0016BF3D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 332b0c18d09860493fff067dfd5942823fecdfbb35b284443bb781d85e008352
Instruction ID: 2f2e2d06ba4a243bd12243f468f529592aaa37bcf1e011de10434d6d9684cd3f
Opcode Fuzzy Hash: 332b0c18d09860493fff067dfd5942823fecdfbb35b284443bb781d85e008352
Instruction Fuzzy Hash: 1B6181B4A0024AEFDF15CF64CD88AFE7BA8EB06344F144156F891A3291C735AD65CBA1

Function 0018CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0018CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0018CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0018CD48

Part of subcall function 0018CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0018CCAA
Part of subcall function 0018CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0018CCBD
Part of subcall function 0018CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0018CCCF
Part of subcall function 0018CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0018CD05
Part of subcall function 0018CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0018CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0018CCF3

Strings

RegDeleteKeyExW, xrefs: 0018CCC9
advapi32.dll, xrefs: 0018CCB8

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 56bc28a71bb3a367a26e162e13d64daf9f9fea858ee226059a180c1a7de9d7a4
Instruction ID: 2be3de6384a6652738058500376f975321f2a00c352c079607fcf91f0f16f7f8
Opcode Fuzzy Hash: 56bc28a71bb3a367a26e162e13d64daf9f9fea858ee226059a180c1a7de9d7a4
Instruction Fuzzy Hash: 43316975901129BBDB20ABA5DC88EEFBB7CEF55740F000166B906E2240DB709B859FF0

Function 00173D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00173D40
_wcslen.LIBCMT ref: 00173D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00173D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00173DBE
RemoveDirectoryW.KERNEL32(?), ref: 00173DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00173E55
CloseHandle.KERNEL32(00000000), ref: 00173E60
CloseHandle.KERNEL32(00000000), ref: 00173E6B

Strings

\, xrefs: 00173D77
\??\%s, xrefs: 00173D5B
:, xrefs: 00173D82

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: f63e5c5deece8fe15bb84b4bf77b32dfc58f5bd802abaf5d30d5a0f76b262b19
Instruction ID: 5d788a347dd9876a40ed2913a9ced5099beba18777c0c6fb7ece56a802441224
Opcode Fuzzy Hash: f63e5c5deece8fe15bb84b4bf77b32dfc58f5bd802abaf5d30d5a0f76b262b19
Instruction Fuzzy Hash: 0F31B076900219ABDB209FA0DC49FEF37BDEF88700F5081B6F559D6060EB7097849B64

Function 0016E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0016E6B4

Part of subcall function 0011E551: timeGetTime.WINMM(?,?,0016E6D4), ref: 0011E555

Sleep.KERNEL32(0000000A), ref: 0016E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0016E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0016E727
SetActiveWindow.USER32 ref: 0016E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0016E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0016E773
Sleep.KERNEL32(000000FA), ref: 0016E77E
IsWindow.USER32 ref: 0016E78A
EndDialog.USER32(00000000), ref: 0016E79B

Strings

BUTTON, xrefs: 0016E719

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: b6eaf72a19c3682d242ab79dcc9d698873927d69e55a24b431449138f6b9fd4e
Instruction ID: 3c4119df2d1c78e286394f4be095b60571d4fe33ff79bb5a3d8c2cf9a6edd3ae
Opcode Fuzzy Hash: b6eaf72a19c3682d242ab79dcc9d698873927d69e55a24b431449138f6b9fd4e
Instruction Fuzzy Hash: A7219675202304BFFB015F64EC89A253BA9FB64748F100527FC51C2AA1DB71DCA4DBA4

Function 0016E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0016EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0016EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0016EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0016EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0016EAA7

Strings

open , xrefs: 0016EA0C
play PlayMe wait, xrefs: 0016EA91
status PlayMe mode, xrefs: 0016EA58
close PlayMe, xrefs: 0016EA6E, 0016EA9B
play PlayMe, xrefs: 0016EAA2
alias PlayMe, xrefs: 0016EA36

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 400e204f95e3bf4f0790a01c98113a5141e8571a8bac6d4336027be11adec817
Instruction ID: e75f39f9df106040e274d7dd552655dcef81304158142407cbdb130acbde3074
Opcode Fuzzy Hash: 400e204f95e3bf4f0790a01c98113a5141e8571a8bac6d4336027be11adec817
Instruction Fuzzy Hash: 6E11A035A902197DD720A7A6DD4AEFF6ABCEFE1B04F400529B811A30D1EFB08D04C6B0

Function 00165CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00165CE2
GetWindowRect.USER32(00000000,?), ref: 00165CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00165D59
GetDlgItem.USER32(?,00000002), ref: 00165D69
GetWindowRect.USER32(00000000,?), ref: 00165D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00165DCF
GetDlgItem.USER32(?,000003E9), ref: 00165DDD
GetWindowRect.USER32(00000000,?), ref: 00165DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00165E31
GetDlgItem.USER32(?,000003EA), ref: 00165E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00165E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00165E67

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 0d2ea1ea0fc04608fe3a6721b28389024be473beafd49fe7715976715b4c26e3
Instruction ID: 0000066e888faf373a8a9ffc20edc74427ce135ca4571f14fac113c808a8058c
Opcode Fuzzy Hash: 0d2ea1ea0fc04608fe3a6721b28389024be473beafd49fe7715976715b4c26e3
Instruction Fuzzy Hash: 69511071B00615AFDF18CFA8DD89AAEBBB6FB48300F548129F515E7690D7709E50CB60

Function 00118BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00118F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00118BE8,?,00000000,?,?,?,?,00118BBA,00000000,?), ref: 00118FC5

DestroyWindow.USER32(?), ref: 00118C81
KillTimer.USER32(00000000,?,?,?,?,00118BBA,00000000,?), ref: 00118D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00156973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00118BBA,00000000,?), ref: 001569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00118BBA,00000000,?), ref: 001569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00118BBA,00000000), ref: 001569D4
DeleteObject.GDI32(00000000), ref: 001569E6

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 002bb6a48db262c8e0bb2eceee95b2e59bef187f9002e09ddcd70708f1f0552e
Instruction ID: 34472279ac03148ed9ba8dee7faeb8d0014b2392d2742b4b7c6e5a9368b893e9
Opcode Fuzzy Hash: 002bb6a48db262c8e0bb2eceee95b2e59bef187f9002e09ddcd70708f1f0552e
Instruction Fuzzy Hash: 87618C30502600EFCB299F18D958BA5B7F2FB5031AF54852EE4929B960CB31A8C5DBD0

Function 00119838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00119944: GetWindowLongW.USER32(?,000000EB), ref: 00119952

GetSysColor.USER32(0000000F), ref: 00119862

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: b72be6ca852094eaa6bc2ca43075320988dd99fd8cec349660e97ea4ef5d5b1f
Instruction ID: 919a0862de99eb9455b5ee49b306fe2cd3ce7593534ab15b6d35d2199d18dbb3
Opcode Fuzzy Hash: b72be6ca852094eaa6bc2ca43075320988dd99fd8cec349660e97ea4ef5d5b1f
Instruction Fuzzy Hash: 6E41AD31104648EFDB285F389C99BF93BA5BB46721F144626F9B28B2E1D7309882DB51

Function 001696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0014F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00169717
LoadStringW.USER32(00000000,?,0014F7F8,00000001), ref: 00169720

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0014F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00169742
LoadStringW.USER32(00000000,?,0014F7F8,00000001), ref: 00169745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00169866

Strings

^ ERROR, xrefs: 001697FB
Line %d:, xrefs: 001697A0
Line %d (File "%s"):, xrefs: 0016978F
%s (%d) : ==> %s: %s %s, xrefs: 0016984A
Error: , xrefs: 0016981D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: b1e40a5f384605e2530154e33f6f0b9729eb990fab8af0fc44493be9e163ddce
Instruction ID: 07c4f294fc4585f9bdf9bc0e06104f7178472cc3ee07755bcdeb0abc0068bc27
Opcode Fuzzy Hash: b1e40a5f384605e2530154e33f6f0b9729eb990fab8af0fc44493be9e163ddce
Instruction Fuzzy Hash: 9E411A7290020DABCB08EBE0DE96EEE777CAF64340F500065B64576092EB756F59CBA1

Function 001606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00106B57: _wcslen.LIBCMT ref: 00106B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00160804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0016082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00160837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0016083C

Strings

SOFTWARE\Classes\, xrefs: 0016070E
\CLSID, xrefs: 00160724
\IPC$, xrefs: 00160784

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: f37ee3891f5c39e220d6e43f0393a34bd91ea5fa94396329137e1b2640fb4979
Instruction ID: 140ef76f979546f4323a8cedd82560f533c193695daa5c9309b55374dbb6e2d9
Opcode Fuzzy Hash: f37ee3891f5c39e220d6e43f0393a34bd91ea5fa94396329137e1b2640fb4979
Instruction Fuzzy Hash: 8A412972D1022CABCF15EBA4DC95DEEB778FF18340F44412AE941A71A1EB709E54CBA0

Function 00183C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00183C5C
CoInitialize.OLE32(00000000), ref: 00183C8A
CoUninitialize.OLE32 ref: 00183C94
_wcslen.LIBCMT ref: 00183D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00183DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00183ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00183F0E
CoGetObject.OLE32(?,00000000,0019FB98,?), ref: 00183F2D
SetErrorMode.KERNEL32(00000000), ref: 00183F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00183FC4
VariantClear.OLEAUT32(?), ref: 00183FD8

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: cce92a0bb11df625824b45644e5b6653c73574962f8e18ec15e275a159490642
Instruction ID: be4d2880077d2684d9792434097a7adaf52a0488a18481d3012f6072a25167a9
Opcode Fuzzy Hash: cce92a0bb11df625824b45644e5b6653c73574962f8e18ec15e275a159490642
Instruction Fuzzy Hash: ECC147716083019FD700EF68C88492BB7E9FF89B44F04491DF99A9B251DB70EE46CB92

Function 00177A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00177AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00177B8F
SHGetDesktopFolder.SHELL32(?), ref: 00177BA3
CoCreateInstance.OLE32(0019FD08,00000000,00000001,001C6E6C,?), ref: 00177BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00177C74
CoTaskMemFree.OLE32(?,?), ref: 00177CCC
SHBrowseForFolderW.SHELL32(?), ref: 00177D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00177D7A
CoTaskMemFree.OLE32(00000000), ref: 00177D81
CoTaskMemFree.OLE32(00000000), ref: 00177DD6
CoUninitialize.OLE32 ref: 00177DDC

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: fa703865628159d784bc0af004dad538824bd805285ebd5024be12a044ad6f40
Instruction ID: 055656e1b579aa244f11e2450a982c73853b9b1e62cbdf4ff23149124643210e
Opcode Fuzzy Hash: fa703865628159d784bc0af004dad538824bd805285ebd5024be12a044ad6f40
Instruction Fuzzy Hash: C0C10A75A04109AFDB14DFA4C884DAEBBF9FF48304F148499E859DB6A1D730EE85CB90

Function 0019541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00195504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00195515
CharNextW.USER32(00000158), ref: 00195544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00195585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0019559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001955AC

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 4524f05ecd818588ed8f4bbbfac7bc4638cf10079831c8f4570d5996006563a4
Instruction ID: 280dfe713e0b9eafa39d5a8cc211e8a722257ddc89dad9bf2b22dc1605933655
Opcode Fuzzy Hash: 4524f05ecd818588ed8f4bbbfac7bc4638cf10079831c8f4570d5996006563a4
Instruction Fuzzy Hash: 67618C31900608AFEF169F94CC849FE7BBAFF09724F104146F965BB291D7709A80DBA1

Function 0015FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0015FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0015FB08
VariantInit.OLEAUT32(?), ref: 0015FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0015FB3A
VariantCopy.OLEAUT32(?,?), ref: 0015FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0015FBA1
VariantClear.OLEAUT32(?), ref: 0015FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0015FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0015FBCC
VariantClear.OLEAUT32(?), ref: 0015FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0015FBE9

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 59dd4cb2b7fd9eebfb728e67933954cebf76f7459fb791dbfe8d761395082fe5
Instruction ID: 941a28dc7634c56e6fb215ca87147d13e9ca63884f2d96549d74181705b46067
Opcode Fuzzy Hash: 59dd4cb2b7fd9eebfb728e67933954cebf76f7459fb791dbfe8d761395082fe5
Instruction Fuzzy Hash: 66416035A00219DFCF04DF68C8549EEBBB9FF18345F008069E955AB261CB30A946CFE1

Function 00169C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00169CA1
GetAsyncKeyState.USER32(000000A0), ref: 00169D22
GetKeyState.USER32(000000A0), ref: 00169D3D
GetAsyncKeyState.USER32(000000A1), ref: 00169D57
GetKeyState.USER32(000000A1), ref: 00169D6C
GetAsyncKeyState.USER32(00000011), ref: 00169D84
GetKeyState.USER32(00000011), ref: 00169D96
GetAsyncKeyState.USER32(00000012), ref: 00169DAE
GetKeyState.USER32(00000012), ref: 00169DC0
GetAsyncKeyState.USER32(0000005B), ref: 00169DD8
GetKeyState.USER32(0000005B), ref: 00169DEA

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 40440e7b20e0a0bef4ff9d3b3763332c8f7536aa69838efa67130edd71d07f78
Instruction ID: ffcd4c99dc8a65b9cba3a039e3465ba963b737249e7bc61fceec81a786cbf6ef
Opcode Fuzzy Hash: 40440e7b20e0a0bef4ff9d3b3763332c8f7536aa69838efa67130edd71d07f78
Instruction Fuzzy Hash: A841CB346047CA6FFF3197A4CC043B5BEE86F11344F04806ADAC65A5C2DBB599E8C7A2

Function 0018055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001805BC
inet_addr.WSOCK32(?), ref: 0018061C
gethostbyname.WSOCK32(?), ref: 00180628
IcmpCreateFile.IPHLPAPI ref: 00180636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001807B9
WSACleanup.WSOCK32 ref: 001807BF

Strings

Ping, xrefs: 00180676

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 3777fd7587ae8c9af84db841c7ac8cb284f68630521077fba68cd5cc00ec6fa1
Instruction ID: 783b0e838d42c2529e212fb9219894a5edd8c84f566a8d0f55a2063bdc015dda
Opcode Fuzzy Hash: 3777fd7587ae8c9af84db841c7ac8cb284f68630521077fba68cd5cc00ec6fa1
Instruction Fuzzy Hash: CC91B3356082419FD361EF15C888F16BBE0AF48318F1585A9F4A98B7A2C770FE85CF91

Function 00188CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00188CF3

Part of subcall function 00168E54: _wcslen.LIBCMT ref: 00168E77

_wcslen.LIBCMT ref: 00188D4E
_wcslen.LIBCMT ref: 00188D9C
_wcslen.LIBCMT ref: 00188DDC
_wcslen.LIBCMT ref: 00188E6E

Strings

none, xrefs: 00188E65, 00188E6A
stdcall, xrefs: 00188DD6, 00188DDB
cdecl, xrefs: 00188D48, 00188D4D
winapi, xrefs: 00188D96, 00188D9B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: f34f7b4451a7d19bcd6546b8c1660a9cfb19a41a7e45458b20d0a70c895072ea
Instruction ID: ae6bbf9f6b5237f5da95333b63299f838b42e3f3ab24a139b35743bedfb6c80f
Opcode Fuzzy Hash: f34f7b4451a7d19bcd6546b8c1660a9cfb19a41a7e45458b20d0a70c895072ea
Instruction Fuzzy Hash: AE51B331A001169BCF14EFACC9509BEB7A5BF74324BA14229F466E72C5DB71DE40CB90

Function 0018372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00183774
CoUninitialize.OLE32 ref: 0018377F
CoCreateInstance.OLE32(?,00000000,00000017,0019FB78,?), ref: 001837D9
IIDFromString.OLE32(?,?), ref: 0018384C
VariantInit.OLEAUT32(?), ref: 001838E4
VariantClear.OLEAUT32(?), ref: 00183936

Strings

Failed to create object, xrefs: 001837E4, 0018389A
NULL Pointer assignment, xrefs: 0018381E
Invalid parameter, xrefs: 00183865

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: fdc9160eae556c7815bcf5635b51b19c3b0cbca85e11d8539036c8f8eb2bcc47
Instruction ID: c52ba0f7f074727bc759a2d3c7ac77ab68190dfb227e680125f4c6d086055128
Opcode Fuzzy Hash: fdc9160eae556c7815bcf5635b51b19c3b0cbca85e11d8539036c8f8eb2bcc47
Instruction Fuzzy Hash: D261AD70608301AFD311EF54C848F6AB7E8AF59B14F040919F9959B291D770EE89CF92

Function 00173388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001733CF

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001733F0

Strings

Incorrect parameters to object property !, xrefs: 001734AB
"%s" (%d) : ==> %s:, xrefs: 00173522
"%s" (%d) : ==> %s:%s%s, xrefs: 00173504
Line %d (File "%s"):, xrefs: 00173443, 0017345C
^ ERROR , xrefs: 0017349E
Error: , xrefs: 001734D1

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 3e10c5eebdc006862433cfb9a7975f5107cb38d4f9893b40d5c0c883ef38a413
Instruction ID: 38692ab36d4f8c02cf7e90d7a7d96120bafedec75f418f249948a9fe1c1ee854
Opcode Fuzzy Hash: 3e10c5eebdc006862433cfb9a7975f5107cb38d4f9893b40d5c0c883ef38a413
Instruction Fuzzy Hash: 95518E72900209BADF18EBA0DD42EEEB778AF24340F104065F51572092EB716F98DB61

Function 0016B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0016B5FC
_wcslen.LIBCMT ref: 0016B608
_wcslen.LIBCMT ref: 0016B64D
_wcslen.LIBCMT ref: 0016B68C
_wcslen.LIBCMT ref: 0016B6C7

Strings

KEYS, xrefs: 0016B647, 0016B64C
EXISTS, xrefs: 0016B686, 0016B68B
REMOVE, xrefs: 0016B602, 0016B607
APPEND, xrefs: 0016B6C1, 0016B6C6

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 256a6e4f7435424327da9728b471861686d6b5ab686db472e81939db5ff8e1a4
Instruction ID: 96239ef7ac5fd5b7c481a07b6d5774833d1a910254fe7edba483f8fb6dc4cad5
Opcode Fuzzy Hash: 256a6e4f7435424327da9728b471861686d6b5ab686db472e81939db5ff8e1a4
Instruction Fuzzy Hash: 5141D632A091269BCB205F7DCDD05BE77A5AFB0758B254129E461DB284E731CDE1C790

Function 00175393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00175416
GetLastError.KERNEL32 ref: 00175420
SetErrorMode.KERNEL32(00000000,READY), ref: 001754A7

Strings

READY, xrefs: 00175460, 00175468
INVALID, xrefs: 00175459
UNKNOWN, xrefs: 00175444
READONLY, xrefs: 00175452
NOTREADY, xrefs: 0017544B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: de72c8aa65ebc197fa30479267ff8c63195f86a71dec83b6e88f4253c01446f3
Instruction ID: 9b5a2949d8c9c643870a5f8a981606e855b771aafaf19ec547d58f4fe96e577d
Opcode Fuzzy Hash: de72c8aa65ebc197fa30479267ff8c63195f86a71dec83b6e88f4253c01446f3
Instruction Fuzzy Hash: 0831A235A00504DFD710DF68C984FAA7BB5EF15305F14C06AE40ADB292EBB1ED82CBA1

Function 00193C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00193C79
SetMenu.USER32(?,00000000), ref: 00193C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00193D10
IsMenu.USER32(?), ref: 00193D24
CreatePopupMenu.USER32 ref: 00193D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00193D5B
DrawMenuBar.USER32 ref: 00193D63

Strings

0, xrefs: 00193C54
F, xrefs: 00193D4E

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 12c02103deb98a26d28b10fc534b22543c51a26e4f41f76346c1f9a1138ffbbe
Instruction ID: cfdb96a277dd2c0f9827f633a0abb1d992722f2ffbb2ff35f0a61b489c74daa9
Opcode Fuzzy Hash: 12c02103deb98a26d28b10fc534b22543c51a26e4f41f76346c1f9a1138ffbbe
Instruction Fuzzy Hash: 6F4169B9A01209AFDF14CFA4D894AEA7BF5FF49350F14002AF956A7360D730AA10CF90

Function 00161EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

Part of subcall function 00163CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00163CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00161F64
GetDlgCtrlID.USER32 ref: 00161F6F
GetParent.USER32 ref: 00161F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00161F8E
GetDlgCtrlID.USER32(?), ref: 00161F97
GetParent.USER32(?), ref: 00161FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00161FAE

Strings

ComboBox, xrefs: 00161EEC
ListBox, xrefs: 00161F21

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 06b7103004b2b6fc08416fa1704f74d2b7448b365fb3b9082a9d46873638bd96
Instruction ID: 027f83f04878cf37076bb5869af535b69fb0377678a30cc71d0c63895b0e1c0b
Opcode Fuzzy Hash: 06b7103004b2b6fc08416fa1704f74d2b7448b365fb3b9082a9d46873638bd96
Instruction Fuzzy Hash: 9E21D471D00214BBCF04AFA0DC95EEEBBB9EF25350F004156F9A1672E1CB755958DBA0

Function 00193A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00193A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00193AA0
GetWindowLongW.USER32(?,000000F0), ref: 00193AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00193AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00193B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00193BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00193BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00193BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00193BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00193C13

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b440ae1e5bea8de6704b82b5bed773173bd94c9351c0076da6637cce18c4c5f7
Instruction ID: c1852618278ce0b6071f241782f95630adc923c3abd4d430b54985b6028bd328
Opcode Fuzzy Hash: b440ae1e5bea8de6704b82b5bed773173bd94c9351c0076da6637cce18c4c5f7
Instruction Fuzzy Hash: 15615A75900248AFDB10DFA8CC81EEE77B8EF09714F10419AFA15A72A2D774AE85DB50

Function 0016B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0016B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0016A1E1,?,00000001), ref: 0016B165
GetWindowThreadProcessId.USER32(00000000), ref: 0016B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0016A1E1,?,00000001), ref: 0016B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0016B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0016A1E1,?,00000001), ref: 0016B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0016A1E1,?,00000001), ref: 0016B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0016A1E1,?,00000001), ref: 0016B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0016A1E1,?,00000001), ref: 0016B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0016A1E1,?,00000001), ref: 0016B21D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6a0612a73828bd4b64353d38ec974be191aab96207dc042a214e1ac61c7c99d4
Instruction ID: 42dbff59ae838cff2bda22091dd854d639d329232079297aa154f68c96e7bfa1
Opcode Fuzzy Hash: 6a0612a73828bd4b64353d38ec974be191aab96207dc042a214e1ac61c7c99d4
Instruction Fuzzy Hash: 1031EF75506204BFDB109F24EC98B6EBBA9FB51312F10801AFA10D7690D7B4AEC08FA1

Function 00132C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00132C94

Part of subcall function 001329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0013D7D1,00000000,00000000,00000000,00000000,?,0013D7F8,00000000,00000007,00000000,?,0013DBF5,00000000), ref: 001329DE
Part of subcall function 001329C8: GetLastError.KERNEL32(00000000,?,0013D7D1,00000000,00000000,00000000,00000000,?,0013D7F8,00000000,00000007,00000000,?,0013DBF5,00000000,00000000), ref: 001329F0

_free.LIBCMT ref: 00132CA0
_free.LIBCMT ref: 00132CAB
_free.LIBCMT ref: 00132CB6
_free.LIBCMT ref: 00132CC1
_free.LIBCMT ref: 00132CCC
_free.LIBCMT ref: 00132CD7
_free.LIBCMT ref: 00132CE2
_free.LIBCMT ref: 00132CED
_free.LIBCMT ref: 00132CFB

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 80609eadefa15841dc91ecbe30cb170863fbf97ab92e7dbf84745eed36dc874a
Instruction ID: 88ea82aede7c6256d9a21415f08a7396b93a94acc202e8d055d9d7895b53d652
Opcode Fuzzy Hash: 80609eadefa15841dc91ecbe30cb170863fbf97ab92e7dbf84745eed36dc874a
Instruction Fuzzy Hash: FC119076100128AFCF02FF94E982DDD7BA9FF15354F8144A5FA489B222DB31EA509B90

Function 00101410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00101459
OleUninitialize.OLE32(?,00000000), ref: 001014F8
UnregisterHotKey.USER32(?), ref: 001016DD
DestroyWindow.USER32(?), ref: 001424B9
FreeLibrary.KERNEL32(?), ref: 0014251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0014254B

Strings

close all, xrefs: 00101454

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 14ecfea8ad8fb0e9d600ea79a8594198c7c9eb4d287fc2bedefdc21085c9255d
Instruction ID: f29df513e9a27123db0fadc7b9b45b347e63716a65be5eac79e87113619d59e5
Opcode Fuzzy Hash: 14ecfea8ad8fb0e9d600ea79a8594198c7c9eb4d287fc2bedefdc21085c9255d
Instruction Fuzzy Hash: 06D19031701212DFCB19EF14C899A69F7A0BF15700F5541ADF88AAB2A2DB71ED52CF90

Function 00177DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00177FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00177FC1
GetFileAttributesW.KERNEL32(?), ref: 00177FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00178005
SetCurrentDirectoryW.KERNEL32(?), ref: 00178017
SetCurrentDirectoryW.KERNEL32(?), ref: 00178060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001780B0

Strings

*.*, xrefs: 00178066

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 5faa9a59f4a7cef737a1825e945bbba23aa151dad6162af0e600f1d961f48c16
Instruction ID: 2e851f7ca5f49a771e60eab2b66499cccc69cb1ce7cd345eb91af078b2b9cbbd
Opcode Fuzzy Hash: 5faa9a59f4a7cef737a1825e945bbba23aa151dad6162af0e600f1d961f48c16
Instruction Fuzzy Hash: 5381B1725082019BDB24EF14C8449AEB3F9BF99314F148C5EF889C7290EB74DD89CB92

Function 00105BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00105C7A

Part of subcall function 00105D0A: GetClientRect.USER32(?,?), ref: 00105D30
Part of subcall function 00105D0A: GetWindowRect.USER32(?,?), ref: 00105D71
Part of subcall function 00105D0A: ScreenToClient.USER32(?,?), ref: 00105D99

GetDC.USER32 ref: 001446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00144708
SelectObject.GDI32(00000000,00000000), ref: 00144716
SelectObject.GDI32(00000000,00000000), ref: 0014472B
ReleaseDC.USER32(?,00000000), ref: 00144733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001447C4

Strings

U, xrefs: 00144693

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7146f35d92c1d3f589790c77c481f8bfb1b253599ae524a38428d9512ec7818c
Instruction ID: 8bb5a8ca948930d60b9672a9514250b4c55431f394326a5155b60c30c24cf5cf
Opcode Fuzzy Hash: 7146f35d92c1d3f589790c77c481f8bfb1b253599ae524a38428d9512ec7818c
Instruction Fuzzy Hash: 8971FE31400205EFDF25CF64C984BBA7BB6FF4A365F14426AE9955A2B6C7309882DF60

Function 0017359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001735E4

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

LoadStringW.USER32(001D2390,?,00000FFF,?), ref: 0017360A

Strings

^ ERROR, xrefs: 001736C9
"%s" (%d) : ==> %s:, xrefs: 00173742
"%s" (%d) : ==> %s:%s%s, xrefs: 00173724
Line %d (File "%s"):, xrefs: 0017366B
Error: , xrefs: 001736EF

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: ad868b414de378c0a75f571c6ae69f76e5dde9479687229a0b4389c1e6ca4433
Instruction ID: d7f01f3f84fa8f05f56451b5a4983487ace972efa4adde9156374a31d7534722
Opcode Fuzzy Hash: ad868b414de378c0a75f571c6ae69f76e5dde9479687229a0b4389c1e6ca4433
Instruction Fuzzy Hash: 97518E71900209BBDF18EBA0DC42EEEBB78BF24310F144125F115761A2EB706B99DFA1

Function 0017C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0017C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0017C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0017C2CA
GetLastError.KERNEL32 ref: 0017C322
SetEvent.KERNEL32(?), ref: 0017C336
InternetCloseHandle.WININET(00000000), ref: 0017C341

Strings

, xrefs: 0017C2BB

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6d0fb4e459d89875edf4f8676638a61a7fca1ff284f1cd1a1c47b6cadbb54fd1
Instruction ID: bd178db3ab632abf36ca9a864c5ee834d784ae8d8e21f7861ffe03639a5fc581
Opcode Fuzzy Hash: 6d0fb4e459d89875edf4f8676638a61a7fca1ff284f1cd1a1c47b6cadbb54fd1
Instruction Fuzzy Hash: F63148B1600608AFDB219FA49C88AAB7BFCFB59744B14C51EF48A92601DB34DD449BE1

Function 0016989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00143AAF,?,?,Bad directive syntax error,0019CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001698BC
LoadStringW.USER32(00000000,?,00143AAF,?), ref: 001698C3

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00169987

Strings

., xrefs: 0016996D
Line %d:, xrefs: 00169912
%s (%d) : ==> %s.: %s %s, xrefs: 001698F1
Line %d (File "%s"):, xrefs: 0016992D
Error: , xrefs: 00169955

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 249ca2efdc79995d239747ac459be184ca63c22c0f50ee2f52649b0f53a62459
Instruction ID: 0347db0be0ec9656e080691280d47a7b54af44f997bc58557be5f7884277e4da
Opcode Fuzzy Hash: 249ca2efdc79995d239747ac459be184ca63c22c0f50ee2f52649b0f53a62459
Instruction Fuzzy Hash: 38218B32C0021EABCF15AF90CC46EEE7739BF28304F04446AF555660A2EB71AA68DB51

Function 0016209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0016214D

Strings

smallicons, xrefs: 00162115
details, xrefs: 001620FB
SHELLDLL_DefView, xrefs: 001620CC
list, xrefs: 0016212F
largeicons, xrefs: 001620E1

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: bc3242c54c3ced09180076fca26b466175061e5f285c98cf8cb9e948ba73f43c
Instruction ID: 18a8e75742d7adf6f7c13423b98bd7bea0e0e367b3fdc984cc2c51182d0b4227
Opcode Fuzzy Hash: bc3242c54c3ced09180076fca26b466175061e5f285c98cf8cb9e948ba73f43c
Instruction Fuzzy Hash: 871106B668CB16BAF7056220EC06EE6779DCB26724B21001AFB05A50D2EF71ACA25654

Function 00138D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 657ef0614b2b39898880df5c4a3a3c1958e2005bfd88d31631332702918376d0
Instruction ID: 682218f6e894abf94f1547c4c4fbee3f92de1316017b85c790052b59dec957bb
Opcode Fuzzy Hash: 657ef0614b2b39898880df5c4a3a3c1958e2005bfd88d31631332702918376d0
Instruction Fuzzy Hash: C2C1EF74A04349AFDF15EFA8D841BADBBB8AF1A310F1440A9F855A7392C7749942CB60

Function 0013CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0013CEB7
_free.LIBCMT ref: 0013CF22
_free.LIBCMT ref: 0013CF48
_free.LIBCMT ref: 0013CF71
_free.LIBCMT ref: 0013CFA9
_free.LIBCMT ref: 0013CFDA
_free.LIBCMT ref: 0013D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0013D09C
_free.LIBCMT ref: 0013D0B5

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 712891bcf55ecc6530b88a0875111d973660fafcf5a15aa0fad079f3f93de9b9
Instruction ID: b852f156555dc696b99b5a30a77803ce7c6d06a5e55caa6c924885ca0ff0b6a7
Opcode Fuzzy Hash: 712891bcf55ecc6530b88a0875111d973660fafcf5a15aa0fad079f3f93de9b9
Instruction Fuzzy Hash: 99614771905310AFDF26BFB4A881B6A7BAAEF1A314F04416EF944B7281D7369D41C7D0

Function 001950D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00195186
ShowWindow.USER32(?,00000000), ref: 001951C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001951CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001951D1

Part of subcall function 00196FBA: DeleteObject.GDI32(00000000), ref: 00196FE6

GetWindowLongW.USER32(?,000000F0), ref: 0019520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0019521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0019524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00195287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00195296

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: d4a7f375d6d6b5dabc11995edec1855208a21ed2a75595516caca5b4f5dbbfb1
Instruction ID: bd74dff3f8cf483fe99cd4c843ad4b55a04c06f4de8576b2b9783e7f25e437ad
Opcode Fuzzy Hash: d4a7f375d6d6b5dabc11995edec1855208a21ed2a75595516caca5b4f5dbbfb1
Instruction Fuzzy Hash: F651B130A41A08FFEF2A9F24CC49BD83B67FB05365F184022F625B62E1C375A980DB51

Function 00118B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00156890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00118874,00000000,00000000,00000000,000000FF,00000000), ref: 00156901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0015691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00118874,00000000,00000000,00000000,000000FF,00000000), ref: 0015692D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 279e142b4b18fa0675f9932994a60733ffd4aa6ca4d672bf800ee9860eed2eac
Instruction ID: b8cc4ed2dad29866ba793f0b9361303e2b80261819c5c783503496fcbceda168
Opcode Fuzzy Hash: 279e142b4b18fa0675f9932994a60733ffd4aa6ca4d672bf800ee9860eed2eac
Instruction Fuzzy Hash: 62519A70A00209EFDB28CF24CC51FAA7BB5FF58755F104529F9569B2A0DB70E990DB90

Function 0017C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0017C182
GetLastError.KERNEL32 ref: 0017C195
SetEvent.KERNEL32(?), ref: 0017C1A9

Part of subcall function 0017C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0017C272
Part of subcall function 0017C253: GetLastError.KERNEL32 ref: 0017C322
Part of subcall function 0017C253: SetEvent.KERNEL32(?), ref: 0017C336
Part of subcall function 0017C253: InternetCloseHandle.WININET(00000000), ref: 0017C341

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 4abac84fc7ed29d9ba8853bb08b28d539895a45b1b1416d844d6317c4bd44a6a
Instruction ID: 76d09111d6f833fe7d25c5e70eeba3fdc51f84ba699f1a8bb0f536e47e1402b6
Opcode Fuzzy Hash: 4abac84fc7ed29d9ba8853bb08b28d539895a45b1b1416d844d6317c4bd44a6a
Instruction Fuzzy Hash: 5A319C71200601EFDB259FE5DC44A66BBF9FF28300B54842EF99A82A11DB30E954DBE0

Function 001625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00163A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00163A57
Part of subcall function 00163A3D: GetCurrentThreadId.KERNEL32 ref: 00163A5E
Part of subcall function 00163A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001625B3), ref: 00163A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00162601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00162605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0016260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00162623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00162627

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a952608f6f8d85b352ad9dd063eec464b12bcccad02380f9f738fe1f822bda5f
Instruction ID: c1d27499d9463e7f6c517ac4ba58e4373409c8756f89d123886a1ef06f9f0276
Opcode Fuzzy Hash: a952608f6f8d85b352ad9dd063eec464b12bcccad02380f9f738fe1f822bda5f
Instruction Fuzzy Hash: 7D01B530290610BBFB1067699C8AF993E59DF5AB52F100012F354AF1D1C9F11494DAA9

Function 00161803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00161449,?,?,00000000), ref: 0016180C
HeapAlloc.KERNEL32(00000000,?,00161449,?,?,00000000), ref: 00161813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00161449,?,?,00000000), ref: 00161828
GetCurrentProcess.KERNEL32(?,00000000,?,00161449,?,?,00000000), ref: 00161830
DuplicateHandle.KERNEL32(00000000,?,00161449,?,?,00000000), ref: 00161833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00161449,?,?,00000000), ref: 00161843
GetCurrentProcess.KERNEL32(00161449,00000000,?,00161449,?,?,00000000), ref: 0016184B
DuplicateHandle.KERNEL32(00000000,?,00161449,?,?,00000000), ref: 0016184E
CreateThread.KERNEL32(00000000,00000000,00161874,00000000,00000000,00000000), ref: 00161868

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 5b829519e26d0f5cf12fbe559f699a811c5b81a33153beec805ee73efb39e6f2
Instruction ID: 57d102a4d79efa05cefc08349ef6892ffa8643a2d807809247321393d132f827
Opcode Fuzzy Hash: 5b829519e26d0f5cf12fbe559f699a811c5b81a33153beec805ee73efb39e6f2
Instruction Fuzzy Hash: 7B01BBB5240308FFE710ABA5DD4EF6B3BACEB89B11F404422FA45DB5A1CA709850CB74

Function 0018A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0016D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0016D501
Part of subcall function 0016D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0016D50F
Part of subcall function 0016D4DC: CloseHandle.KERNEL32(00000000), ref: 0016D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0018A16D
GetLastError.KERNEL32 ref: 0018A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0018A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0018A268
GetLastError.KERNEL32(00000000), ref: 0018A273
CloseHandle.KERNEL32(00000000), ref: 0018A2C4

Strings

SeDebugPrivilege, xrefs: 0018A18F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 00b4f0b9a8ab6d78a7a0f642480fe5545c539986c43585f437aaf20d266d76e4
Instruction ID: 7e88f574d38d625272408748cdb8d7f806df2db4f414770543bed702f30fafaa
Opcode Fuzzy Hash: 00b4f0b9a8ab6d78a7a0f642480fe5545c539986c43585f437aaf20d266d76e4
Instruction Fuzzy Hash: 4B617E702042429FE724EF18C494F15BBA1AF54318F58849DE4A64BBA3C7B6ED45CFD2

Function 00193886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00193925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0019393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00193954
_wcslen.LIBCMT ref: 00193999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001939F4

Strings

SysListView32, xrefs: 001938F7

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 18ee96c3de5a5817dc3549c791dbc408aeb9036ba0345504f70b5d05805d0f04
Instruction ID: 7d7b53c5405440fe830a1a0449212456b5638c2579a72890010b16d1481f6625
Opcode Fuzzy Hash: 18ee96c3de5a5817dc3549c791dbc408aeb9036ba0345504f70b5d05805d0f04
Instruction Fuzzy Hash: 1B419571A00219ABDF219F64CC49FEA77A9FF18354F100526F968E7281D7B19D94CB90

Function 0016BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0016BCFD
IsMenu.USER32(00000000), ref: 0016BD1D
CreatePopupMenu.USER32 ref: 0016BD53
GetMenuItemCount.USER32(016C5888), ref: 0016BDA4
InsertMenuItemW.USER32(016C5888,?,00000001,00000030), ref: 0016BDCC

Strings

2, xrefs: 0016BD37
0, xrefs: 0016BCA8

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 08f36f9150a56ae906e7942c3ff284dd9f95e4de92c4035431ec1797acbf59c6
Instruction ID: ba95b37d5595bd05f9d6cdb069d540bf3fb86065c394e1835246bb494e171d94
Opcode Fuzzy Hash: 08f36f9150a56ae906e7942c3ff284dd9f95e4de92c4035431ec1797acbf59c6
Instruction Fuzzy Hash: 2051BF70A082059BDF24CFE8DCC4BAEBBF8BF55318F14421AE441DB291D77099A1CB61

Function 0016C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0016C913

Strings

stop, xrefs: 0016C8E4
warning, xrefs: 0016C8FC
blank, xrefs: 0016C895
info, xrefs: 0016C8B4
question, xrefs: 0016C8CC

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: cf44b30ad18d17d6e1456773ba14ceba6ba0c38663cf2c702384a369d02d0154
Instruction ID: b6fb7fde1e899833a9435d4da8457dab3e867de662ae37c89afc908ecdc2a713
Opcode Fuzzy Hash: cf44b30ad18d17d6e1456773ba14ceba6ba0c38663cf2c702384a369d02d0154
Instruction Fuzzy Hash: 36113A32689316BBE7089B54EC83DBE379CDF25359B20002FF544E7282E7B09E2052E4

Function 0016DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0016DE42
gethostname.WSOCK32(?,00000100), ref: 0016DE5C
gethostbyname.WSOCK32(?), ref: 0016DE69
inet_ntoa.WSOCK32(?), ref: 0016DEAB
_strcat.LIBCMT ref: 0016DEB9
WSACleanup.WSOCK32 ref: 0016DEDE

Strings

0.0.0.0, xrefs: 0016DE87

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 4244af4db28fda7bf9e6a696687c8dbe4991f24f161e304aa35654ff19f841bb
Instruction ID: 6d5e15f21f6f9c2e88bb5a26348741253b227103ba578beeb2f1e58488e978e5
Opcode Fuzzy Hash: 4244af4db28fda7bf9e6a696687c8dbe4991f24f161e304aa35654ff19f841bb
Instruction Fuzzy Hash: B9112C31A04115AFDB24AB64FC0AEEE77BCDF25710F01016AF54596091EFB18AD18A90

Function 0016ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0016ED2A
_wcslen.LIBCMT ref: 0016ED3B
_wcslen.LIBCMT ref: 0016ED79
_wcslen.LIBCMT ref: 0016EDAF
_wcslen.LIBCMT ref: 0016EDDF
_wcslen.LIBCMT ref: 0016EDEF
_wcslen.LIBCMT ref: 0016EE2B
_wcslen.LIBCMT ref: 0016EE5A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4c416f9f06d53c4071f06993abf49a9c075e71c9c47e99ba24f2fe1bd4fa18d7
Instruction ID: 6791addb7afe0dde68427bf72cfb016f7172e642ec913699a77c036da6dce749
Opcode Fuzzy Hash: 4c416f9f06d53c4071f06993abf49a9c075e71c9c47e99ba24f2fe1bd4fa18d7
Instruction Fuzzy Hash: 8741C365C10228B6CB11EBF4DC8A9CFB7E8AF59310F508562E518E3161FB34E265C3E5

Function 0011F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0015682C,00000004,00000000,00000000), ref: 0011F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0015682C,00000004,00000000,00000000), ref: 0015F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0015682C,00000004,00000000,00000000), ref: 0015F454

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 917dbad0d02aea5cd7c3b2b2d964b332b4bc819a503ebb0a50d069b6f827429a
Instruction ID: 9a5ed78c16976ad64f7022dff5faebe85499516aac8488a50164718ec67ccbb5
Opcode Fuzzy Hash: 917dbad0d02aea5cd7c3b2b2d964b332b4bc819a503ebb0a50d069b6f827429a
Instruction Fuzzy Hash: 35416E30208648FFD73CAB29C8887AA7B92BB56329F59443DF49756960C73198C7CB50

Function 00192D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00192D1B
GetDC.USER32(00000000), ref: 00192D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00192D2E
ReleaseDC.USER32(00000000,00000000), ref: 00192D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00192D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00192D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00195A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00192DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00192DE1

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ec960676112b5e483b7ef76e833893199d2e74896f53f1fc92c484faa546a2a0
Instruction ID: 46922edf03ca90a3d8512918eabe4626235db3382a996096b0defabfd0da67b7
Opcode Fuzzy Hash: ec960676112b5e483b7ef76e833893199d2e74896f53f1fc92c484faa546a2a0
Instruction Fuzzy Hash: 74317A76201214BFEF218F50DC8AFEB3BA9EF09715F044066FE489A291C6759C90CBB4

Function 00165622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00165637
_memcmp.LIBVCRUNTIME ref: 00165659
_memcmp.LIBVCRUNTIME ref: 00165671
_memcmp.LIBVCRUNTIME ref: 00165684
_memcmp.LIBVCRUNTIME ref: 0016569E
_memcmp.LIBVCRUNTIME ref: 001656B1
_memcmp.LIBVCRUNTIME ref: 001656C9
_memcmp.LIBVCRUNTIME ref: 001656E4

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ca8489f20c1cc7093c8d5371a66caa38c98786946e14b83bbdf22d5aa80e9544
Instruction ID: 19431003d495aa70c52c93e9d729de17d5ab1adf0b78048763ff0b615fb885e9
Opcode Fuzzy Hash: ca8489f20c1cc7093c8d5371a66caa38c98786946e14b83bbdf22d5aa80e9544
Instruction Fuzzy Hash: 8821C661A41A197BD718DA20EE82FFA335FBF303A4F444024FD05AA681F720ED31C1A5

Function 00184FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0018502E, 00185383
Not an Object type, xrefs: 00185007

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5ff77563b63d8e35f6b7948083498cb6b2f0a919e53b266daf20241d7f0be626
Instruction ID: 0a5f137a176fd1587cf73634739f301784cb67e2ea1ba12486b725fcfc5023d9
Opcode Fuzzy Hash: 5ff77563b63d8e35f6b7948083498cb6b2f0a919e53b266daf20241d7f0be626
Instruction Fuzzy Hash: 27D1A375A0060A9FDF14DF98C885BAEB7B6FF48344F148069E915AB281D770DE45CF90

Function 00141522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 001415CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00141651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001416E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 001416FB

Part of subcall function 00133820: RtlAllocateHeap.NTDLL(00000000,?,001D1444,?,0011FDF5,?,?,0010A976,00000010,001D1440,001013FC,?,001013C6,?,00101129), ref: 00133852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00141777
__freea.LIBCMT ref: 001417A2
__freea.LIBCMT ref: 001417AE

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 09515a7b3a2895257691c286d1e2e6b5e1d04f4d0da987247a4a26c7bb57a546
Instruction ID: c8593308c599d181b566851046e64e1d3e02cefd0dda8f066c99aef54ff71d6b
Opcode Fuzzy Hash: 09515a7b3a2895257691c286d1e2e6b5e1d04f4d0da987247a4a26c7bb57a546
Instruction Fuzzy Hash: 6991C472E00216BADF248EB4C881AEE7BB5AF49350F194669E905EB161D735DDC0CBA0

Function 00184523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00184648
VariantInit.OLEAUT32(?), ref: 00184749
VariantClear.OLEAUT32(?), ref: 00184753
VariantClear.OLEAUT32(?), ref: 001847B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0018472C
Null Object assignment in FOR..IN loop, xrefs: 001845D8, 00184706, 001847BE

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 6b310108263d95fcb3405e76dd9422b73f0e56ed756cee75e4a59f9498a28555
Instruction ID: 241c6d65819183eaf2b3a2dfc891faa69bf9ff28f28818b69c267944bc10ebf8
Opcode Fuzzy Hash: 6b310108263d95fcb3405e76dd9422b73f0e56ed756cee75e4a59f9498a28555
Instruction Fuzzy Hash: 27918271A0021AAFDF24DFA5D844FAEBBB8EF56714F10855DF505AB280DB709A41CFA0

Function 00171187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0017125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00171284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0017135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00171430

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 8a95f6a0c13096b3cfeb171d1cc86a0327d25e7799722462b0d150dab4cb5c32
Instruction ID: bb385ab5cc363694ff5d94286fb7061cae73aeef1687af8a1884d7712de26fca
Opcode Fuzzy Hash: 8a95f6a0c13096b3cfeb171d1cc86a0327d25e7799722462b0d150dab4cb5c32
Instruction Fuzzy Hash: 38910671A00208BFDB05DFA8C884BFE77B5FF55315F258029E945EB292D774A981CB90

Function 0011948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d8525b2e9609d6da5e2eb8cbd68f7a7243e1f7b2d11a9e2b9e5d2f48c82bc19b
Instruction ID: 92284a10277f4097ae0aa153af560db8edb0ad9a0a0718fcf25e4e000931c67a
Opcode Fuzzy Hash: d8525b2e9609d6da5e2eb8cbd68f7a7243e1f7b2d11a9e2b9e5d2f48c82bc19b
Instruction Fuzzy Hash: A4913A71D04219EFCB54CFA9CC84AEEBBB9FF49320F144156E925B7251D374A981CB60

Function 00183947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0018396B
CharUpperBuffW.USER32(?,?), ref: 00183A7A
_wcslen.LIBCMT ref: 00183A8A
VariantClear.OLEAUT32(?), ref: 00183C1F

Part of subcall function 00170CDF: VariantInit.OLEAUT32(00000000), ref: 00170D1F
Part of subcall function 00170CDF: VariantCopy.OLEAUT32(?,?), ref: 00170D28
Part of subcall function 00170CDF: VariantClear.OLEAUT32(?), ref: 00170D34

Strings

AUTOIT.ERROR, xrefs: 00183A80, 00183A85
Incorrect Parameter format, xrefs: 001839A6, 00183BA1

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 4fb629877c4417ff18f6a688dc7191d74fdf1acec05ba42a8abaaa5853905e5e
Instruction ID: 313f26d2db4e3e74ebdc18f6a3c12dde062f8bf26e59f7a324d5094e01f17f5f
Opcode Fuzzy Hash: 4fb629877c4417ff18f6a688dc7191d74fdf1acec05ba42a8abaaa5853905e5e
Instruction Fuzzy Hash: 0F914775A083059FC704EF24C49096AB7E4BF99714F18882EF8999B391DB70EE45CF92

Function 00184BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0016000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0015FF41,80070057,?,?,?,0016035E), ref: 0016002B
Part of subcall function 0016000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0015FF41,80070057,?,?), ref: 00160046
Part of subcall function 0016000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0015FF41,80070057,?,?), ref: 00160054
Part of subcall function 0016000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0015FF41,80070057,?), ref: 00160064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00184C51
_wcslen.LIBCMT ref: 00184D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00184DCF
CoTaskMemFree.OLE32(?), ref: 00184DDA

Strings

NULL Pointer assignment, xrefs: 00184E23, 00184E52

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: fbefa4edd78cab9e89b7c2d2b2c720bac74bc486321f0634b7a905b8c848249b
Instruction ID: f7169dac7e55e7cc97ac1b4c84d09b9a0fcc6ccc9f1134cac1c759ec29d3cbc2
Opcode Fuzzy Hash: fbefa4edd78cab9e89b7c2d2b2c720bac74bc486321f0634b7a905b8c848249b
Instruction Fuzzy Hash: 8B913A71D0021DAFDF14EFA4DC90AEEB7B8BF18314F10816AE555A7291DB745A44CFA0

Function 001920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00192183
GetMenuItemCount.USER32(00000000), ref: 001921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001921DD
_wcslen.LIBCMT ref: 00192213
GetMenuItemID.USER32(?,?), ref: 0019224D
GetSubMenu.USER32(?,?), ref: 0019225B

Part of subcall function 00163A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00163A57
Part of subcall function 00163A3D: GetCurrentThreadId.KERNEL32 ref: 00163A5E
Part of subcall function 00163A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001625B3), ref: 00163A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001922E3

Part of subcall function 0016E97B: Sleep.KERNEL32 ref: 0016E9F3

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: b5f8a4362bd8ab547cbae041c6c2363685f63ce7c448fe3df418aa7db8bf232b
Instruction ID: b503b4fad5867247ac6a1e2f3d5fdd10ff989fb3cc18d6e9cb178df654310f96
Opcode Fuzzy Hash: b5f8a4362bd8ab547cbae041c6c2363685f63ce7c448fe3df418aa7db8bf232b
Instruction Fuzzy Hash: F2718C75E00205AFCF14EFA8C845AAEB7F5EF58310F158469E856EB381DB74EE418B90

Function 00197E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016C5860), ref: 00197F37
IsWindowEnabled.USER32(016C5860), ref: 00197F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0019801E
SendMessageW.USER32(016C5860,000000B0,?,?), ref: 00198051
IsDlgButtonChecked.USER32(?,?), ref: 00198089
GetWindowLongW.USER32(016C5860,000000EC), ref: 001980AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001980C3

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 62486f353b090f51b4212a664988e687c7605470871e2883ab4faa893e7ac4c5
Instruction ID: 55d3ebf0c09b5817f3b85881e8a646c38f307c557d882bad648fb696bd09a7eb
Opcode Fuzzy Hash: 62486f353b090f51b4212a664988e687c7605470871e2883ab4faa893e7ac4c5
Instruction Fuzzy Hash: DE716F34609204AFEF259F54C894FFA7BB5FF1A300F14445AF955A72A1CB31AC85DB60

Function 0016AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0016AEF9
GetKeyboardState.USER32(?), ref: 0016AF0E
SetKeyboardState.USER32(?), ref: 0016AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0016AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0016AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0016AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0016B020

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2029e53c0596507774ac0c39c75b0c95ae3fe700f850bd05d9d9cd1e3b2c5c8c
Instruction ID: 2801fbac5b76404e96e3158e9374c3712070b3508aab79d34e7b799c1356a39a
Opcode Fuzzy Hash: 2029e53c0596507774ac0c39c75b0c95ae3fe700f850bd05d9d9cd1e3b2c5c8c
Instruction Fuzzy Hash: 7951B4A0A087D53DFB3642348C85BBA7EE95F06304F088589F1D5958C3D3E9ACE4DB52

Function 0016ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0016AD19
GetKeyboardState.USER32(?), ref: 0016AD2E
SetKeyboardState.USER32(?), ref: 0016AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0016ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0016ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0016AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0016AE38

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 13e995ce9d19175d0d474adf4f7e99247b480319b7a5a77ef4a332511a79e883
Instruction ID: 703d2abefb2e02232f1a68c80b19330866afd330dad06352b85534657b240187
Opcode Fuzzy Hash: 13e995ce9d19175d0d474adf4f7e99247b480319b7a5a77ef4a332511a79e883
Instruction Fuzzy Hash: 635118A16087D13DFB3783748C95B7A7EE85F05300F488489E1D5668C3C395ECA4DB62

Function 0013542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00143CD6,?,?,?,?,?,?,?,?,00135BA3,?,?,00143CD6,?,?), ref: 00135470
__fassign.LIBCMT ref: 001354EB
__fassign.LIBCMT ref: 00135506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00143CD6,00000005,00000000,00000000), ref: 0013552C
WriteFile.KERNEL32(?,00143CD6,00000000,00135BA3,00000000,?,?,?,?,?,?,?,?,?,00135BA3,?), ref: 0013554B
WriteFile.KERNEL32(?,?,00000001,00135BA3,00000000,?,?,?,?,?,?,?,?,?,00135BA3,?), ref: 00135584

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3d98498da1ca89579f75f6b84154f14247fb69d64ead90e803ebad19bd87b580
Instruction ID: b11237b767543cb8eec630bc4bb02528efbc9b841842aa8f7b0946c60a25df66
Opcode Fuzzy Hash: 3d98498da1ca89579f75f6b84154f14247fb69d64ead90e803ebad19bd87b580
Instruction Fuzzy Hash: DE51D671A006499FDF11CFA8D845AEEBBFAEF09700F14452AF955E7291E730EA41CB60

Function 00122D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00122D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00122D53
_ValidateLocalCookies.LIBCMT ref: 00122DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00122E0C
_ValidateLocalCookies.LIBCMT ref: 00122E61

Strings

csm, xrefs: 00122DF6

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3940e0aad8fde618086df72acacccf387fd95cbb9cbb98d441a45b6abea4fd47
Instruction ID: a9894a80d10f01c3c889255aafbf6c3b56267797612c0b6d8487ded2d75f8291
Opcode Fuzzy Hash: 3940e0aad8fde618086df72acacccf387fd95cbb9cbb98d441a45b6abea4fd47
Instruction Fuzzy Hash: 3741D334E00228BBCF10DFA8E845AAEBBB5BF55324F148155F8146B352D735DA65CBD0

Function 001810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0018304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0018307A
Part of subcall function 0018304E: _wcslen.LIBCMT ref: 0018309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00181112
WSAGetLastError.WSOCK32 ref: 00181121
WSAGetLastError.WSOCK32 ref: 001811C9
closesocket.WSOCK32(00000000), ref: 001811F9

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 8f0326ec64f7058fb05f81e2e29e15abc3c30408c4e9f1a5c07f119f1e819f7a
Instruction ID: 5ca007842990b2e34738ed9cf8b10368437cb3b1cf29eee390925fafd9ce62ed
Opcode Fuzzy Hash: 8f0326ec64f7058fb05f81e2e29e15abc3c30408c4e9f1a5c07f119f1e819f7a
Instruction Fuzzy Hash: 8C41D432600204AFDB10AF64C888BA9B7EAEF45364F148159FD559B291C770AE82CFE1

Function 0016CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0016DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0016CF22,?), ref: 0016DDFD

Part of subcall function 0016DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0016CF22,?), ref: 0016DE16

lstrcmpiW.KERNEL32(?,?), ref: 0016CF45
MoveFileW.KERNEL32(?,?), ref: 0016CF7F
_wcslen.LIBCMT ref: 0016D005
_wcslen.LIBCMT ref: 0016D01B
SHFileOperationW.SHELL32(?), ref: 0016D061

Strings

\*.*, xrefs: 0016CFF3

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 35f4fdeaeedf1a043c7b63e21e2a3871b49ee43ff08b30caaec27a8b8bc45a78
Instruction ID: eecc7ca67abb95200929e56e74d4e31027276fddaf6fdddadb7f2cc410c7609a
Opcode Fuzzy Hash: 35f4fdeaeedf1a043c7b63e21e2a3871b49ee43ff08b30caaec27a8b8bc45a78
Instruction Fuzzy Hash: 5A414671D452189FDF12EFA4DD81AEEB7F9AF18380F1000E6E545EB142EB74A698CB50

Function 00192DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00192E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00192E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00192E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00192EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00192EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00192EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00192F0B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 42011bf7ce76dda1a5c1ca2028849dd9bde6f235e7b1f79bea4f82f57f28c43a
Instruction ID: c4af85da26e85c4066a13c0d6a21acac61d696de15736d7085bacfbf6a77258c
Opcode Fuzzy Hash: 42011bf7ce76dda1a5c1ca2028849dd9bde6f235e7b1f79bea4f82f57f28c43a
Instruction Fuzzy Hash: 3E310C35606240BFEF21CF18DCD4FA537A0EB9A724F1501A6F9408B2B2CB71A8809B90

Function 00167726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00167769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0016778F
SysAllocString.OLEAUT32(00000000), ref: 00167792
SysAllocString.OLEAUT32(?), ref: 001677B0
SysFreeString.OLEAUT32(?), ref: 001677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001677DE
SysAllocString.OLEAUT32(?), ref: 001677EC

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4ff69324dfcae80e5bcd935bc26861887399c36428c9e69df89163dc6f44385f
Instruction ID: a47a880752848a039d6ad003d3f9396c6f30cebb1f9dfa66edbb63a391d9537f
Opcode Fuzzy Hash: 4ff69324dfcae80e5bcd935bc26861887399c36428c9e69df89163dc6f44385f
Instruction Fuzzy Hash: 9221A176608219AFDF10EFACCD88CBB77ACEB097687048426FA15DB190D774DC8187A4

Function 001677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00167842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00167868
SysAllocString.OLEAUT32(00000000), ref: 0016786B
SysAllocString.OLEAUT32 ref: 0016788C
SysFreeString.OLEAUT32 ref: 00167895
StringFromGUID2.OLE32(?,?,00000028), ref: 001678AF
SysAllocString.OLEAUT32(?), ref: 001678BD

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 19c9feaafdfad11356670885578011b6643a425ea92402d3a72c983abb68787a
Instruction ID: e16f1012d8c34736d5e8e43cf6f9c1b97e0a7df97719e8bcafc3b2a41f4bb587
Opcode Fuzzy Hash: 19c9feaafdfad11356670885578011b6643a425ea92402d3a72c983abb68787a
Instruction Fuzzy Hash: 03217F31608204AFDB14AFB8DC88DBA77ECEB097647108126F915CB2A1DB70DC91CBA4

Function 001704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0017052E

Strings

nul, xrefs: 00170567

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 073d3522349e68b161ab3b13d9e9b19854afc17a41e4edd49a170ffc7e2fb3d6
Instruction ID: 1856975b041202e57487845aa7d6cabdfa529d38fd8380d0fc123fd5a38cf558
Opcode Fuzzy Hash: 073d3522349e68b161ab3b13d9e9b19854afc17a41e4edd49a170ffc7e2fb3d6
Instruction Fuzzy Hash: 38217F75500305EFDB219F69DC44A9A7BB4BF59724F208A19F8A9D72E0D770D980CF60

Function 001705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00170601

Strings

nul, xrefs: 00170639

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 876b5d9b03c0ecf7c8e67cd1fe177187db7e73a4bfdb79d2990d8f382fdaf0ea
Instruction ID: d0c8de8b2d1a87a8bab7f6aaa7cde374e86834d929d3585b9bd65f647ec1b1ef
Opcode Fuzzy Hash: 876b5d9b03c0ecf7c8e67cd1fe177187db7e73a4bfdb79d2990d8f382fdaf0ea
Instruction Fuzzy Hash: 1021B275500305DFDB219F69CC54A9A77F4BF99720F208B1AF8A5E72E0E77099A0CB60

Function 001940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0010600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0010604C
Part of subcall function 0010600E: GetStockObject.GDI32(00000011), ref: 00106060
Part of subcall function 0010600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0010606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00194112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0019411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0019412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00194139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00194145

Strings

Msctls_Progress32, xrefs: 001940E3

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 32d153198464f1d9a82324547482f899baeb5a573fcd50dac15206679abfa49a
Instruction ID: 8ce0b3574e51e83cca49cdec6a924a8ee407f80eed56fb2da779ddd30fda752f
Opcode Fuzzy Hash: 32d153198464f1d9a82324547482f899baeb5a573fcd50dac15206679abfa49a
Instruction Fuzzy Hash: 9611B2B2140219BFEF119F64CC86EE77F5DEF18798F014121BA18A2190C772DC61DBA4

Function 0013D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0013D7A3: _free.LIBCMT ref: 0013D7CC

_free.LIBCMT ref: 0013D82D

Part of subcall function 001329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0013D7D1,00000000,00000000,00000000,00000000,?,0013D7F8,00000000,00000007,00000000,?,0013DBF5,00000000), ref: 001329DE
Part of subcall function 001329C8: GetLastError.KERNEL32(00000000,?,0013D7D1,00000000,00000000,00000000,00000000,?,0013D7F8,00000000,00000007,00000000,?,0013DBF5,00000000,00000000), ref: 001329F0

_free.LIBCMT ref: 0013D838
_free.LIBCMT ref: 0013D843
_free.LIBCMT ref: 0013D897
_free.LIBCMT ref: 0013D8A2
_free.LIBCMT ref: 0013D8AD
_free.LIBCMT ref: 0013D8B8

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b52de83fec4bd57b1b277975b3d029f30e4e4b0543e3f29dd6c3b43f4cbdecbf
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 8C114C71940B24AAEA21BFF0FC47FCB7BDCAF20704F400825F699A6292DB75B5058761

Function 0016DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0016DA74
LoadStringW.USER32(00000000), ref: 0016DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0016DA91
LoadStringW.USER32(00000000), ref: 0016DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0016DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0016DAB9

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 326c277e43efcad7602344c8953a336f2d2fef99f1d9bb22a4df1f68955a6107
Instruction ID: 5bee27ec42fc873d25532ea70bc8f71221ee80a04c0f15bbfa60794f7aa899d9
Opcode Fuzzy Hash: 326c277e43efcad7602344c8953a336f2d2fef99f1d9bb22a4df1f68955a6107
Instruction Fuzzy Hash: 880112F6904208BFEB11DBE4DD89EE7766CE708701F4044A6B746E2041E6749E848FB5

Function 0017096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(016BDFD0,016BDFD0), ref: 0017097B
EnterCriticalSection.KERNEL32(016BDFB0,00000000), ref: 0017098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 0017099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 001709A9
CloseHandle.KERNEL32(00000000), ref: 001709B8
InterlockedExchange.KERNEL32(016BDFD0,000001F6), ref: 001709C8
LeaveCriticalSection.KERNEL32(016BDFB0), ref: 001709CF

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 3265d6a4fab5033e05a71f5ba7dbc92fd30442297b018c7f3f447fd756f2fb19
Instruction ID: 1ec0d2f0bfd4e96441f46ab0af87778e2fafc2076bcc89ad2e397667ce669eff
Opcode Fuzzy Hash: 3265d6a4fab5033e05a71f5ba7dbc92fd30442297b018c7f3f447fd756f2fb19
Instruction Fuzzy Hash: B4F0CD31442A12EBD7525BA4EE89AD67A35BF05706F801026F24550CA1C775A5A5CFE0

Function 00105D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00105D30
GetWindowRect.USER32(?,?), ref: 00105D71
ScreenToClient.USER32(?,?), ref: 00105D99
GetClientRect.USER32(?,?), ref: 00105ED7
GetWindowRect.USER32(?,?), ref: 00105EF8

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a7be8e095020bfb8f759c6970a6b1c516ab28a1cdbf62847010fb9907e9cfcfa
Instruction ID: 840f9d56dc2568697957361bf54d06911969704e579a5b73cc636a963ec3de49
Opcode Fuzzy Hash: a7be8e095020bfb8f759c6970a6b1c516ab28a1cdbf62847010fb9907e9cfcfa
Instruction Fuzzy Hash: 31B15835A00A4ADBDB14CFA9C4807EAB7F2FF58310F14841AE8E9D7290DB74AA51DF54

Function 001301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001300D6
__allrem.LIBCMT ref: 001300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0013010B
__allrem.LIBCMT ref: 00130122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00130140

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 3e32641871fbda82d5f01280cb73f2de3ed26d9b779f791eca22c57314f144cc
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 13815672A00B16ABE725AF28CC92B6B73F8AF55764F24423EF550D7281E770D9418B90

Function 00181D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00183149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0018101C,00000000,?,?,00000000), ref: 00183195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00181DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00181DE1
WSAGetLastError.WSOCK32 ref: 00181DF2
inet_ntoa.WSOCK32(?), ref: 00181E8C
htons.WSOCK32(?,?,?,?,?), ref: 00181EDB
_strlen.LIBCMT ref: 00181F35

Part of subcall function 001639E8: _strlen.LIBCMT ref: 001639F2

Part of subcall function 00106D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0011CF58,?,?,?), ref: 00106DBA
Part of subcall function 00106D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0011CF58,?,?,?), ref: 00106DED

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 4a77dc925441a9d5211b3bc149c8f44c5819cbe74430afacd7ce65957a903293
Instruction ID: d410b48fcad7464437a8468dd7d464a0987d210e9f324300492bea814d92d347
Opcode Fuzzy Hash: 4a77dc925441a9d5211b3bc149c8f44c5819cbe74430afacd7ce65957a903293
Instruction Fuzzy Hash: CCA1E232104300AFC314EF24C895F2A77E9AF94318F54895CF5965B2E2CB71EE86CB91

Function 001361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001282D9,001282D9,?,?,?,0013644F,00000001,00000001,8BE85006), ref: 00136258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0013644F,00000001,00000001,8BE85006,?,?,?), ref: 001362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001363D8
__freea.LIBCMT ref: 001363E5

Part of subcall function 00133820: RtlAllocateHeap.NTDLL(00000000,?,001D1444,?,0011FDF5,?,?,0010A976,00000010,001D1440,001013FC,?,001013C6,?,00101129), ref: 00133852

__freea.LIBCMT ref: 001363EE
__freea.LIBCMT ref: 00136413

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3d3bb9b11847bead48970aad0bdfa76524998896d621782289804b18d7b0bb9a
Instruction ID: 55defddc265c5f101bfdf6852d85e662b12279400b842955816b4c50da920588
Opcode Fuzzy Hash: 3d3bb9b11847bead48970aad0bdfa76524998896d621782289804b18d7b0bb9a
Instruction Fuzzy Hash: C451D072A00216BBEB258F64CC81EBF7BA9EF54750F158629FC09D7140EB34DC80C6A0

Function 0018BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

Part of subcall function 0018C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0018B6AE,?,?), ref: 0018C9B5
Part of subcall function 0018C998: _wcslen.LIBCMT ref: 0018C9F1
Part of subcall function 0018C998: _wcslen.LIBCMT ref: 0018CA68
Part of subcall function 0018C998: _wcslen.LIBCMT ref: 0018CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0018BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0018BD25
RegCloseKey.ADVAPI32(00000000), ref: 0018BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0018BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0018BDF3
RegCloseKey.ADVAPI32(?), ref: 0018BDFF

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: b2c41e1ffbb4722e5da6cefe8d241810aa58b16e720dbe6a80c894c1a30acea9
Instruction ID: bb2b52c660eefb73ecaf71c1e0c7c56ae3f7b1ec73f56ea783f9b0a2ac6a92b7
Opcode Fuzzy Hash: b2c41e1ffbb4722e5da6cefe8d241810aa58b16e720dbe6a80c894c1a30acea9
Instruction Fuzzy Hash: 85817B30208241AFD714EF64C891E6ABBE5BF84308F14855DF4994B2A2DB31EE45CF92

Function 0015F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0015F7B9
SysAllocString.OLEAUT32(00000001), ref: 0015F860
VariantCopy.OLEAUT32(0015FA64,00000000), ref: 0015F889
VariantClear.OLEAUT32(0015FA64), ref: 0015F8AD
VariantCopy.OLEAUT32(0015FA64,00000000), ref: 0015F8B1
VariantClear.OLEAUT32(?), ref: 0015F8BB

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 59866d0e7a473e51877730df1e09674d0ac520a5d98eba58aa354721f9f6a907
Instruction ID: 42be20c14a69f13b682d366c0b5664edfd48090bca7669474992c6bf8d0593be
Opcode Fuzzy Hash: 59866d0e7a473e51877730df1e09674d0ac520a5d98eba58aa354721f9f6a907
Instruction Fuzzy Hash: 1751E531600300FACF14AB65D895B29B3A8EF55316B24846FFC55DF291DBB08C8AC796

Function 0017910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00107620: _wcslen.LIBCMT ref: 00107625

Part of subcall function 00106B57: _wcslen.LIBCMT ref: 00106B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001794E5
_wcslen.LIBCMT ref: 00179506
_wcslen.LIBCMT ref: 0017952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00179585

Strings

X, xrefs: 00179412

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 7d695f7ba9029e75ea1410d3c69971f87a78191e47537ee3351e4d00f78a41a8
Instruction ID: 64818b621d64f071861cba6ea8c6dd50d19a23e20ca76e5d2753217ccfd46ade
Opcode Fuzzy Hash: 7d695f7ba9029e75ea1410d3c69971f87a78191e47537ee3351e4d00f78a41a8
Instruction Fuzzy Hash: DCE1B3316083508FD724DF24C881A6AB7F4FF99314F14896DF8899B2A2DB71ED45CB92

Function 0011920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00119BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00119BB2

BeginPaint.USER32(?,?,?), ref: 00119241
GetWindowRect.USER32(?,?), ref: 001192A5
ScreenToClient.USER32(?,?), ref: 001192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001192D3
EndPaint.USER32(?,?,?,?,?), ref: 00119321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001571EA

Part of subcall function 00119339: BeginPath.GDI32(00000000), ref: 00119357

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: c29073a596ff3679d1e46bfe1b53ccf4bdcb982dd9da0cae573a3bf997ff04ff
Instruction ID: 618996ed8e19320e50ea405f1284b6f49a9c151f1005902644f5243af1cc0eb6
Opcode Fuzzy Hash: c29073a596ff3679d1e46bfe1b53ccf4bdcb982dd9da0cae573a3bf997ff04ff
Instruction Fuzzy Hash: 0441BE70109200EFD714DF64DCA5FBA7BB8FB55325F04062AF9A48B2E1C7309885DBA1

Function 001707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0017080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00170847
EnterCriticalSection.KERNEL32(?), ref: 00170863
LeaveCriticalSection.KERNEL32(?), ref: 001708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00170921

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 0eda9829199c257cda3dd9588a17adc831e67de46696c8c358deaa1695c203d3
Instruction ID: 3f1e62a3168df0ce9860d220aa30f88368bc206b90c212188b7a2e03f611e504
Opcode Fuzzy Hash: 0eda9829199c257cda3dd9588a17adc831e67de46696c8c358deaa1695c203d3
Instruction Fuzzy Hash: B7414971A00205EFDF159F54DC85AAA77B8FF08310F1580B9ED049A29BD730EEA5DBA4

Function 001981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0015F3AB,00000000,?,?,00000000,?,0015682C,00000004,00000000,00000000), ref: 0019824C
EnableWindow.USER32(00000000,00000000), ref: 00198272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001982D1
ShowWindow.USER32(00000000,00000004), ref: 001982E5
EnableWindow.USER32(00000000,00000001), ref: 0019830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0019832F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 2c2d4578f7c4721b5934405b7f92ecbb61eae9b7069306c76fea9eefa643e176
Instruction ID: bdb6487ef08191b3d81662cdd145627cd5fdafe0f8508dc293ebd341f41bef70
Opcode Fuzzy Hash: 2c2d4578f7c4721b5934405b7f92ecbb61eae9b7069306c76fea9eefa643e176
Instruction Fuzzy Hash: F3416234602644BFDF25CF25D899BE47BF1FB4B714F1852AAE5484B6A3CB31A881CB50

Function 00164C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00164C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00164CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00164CEA
_wcslen.LIBCMT ref: 00164D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00164D10
_wcsstr.LIBVCRUNTIME ref: 00164D1A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: be5673cd03417a4e1aa9bcb07ed9fdfc30b60caeb07c38d001297624d342a943
Instruction ID: 00a80386b2030ca10908364a7425d25dc2cd62248c7cea44ea9dd3cb695b45f3
Opcode Fuzzy Hash: be5673cd03417a4e1aa9bcb07ed9fdfc30b60caeb07c38d001297624d342a943
Instruction Fuzzy Hash: 13213832605200BBEB195B79EC09EBF7BACDF65750F11803EF805CA291EB61CC91D2A0

Function 0017581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00103AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00103A97,?,?,00102E7F,?,?,?,00000000), ref: 00103AC2

_wcslen.LIBCMT ref: 0017587B
CoInitialize.OLE32(00000000), ref: 00175995
CoCreateInstance.OLE32(0019FCF8,00000000,00000001,0019FB68,?), ref: 001759AE
CoUninitialize.OLE32 ref: 001759CC

Strings

.lnk, xrefs: 00175876, 001758C1, 00175985

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 78244bff0bcc056e8d5a8c34e21dbe58a58dbaf382b0c88ecbd2952df4c9ffff
Instruction ID: c2975e7aa14ec8fffaa798db954b4c7b4c33f891244fb7006e81e18600e252f9
Opcode Fuzzy Hash: 78244bff0bcc056e8d5a8c34e21dbe58a58dbaf382b0c88ecbd2952df4c9ffff
Instruction Fuzzy Hash: 65D143716087019FC714DF24C480A2ABBF6EF99714F14885DF8899B3A1DBB1EC45CB92

Function 0016175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00160FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00160FCA
Part of subcall function 00160FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00160FD6
Part of subcall function 00160FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00160FE5
Part of subcall function 00160FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00160FEC
Part of subcall function 00160FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00161002

GetLengthSid.ADVAPI32(?,00000000,00161335), ref: 001617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001617BA
HeapAlloc.KERNEL32(00000000), ref: 001617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001617DA
GetProcessHeap.KERNEL32(00000000,00000000,00161335), ref: 001617EE
HeapFree.KERNEL32(00000000), ref: 001617F5

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: e2bb80738af8c6820c65f0bfdd7ad6260c403a638db120a096e6aeda4f403ca4
Instruction ID: 4b6f772365fc7c443f8244db46b93c54463c187cc6e8a3d64e9d028842ab5325
Opcode Fuzzy Hash: e2bb80738af8c6820c65f0bfdd7ad6260c403a638db120a096e6aeda4f403ca4
Instruction Fuzzy Hash: 4311BF32600205FFDB149FA4CC49FAF7BB9EF46355F184429F981A7210D736AA94CBA0

Function 001614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00161506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00161515
CloseHandle.KERNEL32(00000004), ref: 00161520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0016154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00161563

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b4e2b50ffec4c56571e75cb7a83feac8cec387f765a269579e41b75c3498caa4
Instruction ID: 2294340cba18a5afa100af76254284fdc2712c140cc35ea70bca10d9d8e8db8b
Opcode Fuzzy Hash: b4e2b50ffec4c56571e75cb7a83feac8cec387f765a269579e41b75c3498caa4
Instruction Fuzzy Hash: 5E112972505209BBDF118FA8EE49BDE7BA9EF49744F084015FA45A2060C3758EA0DBA1

Function 00123382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00123379,00122FE5), ref: 00123390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0012339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001233B7
SetLastError.KERNEL32(00000000,?,00123379,00122FE5), ref: 00123409

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 29dd6ff8a8b4d1efff3e922890ddab1b842be0b16347f4b385a49149f2135e65
Instruction ID: 18a86fa6da169860b690f1a5f47057abb6773e91bba7a05dd7ba24e533a64ec7
Opcode Fuzzy Hash: 29dd6ff8a8b4d1efff3e922890ddab1b842be0b16347f4b385a49149f2135e65
Instruction Fuzzy Hash: 09012432208331BFAA2937747C85A262E99FB25779720022AF430902F0EF198F725294

Function 00132D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00135686,00143CD6,?,00000000,?,00135B6A,?,?,?,?,?,0012E6D1,?,001C8A48), ref: 00132D78
_free.LIBCMT ref: 00132DAB
_free.LIBCMT ref: 00132DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0012E6D1,?,001C8A48,00000010,00104F4A,?,?,00000000,00143CD6), ref: 00132DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0012E6D1,?,001C8A48,00000010,00104F4A,?,?,00000000,00143CD6), ref: 00132DEC
_abort.LIBCMT ref: 00132DF2

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 21c02d9bd3dac6d664496df005bb1e7244f8cc79d86583985aed0fea61b5734e
Instruction ID: 7963e2f08ca5ab64d37d70fef0de824102d3af604c2d0b60475578ee006b53bb
Opcode Fuzzy Hash: 21c02d9bd3dac6d664496df005bb1e7244f8cc79d86583985aed0fea61b5734e
Instruction Fuzzy Hash: 00F0FC31505A106BC61237B5BC06F1F295ABFD17B1F250419F828D35D2EF34CD4252A0

Function 00198A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00119639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00119693
Part of subcall function 00119639: SelectObject.GDI32(?,00000000), ref: 001196A2
Part of subcall function 00119639: BeginPath.GDI32(?), ref: 001196B9
Part of subcall function 00119639: SelectObject.GDI32(?,00000000), ref: 001196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00198A4E
LineTo.GDI32(?,00000003,00000000), ref: 00198A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00198A70
LineTo.GDI32(?,00000000,00000003), ref: 00198A80
EndPath.GDI32(?), ref: 00198A90
StrokePath.GDI32(?), ref: 00198AA0

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 0b5f5171f7f6374e5997d26727257ceb667d3de8aabfd128b96ef78d25cd8aa8
Instruction ID: 3f41d2563b322144706870ac209f6193a693413d50d766fe5bb9cf5c3a8dbf08
Opcode Fuzzy Hash: 0b5f5171f7f6374e5997d26727257ceb667d3de8aabfd128b96ef78d25cd8aa8
Instruction Fuzzy Hash: D2111B7600010CFFDF129F90DC88EAA7F6DEB08354F048022FA599A5A1C771AD95DFA0

Function 001651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00165218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00165229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00165230
ReleaseDC.USER32(00000000,00000000), ref: 00165238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0016524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00165261

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 6214159adb2e6d8ded859c920d66f3b3294efcdda8bd5f9eba6ea455b1b5bc93
Instruction ID: eb48e789f44ac6ac49b968c0678c595b1135376c434820302d99e380f15161d2
Opcode Fuzzy Hash: 6214159adb2e6d8ded859c920d66f3b3294efcdda8bd5f9eba6ea455b1b5bc93
Instruction Fuzzy Hash: 5B014F75A00718FBEB109BA59C49A5EBFB9EB48751F044066FA44AB781D6709810CBA0

Function 00101BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00101BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00101BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00101C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00101C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00101C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00101C22

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 402d20ea0158288869406f553bc8c7f9ae66c23e9a7ae413d6dea2c1cdf10da7
Instruction ID: fb84176ac6bca13e35e7bdbb1887a5cd43b35494e0995bf78fe9f44bdef903e1
Opcode Fuzzy Hash: 402d20ea0158288869406f553bc8c7f9ae66c23e9a7ae413d6dea2c1cdf10da7
Instruction Fuzzy Hash: 2E016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 0016EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0016EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0016EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0016EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0016EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0016EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0016EB75

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 634fcdb0b34b757ea2dd7f4c37d915da3d7eb3acbb9da43c8262e538972f49ef
Instruction ID: 79d9f675efa417d8ba57e923bc701eddd2688cdd5a7f2ca8aaa96c71cbfe4ddf
Opcode Fuzzy Hash: 634fcdb0b34b757ea2dd7f4c37d915da3d7eb3acbb9da43c8262e538972f49ef
Instruction Fuzzy Hash: 9FF05E72640158BBE7215B629C0EEEF3E7CEFCAB11F00016AF641D1591E7A05A41CAF9

Function 00157439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00157452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00157469
GetWindowDC.USER32(?), ref: 00157475
GetPixel.GDI32(00000000,?,?), ref: 00157484
ReleaseDC.USER32(?,00000000), ref: 00157496
GetSysColor.USER32(00000005), ref: 001574B0

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 2966952aefe7cc1abe078d5ab8d69a4bc30680f4b33571dc68aa52bc9fffec41
Instruction ID: b9d8f49ef782bf36858b5bb6990169a5b371dfa2bc75a8314456f88966b6da63
Opcode Fuzzy Hash: 2966952aefe7cc1abe078d5ab8d69a4bc30680f4b33571dc68aa52bc9fffec41
Instruction Fuzzy Hash: 18018B31500205FFEB105FA4EC09BFABBB6FB04722F510061FD66A25A0CB311E81AB90

Function 00161874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0016187F
UnloadUserProfile.USERENV(?,?), ref: 0016188B
CloseHandle.KERNEL32(?), ref: 00161894
CloseHandle.KERNEL32(?), ref: 0016189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001618A5
HeapFree.KERNEL32(00000000), ref: 001618AC

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a4d3a1a581358b704ab0ae9fb29215451e7219fbc3a9aea4608bf6ca18d6dd54
Instruction ID: c3d939490e71aa1e311b61d3fc36d88bfd9d0d0d3c57671dc0c9572be2f733bd
Opcode Fuzzy Hash: a4d3a1a581358b704ab0ae9fb29215451e7219fbc3a9aea4608bf6ca18d6dd54
Instruction Fuzzy Hash: 98E0E536004101FBDB015FA1EE0C90ABF39FF49B22B108222F26581870CB3294A0DFA4

Function 0016C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00107620: _wcslen.LIBCMT ref: 00107625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0016C6EE
_wcslen.LIBCMT ref: 0016C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0016C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0016C7CA

Strings

0, xrefs: 0016C6AF

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: e9ace7d6f1d2008f261a5f473e559e81ef91f4ad23bf0010e1835dfbffb5fcf7
Instruction ID: 9e29928e8b293be2fe9ea1b467cc488c5e17fb778220c687753ae343e4f8eae9
Opcode Fuzzy Hash: e9ace7d6f1d2008f261a5f473e559e81ef91f4ad23bf0010e1835dfbffb5fcf7
Instruction Fuzzy Hash: C351CD72605301ABD7149F28CC85ABBB7E8AF59314F040A2EF9D5D32A0DB60D864CBD6

Function 0018AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0018AEA3

Part of subcall function 00107620: _wcslen.LIBCMT ref: 00107625

GetProcessId.KERNEL32(00000000), ref: 0018AF38
CloseHandle.KERNEL32(00000000), ref: 0018AF67

Strings

@, xrefs: 0018AE72
<, xrefs: 0018AE6B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: d6a4c0f2fea1e83eed93a738fba7d76809261aac2a5fa9cb54e79dc1d710d2d1
Instruction ID: 2d2bad3cf54457c3d49828d3df9e93817dbb03c6211b4b416a5a8aca865f64ac
Opcode Fuzzy Hash: d6a4c0f2fea1e83eed93a738fba7d76809261aac2a5fa9cb54e79dc1d710d2d1
Instruction Fuzzy Hash: 83714870A00615DFDB14EF64D494A9EBBF0BF08314F44849AE856AB392CB74EE81CF91

Function 0016719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00167206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0016723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0016724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001672CF

Strings

DllGetClassObject, xrefs: 00167242

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 2fefc9fd1132fb2e17bb7983ab8181f927f012027140f78b6da396d7e91bdf81
Instruction ID: 10daa558702d015dae4a2d536b1fe20fa3052e7b0329e6efecbedb10ac76ddb1
Opcode Fuzzy Hash: 2fefc9fd1132fb2e17bb7983ab8181f927f012027140f78b6da396d7e91bdf81
Instruction Fuzzy Hash: 4B418F72A04204EFDB15CF94CC94B9A7BA9EF44318F1580ADFD059F28AD7B0D955CBA0

Function 00193D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00193E35
IsMenu.USER32(?), ref: 00193E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00193E92
DrawMenuBar.USER32 ref: 00193EA5

Strings

0, xrefs: 00193D89

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 1134027e4ea10b624f7fb85db04eaa0a03ea28609dd2d50b14acb2c98d40e94d
Instruction ID: 11df2b591f7057cc980921b81c4e75b25cee3773c6216851b667f7e7bdc746f0
Opcode Fuzzy Hash: 1134027e4ea10b624f7fb85db04eaa0a03ea28609dd2d50b14acb2c98d40e94d
Instruction Fuzzy Hash: E6414775A01209AFDF14DF50D884AEABBB9FF49354F04412AE925A7650D730AE45CFA0

Function 00161DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

Part of subcall function 00163CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00163CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00161E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00161E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00161EA9

Part of subcall function 00106B57: _wcslen.LIBCMT ref: 00106B6A

Strings

ComboBox, xrefs: 00161DF0
ListBox, xrefs: 00161E25

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 41a36f8e5ae72468a823625b9965de1261376e67b09599a4f866b57defb52b86
Instruction ID: 9395e061cc3fb20e3f253ca4603d8fb73453727e40bbf2ecd1a76594c90946e3
Opcode Fuzzy Hash: 41a36f8e5ae72468a823625b9965de1261376e67b09599a4f866b57defb52b86
Instruction Fuzzy Hash: 7821AB72E00104BFDB08AB64DC45CFFBBB9DF61350F08402AF861A72E1DB758D5A9620

Function 0018C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0018C9F1
_wcslen.LIBCMT ref: 0018CA68
_wcslen.LIBCMT ref: 0018CA9E
_wcslen.LIBCMT ref: 0018CAF9
_wcslen.LIBCMT ref: 0018CB2F
_wcslen.LIBCMT ref: 0018CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0018CA62, 0018CA67
HKLM, xrefs: 0018CA98, 0018CA9D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: c77068fed9b6768f1836365f92ebd92358d7cf042c5c179fa3708fbff7200cf2
Instruction ID: 82f778a531c5b2e8af3c1bf7423570133797a7650aeaabe14b5f3a7c4adc85b8
Opcode Fuzzy Hash: c77068fed9b6768f1836365f92ebd92358d7cf042c5c179fa3708fbff7200cf2
Instruction Fuzzy Hash: 0C31F532A0056A4BCB28FE6C99405BF33919BB1754B05402AF851AB385F7B1CF80DBF0

Function 00192F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00192F8D
LoadLibraryW.KERNEL32(?), ref: 00192F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00192FA9
DestroyWindow.USER32(?), ref: 00192FB1

Strings

SysAnimate32, xrefs: 00192F68

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 998429b8bbda803ad14d43566315d26533534d495a8221f637ddd654914e0210
Instruction ID: d0621ea82f171868e8042641d20c7ce2aa9319e51fc30b899b340f087b2e5761
Opcode Fuzzy Hash: 998429b8bbda803ad14d43566315d26533534d495a8221f637ddd654914e0210
Instruction Fuzzy Hash: F221A972600209BBEF108FA4DC80EBB77B9EB69364F100629FA54D21A0D771DC919BA0

Function 00124D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00124D1E,001328E9,?,00124CBE,001328E9,001C88B8,0000000C,00124E15,001328E9,00000002), ref: 00124D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00124DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00124D1E,001328E9,?,00124CBE,001328E9,001C88B8,0000000C,00124E15,001328E9,00000002,00000000), ref: 00124DC3

Strings

mscoree.dll, xrefs: 00124D86
CorExitProcess, xrefs: 00124D98

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b8f9a5aa5c4b50d63de71378eeb246a65a8eb043182a3b63e2c48f71f3e02a18
Instruction ID: d91187b0c6e63257b56ba50781dec4f953930f426fe5f3ba560ec0fb285815d2
Opcode Fuzzy Hash: b8f9a5aa5c4b50d63de71378eeb246a65a8eb043182a3b63e2c48f71f3e02a18
Instruction Fuzzy Hash: C3F03C35A40218ABDB119B94EC49BEDBBA5EB58751F4001A9F849A2660DB309E90CAD4

Function 0015D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0015D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0015D3BF
FreeLibrary.KERNEL32(00000000), ref: 0015D3E5

Strings

X64, xrefs: 0015D2A8
GetSystemWow64DirectoryW, xrefs: 0015D3B9

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 922fd005f8e09ae59c2ece17d90c5becf51d470d851ffaf4225e924bf6b70895
Instruction ID: a824ccf727b1203f61020958e305f503d5f5f693b10291a9b9f3ea5cbdaabbbb
Opcode Fuzzy Hash: 922fd005f8e09ae59c2ece17d90c5becf51d470d851ffaf4225e924bf6b70895
Instruction Fuzzy Hash: 27F02771405621EBD7795720AC089997210BF10703F52416AFC52FA110DB60CDC88BC6

Function 00104E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00104EDD,?,001D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00104E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00104EAE
FreeLibrary.KERNEL32(00000000,?,?,00104EDD,?,001D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00104EC0

Strings

kernel32.dll, xrefs: 00104E94
Wow64DisableWow64FsRedirection, xrefs: 00104EA8

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: afb7676c88c28d34a3a2266a8db7216fb1b9982f4e7c298b83b4aa0bd9aa13be
Instruction ID: e1b1396891f336f22f69090ca89feb757565df3bfbc5720c5809c9bdca710f22
Opcode Fuzzy Hash: afb7676c88c28d34a3a2266a8db7216fb1b9982f4e7c298b83b4aa0bd9aa13be
Instruction Fuzzy Hash: 75E0CD35A015229BD2311725FC18B9F7554AF81F627050126FD85D3550DBA4CD4244F8

Function 00104E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00143CDE,?,001D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00104E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00104E74
FreeLibrary.KERNEL32(00000000,?,?,00143CDE,?,001D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00104E87

Strings

kernel32.dll, xrefs: 00104E5B
Wow64RevertWow64FsRedirection, xrefs: 00104E6E

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 2d668b733f1166d7195d5dd3c37b4139c0be528b1e44bc0a03d1276658f202aa
Instruction ID: 72a44a6768976f5a35d32d3ea4c9e564a2ce1283da49b58872547fc14743546d
Opcode Fuzzy Hash: 2d668b733f1166d7195d5dd3c37b4139c0be528b1e44bc0a03d1276658f202aa
Instruction Fuzzy Hash: C2D05B3550263197EA321B25FC1CECF7A18AF85F51345453AFA89E3194CFA5CD41C5D4

Function 00172947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00172C05
DeleteFileW.KERNEL32(?), ref: 00172C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00172C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00172CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00172CC0

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 80d809398c9d87504234baa8710adc85c2394a5fd80dfa9909c5a6a61d8cd375
Instruction ID: 7ba31b5f0a0f76422c48a8dec6ef19b085373ac01c93b3a1595861b67f5e4f7d
Opcode Fuzzy Hash: 80d809398c9d87504234baa8710adc85c2394a5fd80dfa9909c5a6a61d8cd375
Instruction Fuzzy Hash: 44B15E71900129ABDF25DBA4CC85EDFB7BDEF59350F1080AAF509E7141EB309A858F61

Function 0018A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0018A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0018A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0018A468
CloseHandle.KERNEL32(?), ref: 0018A63D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 330d5e61031285a8fe6b7a1e236b24fcc792210b737015dc986df12138f882f5
Instruction ID: c4362dad9edf349656008a34564bb4eb48c6d96d7e5954df60c5cb44c0687f78
Opcode Fuzzy Hash: 330d5e61031285a8fe6b7a1e236b24fcc792210b737015dc986df12138f882f5
Instruction Fuzzy Hash: FAA1C4716043019FE720EF18D886F2AB7E1AF98714F54881DF5999B2D2DBB0ED418F92

Function 0016E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0016DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0016CF22,?), ref: 0016DDFD

Part of subcall function 0016DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0016CF22,?), ref: 0016DE16

Part of subcall function 0016E199: GetFileAttributesW.KERNEL32(?,0016CF95), ref: 0016E19A

lstrcmpiW.KERNEL32(?,?), ref: 0016E473
MoveFileW.KERNEL32(?,?), ref: 0016E4AC
_wcslen.LIBCMT ref: 0016E5EB
_wcslen.LIBCMT ref: 0016E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0016E650

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 19ef4319e8a952a779867eb56b8379b1815571d31c780ef8454eb0877a0c8572
Instruction ID: ea86dca1bb5b29cf51f4bc16ab026391c9a8b5cde305c52dd7b0e807e9a971e4
Opcode Fuzzy Hash: 19ef4319e8a952a779867eb56b8379b1815571d31c780ef8454eb0877a0c8572
Instruction Fuzzy Hash: 275194B24083849BC724EBA0DC919DF73ECAF94340F00491EF689D3191EF74A698C76A

Function 0018B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

Part of subcall function 0018C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0018B6AE,?,?), ref: 0018C9B5
Part of subcall function 0018C998: _wcslen.LIBCMT ref: 0018C9F1
Part of subcall function 0018C998: _wcslen.LIBCMT ref: 0018CA68
Part of subcall function 0018C998: _wcslen.LIBCMT ref: 0018CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0018BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0018BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0018BB63
RegCloseKey.ADVAPI32(?,?), ref: 0018BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0018BBB3

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ba75ea690e6b2361c813f1209683398742a2e6f17d6b51a95212aa2e5d8e815f
Instruction ID: 47034c61785bb411bb6d0dad1c84c9b851aa6f4f8e0ef95fe525c65d5530bbcc
Opcode Fuzzy Hash: ba75ea690e6b2361c813f1209683398742a2e6f17d6b51a95212aa2e5d8e815f
Instruction Fuzzy Hash: A0613B31208241AFD718EF14C4D1E2ABBE5BF84308F54855DF4998B2A2DB71EE45CB92

Function 00168BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00168BCD
VariantClear.OLEAUT32 ref: 00168C3E
VariantClear.OLEAUT32 ref: 00168C9D
VariantClear.OLEAUT32(?), ref: 00168D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00168D3B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c2484e36508102137d50bddde4847a65b609fde02e05ea5a8a3b899a12e73aa8
Instruction ID: 76a323aee5fb3196969c65a1a6a6081f65d1c58e4908880ad861aa5b353dc80e
Opcode Fuzzy Hash: c2484e36508102137d50bddde4847a65b609fde02e05ea5a8a3b899a12e73aa8
Instruction Fuzzy Hash: C0516BB5A00219EFCB14CF68C894AAAB7F8FF89310B158559F945DB350E730E921CFA0

Function 00178AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00178BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00178BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00178C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00178C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00178C5F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: a65c3d34dcbff8fe62a07ee940857ed37f8ea41b8b8106afc14347a5b17734df
Instruction ID: 5967196b0e1024340846b05b2338ed385be6b02465bde6716de5d71b2099aaf2
Opcode Fuzzy Hash: a65c3d34dcbff8fe62a07ee940857ed37f8ea41b8b8106afc14347a5b17734df
Instruction Fuzzy Hash: 93515A35A002159FCB05DF64C885AAEBBF5FF48314F08C459E849AB3A2CB71ED81CB90

Function 00188EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00188F40
GetProcAddress.KERNEL32(00000000,?), ref: 00188FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00188FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00189032
FreeLibrary.KERNEL32(00000000), ref: 00189052

Part of subcall function 0011F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00171043,?,753CE610), ref: 0011F6E6
Part of subcall function 0011F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0015FA64,00000000,00000000,?,?,00171043,?,753CE610,?,0015FA64), ref: 0011F70D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 9d74a930d9d176936141c5633f035013d79fc01e254f92a3a790159d388386d4
Instruction ID: 781746ae2a0a92d31aa4d0355b3d93e10a05644df7c5c8dad408c4afa8321eb6
Opcode Fuzzy Hash: 9d74a930d9d176936141c5633f035013d79fc01e254f92a3a790159d388386d4
Instruction Fuzzy Hash: FB516D34604205DFC715EF58C4948ADBBF1FF59314B4980A9E94AAB3A2DB31EE85CF90

Function 00196B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00196C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00196C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00196C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0017AB79,00000000,00000000), ref: 00196C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00196CC7

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: dde946ed4beaf067a03995c20da6092574f2dcf588e12ff5ec425ac151ca4672
Instruction ID: 63f7c9ed2cad1f88750965021e864ae34e2c94afc6598cc40405524a0474dc38
Opcode Fuzzy Hash: dde946ed4beaf067a03995c20da6092574f2dcf588e12ff5ec425ac151ca4672
Instruction Fuzzy Hash: 9441B235A04104BFDF28DF68CD58FA97BA5EB0A350F150269F899A72E0D371ED41DAA0

Function 00132051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001320C3
_free.LIBCMT ref: 001320E3

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b91f746966ff981bc4312f5b52ddccd77ba35357dc56d7f2f5ac8db999ea6612
Instruction ID: daec6f6c9aa95eca9c2a5f079c7f5dbf1fff406d97fc5912b006c79a191f33fb
Opcode Fuzzy Hash: b91f746966ff981bc4312f5b52ddccd77ba35357dc56d7f2f5ac8db999ea6612
Instruction Fuzzy Hash: 5941D336A00210AFCB24EF78C981A9EB7F5EF89714F1545A8E515EB351D731ED01CB80

Function 0011912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00119141
ScreenToClient.USER32(00000000,?), ref: 0011915E
GetAsyncKeyState.USER32(00000001), ref: 00119183
GetAsyncKeyState.USER32(00000002), ref: 0011919D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 1e69ca1d122a3917e70d09c04117c8406e1de1217b9e3e42c6ac5aa8b1ed94ba
Instruction ID: b9799cc048e580c8cfc153153f9e33ac1647347babe97b954b29946e8771c11e
Opcode Fuzzy Hash: 1e69ca1d122a3917e70d09c04117c8406e1de1217b9e3e42c6ac5aa8b1ed94ba
Instruction Fuzzy Hash: 65414071A0851AFBDF199F64D899BEEB774FB05334F204225E835A72D0C7306994CB91

Function 00173874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00173922
TranslateMessage.USER32(?), ref: 0017394B
DispatchMessageW.USER32(?), ref: 00173955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00173966

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: de30a39fcfd988ee1315aad7840b86861c370e637b51cc61e5996ce6fe6d759a
Instruction ID: 4207045febc26c9f21af6c6e5783e342f55db824fa90253b8a0bc78583272523
Opcode Fuzzy Hash: de30a39fcfd988ee1315aad7840b86861c370e637b51cc61e5996ce6fe6d759a
Instruction Fuzzy Hash: EF31E970506341BEEB39CB74D848BB637B8AB15308F04856EE57A825E0E3B49AC5EB51

Function 0017CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0017C21E,00000000), ref: 0017CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0017CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0017C21E,00000000), ref: 0017CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0017C21E,00000000), ref: 0017CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0017C21E,00000000), ref: 0017CFF2

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 9c6782fb8e3614efb579296bb59a88c52ce31b5cf931831220fb055a01d45769
Instruction ID: 0438e748e5e129c9e22b949ebf2983c8d7b903103da9a340ba52b2226bf43b72
Opcode Fuzzy Hash: 9c6782fb8e3614efb579296bb59a88c52ce31b5cf931831220fb055a01d45769
Instruction Fuzzy Hash: 72315C71600605EFDB24DFA5D884AABBBF9EF14350B10842EF55AD2141DB30AE81DBA0

Function 00161901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00161915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001619E2

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: d91406728c8f23a6ee38f45f08a69f17740c29baaba3eb1bb808b7092df3a78e
Instruction ID: c7148cd92f4a1a7e4983af56eefffbf7749d6be83f772d47010865757bfbd71a
Opcode Fuzzy Hash: d91406728c8f23a6ee38f45f08a69f17740c29baaba3eb1bb808b7092df3a78e
Instruction Fuzzy Hash: 3431A072A00219FFCB04CFA8CD99AEE7BB5EB45319F144229F961A72D1C7709954CB90

Function 00195706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00195745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0019579D
_wcslen.LIBCMT ref: 001957AF
_wcslen.LIBCMT ref: 001957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00195816

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 33f54ce355d303f6eb5e42186efc02bf01688a49da2ca0b255e00cd3dc5a1814
Instruction ID: e71bb49e94dd91039fcc5625c4e78d64f856c325223eb10887062a8bf07e61b6
Opcode Fuzzy Hash: 33f54ce355d303f6eb5e42186efc02bf01688a49da2ca0b255e00cd3dc5a1814
Instruction Fuzzy Hash: F9218271904618AADF219FA0DC85AEE7BB9FF14724F108216E929FB180E7708AC5CF50

Function 00180930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00180951
GetForegroundWindow.USER32 ref: 00180968
GetDC.USER32(00000000), ref: 001809A4
GetPixel.GDI32(00000000,?,00000003), ref: 001809B0
ReleaseDC.USER32(00000000,00000003), ref: 001809E8

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 25e4555c1e6ba8dc186380b4b10caf27369bacaeec204fe16a047fd90d67d566
Instruction ID: 886edbe4e0d5682a9b3b04f33e1dadd3397c366b3b55ad605d4dabd565416bac
Opcode Fuzzy Hash: 25e4555c1e6ba8dc186380b4b10caf27369bacaeec204fe16a047fd90d67d566
Instruction Fuzzy Hash: 32218135A00204AFD714EF69DC84AAEBBF5EF58704F048069E89AD7762DB70AD44CB90

Function 0013CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0013CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0013CDE9

Part of subcall function 00133820: RtlAllocateHeap.NTDLL(00000000,?,001D1444,?,0011FDF5,?,?,0010A976,00000010,001D1440,001013FC,?,001013C6,?,00101129), ref: 00133852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0013CE0F
_free.LIBCMT ref: 0013CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0013CE31

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0d1f0efc34f248de617559c055779e1f0788d2fe8c0d57e51c3d5ece125714aa
Instruction ID: 742f85ac22ec27e4d3339845c2297d4954e4f2d0319bd910d58bfc73f764652d
Opcode Fuzzy Hash: 0d1f0efc34f248de617559c055779e1f0788d2fe8c0d57e51c3d5ece125714aa
Instruction Fuzzy Hash: 4001A7726012257FA72126BA6C8CD7B7D6DEFC6BA1B15013AFD05E7201EB618D0193F4

Function 00119639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00119693
SelectObject.GDI32(?,00000000), ref: 001196A2
BeginPath.GDI32(?), ref: 001196B9
SelectObject.GDI32(?,00000000), ref: 001196E2

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 06a2f2b4e0f5d908eead65466b5347051e79ace45894e5cfb34534c53ab50881
Instruction ID: 84ada0520a9b82ef5a0eb505d9a6ecdae6a41885775bcab52852315837dbab90
Opcode Fuzzy Hash: 06a2f2b4e0f5d908eead65466b5347051e79ace45894e5cfb34534c53ab50881
Instruction Fuzzy Hash: DA217C70903305FBDB199F64EC297E93BA9BB1036AF100227F820A65B1D37098D5CBA4

Function 00165711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00165726
_memcmp.LIBVCRUNTIME ref: 00165744
_memcmp.LIBVCRUNTIME ref: 00165757
_memcmp.LIBVCRUNTIME ref: 0016576F
_memcmp.LIBVCRUNTIME ref: 00165787

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6ed1d9bbbb2fa8839aae42980c425c0cefed934109e6320d60522274f04d0acd
Instruction ID: a44db0a7e2443c7005dd961e1eaba33a8ae5f8f73d090337431d28d645c151ed
Opcode Fuzzy Hash: 6ed1d9bbbb2fa8839aae42980c425c0cefed934109e6320d60522274f04d0acd
Instruction Fuzzy Hash: FC01B571641619BBD708D510AD82FBB735FAB313B4F804024FD05AA642F761ED3182E0

Function 00132DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0012F2DE,00133863,001D1444,?,0011FDF5,?,?,0010A976,00000010,001D1440,001013FC,?,001013C6), ref: 00132DFD
_free.LIBCMT ref: 00132E32
_free.LIBCMT ref: 00132E59
SetLastError.KERNEL32(00000000,00101129), ref: 00132E66
SetLastError.KERNEL32(00000000,00101129), ref: 00132E6F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 5869c312a08bdf7c6bbd64ea3514849b4862f043ebc655227c1d879e0144f0e4
Instruction ID: 14c650de569c8c0cf7b9d0c83c154e05dc0ceeefb1eccec28bb8ce5a894a7870
Opcode Fuzzy Hash: 5869c312a08bdf7c6bbd64ea3514849b4862f043ebc655227c1d879e0144f0e4
Instruction Fuzzy Hash: 0E0128322056006BCA2277B57C47E2B2A5EABE53B5F250039F425A32D2EF70CC4151A0

Function 0016000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0015FF41,80070057,?,?,?,0016035E), ref: 0016002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0015FF41,80070057,?,?), ref: 00160046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0015FF41,80070057,?,?), ref: 00160054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0015FF41,80070057,?), ref: 00160064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0015FF41,80070057,?,?), ref: 00160070

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 73c3140d85f766099145dccf3dabee34c81e514c5b46e138d1043c5e29866a4c
Instruction ID: 355f756f004cc8dcc3c635c05bbb853a4b4d4c869e5149ca9b18c1a2576c960e
Opcode Fuzzy Hash: 73c3140d85f766099145dccf3dabee34c81e514c5b46e138d1043c5e29866a4c
Instruction Fuzzy Hash: F101AD72600214BFDB124F68DC08BABBAEDEF48792F244129F945D2210E7B1DD908BA0

Function 0016E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0016E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0016E9A5
Sleep.KERNEL32(00000000), ref: 0016E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0016E9B7
Sleep.KERNEL32 ref: 0016E9F3

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 208257dbfcfa8dc930e85066f8aba041a8eb1b919ff492e601e77326925acd86
Instruction ID: eef561912ecbe589521311deba55ddc6092b45595d66bfbc730f8ffcee395b99
Opcode Fuzzy Hash: 208257dbfcfa8dc930e85066f8aba041a8eb1b919ff492e601e77326925acd86
Instruction Fuzzy Hash: B5018C35C0162DDBCF00AFE8DC59AEDBBB8FF08704F010656E942B2240CB3095A0CBA5

Function 001610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00161114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00160B9B,?,?,?), ref: 00161120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00160B9B,?,?,?), ref: 0016112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00160B9B,?,?,?), ref: 00161136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0016114D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 09aa3b0879cb3f2e7113a972162385b852c481d3a3bff0115fb014094050cb60
Instruction ID: d66802a31623c42d90917bf86f1258c29d6e12dba87df0855e0254f83ac692d8
Opcode Fuzzy Hash: 09aa3b0879cb3f2e7113a972162385b852c481d3a3bff0115fb014094050cb60
Instruction Fuzzy Hash: C3018179100205BFDB114FA4DC49E6A3F6EEF86360B544426FA81C3360DB31DC508AA0

Function 00160FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00160FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00160FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00160FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00160FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00161002

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8c87458094c8e2230f2fac99724096d7dc594a7bb46886074d5bcc710bb493b4
Instruction ID: 7a8f720a204cf4874c38ef8a8c40d454270e2d615dc22a82a656ede7f5f38c15
Opcode Fuzzy Hash: 8c87458094c8e2230f2fac99724096d7dc594a7bb46886074d5bcc710bb493b4
Instruction Fuzzy Hash: 87F04939200301FBDB214FA49C49F5A3BADEF89762F644426FA85C6261CA70DC90CAB0

Function 00161014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0016102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00161036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00161045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0016104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00161062

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 68676591ee81aa8716ddcad6e37eabbee4adea28417e387df4efe631db94420b
Instruction ID: 9329b27bf69bb11daa362ad6167c2f7df083a5e362ab111f7f7dc114afa2a71c
Opcode Fuzzy Hash: 68676591ee81aa8716ddcad6e37eabbee4adea28417e387df4efe631db94420b
Instruction Fuzzy Hash: 79F06239100311FBDB215FA4EC49F563B6DFF89761F240415F985C7260CB70D9908AB0

Function 0017030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0017017D,?,001732FC,?,00000001,00142592,?), ref: 00170324
CloseHandle.KERNEL32(?,?,?,?,0017017D,?,001732FC,?,00000001,00142592,?), ref: 00170331
CloseHandle.KERNEL32(?,?,?,?,0017017D,?,001732FC,?,00000001,00142592,?), ref: 0017033E
CloseHandle.KERNEL32(?,?,?,?,0017017D,?,001732FC,?,00000001,00142592,?), ref: 0017034B
CloseHandle.KERNEL32(?,?,?,?,0017017D,?,001732FC,?,00000001,00142592,?), ref: 00170358
CloseHandle.KERNEL32(?,?,?,?,0017017D,?,001732FC,?,00000001,00142592,?), ref: 00170365

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: df73b691840f989c44b57530eee06c1c23c229c03986c23310a2ca65dfe79ce0
Instruction ID: 44ea69446641afa6c2361a596c36ff62069f1cd93833c50e91f57ea09a94bde5
Opcode Fuzzy Hash: df73b691840f989c44b57530eee06c1c23c229c03986c23310a2ca65dfe79ce0
Instruction Fuzzy Hash: 68019C72800B15DFCB31AF66D880812FBF9BF643153158A3FD1AA52931C3B1A998CE80

Function 0013D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0013D752

Part of subcall function 001329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0013D7D1,00000000,00000000,00000000,00000000,?,0013D7F8,00000000,00000007,00000000,?,0013DBF5,00000000), ref: 001329DE
Part of subcall function 001329C8: GetLastError.KERNEL32(00000000,?,0013D7D1,00000000,00000000,00000000,00000000,?,0013D7F8,00000000,00000007,00000000,?,0013DBF5,00000000,00000000), ref: 001329F0

_free.LIBCMT ref: 0013D764
_free.LIBCMT ref: 0013D776
_free.LIBCMT ref: 0013D788
_free.LIBCMT ref: 0013D79A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fb40d32ae985d7b0e6cade275e3195ebe3ce549c2505abe1760ebe2919e2f1b0
Instruction ID: 84dcc1192ca76c19d9218c70080fb0bdba584b5fecf45fadb7e46f5307b5c6f8
Opcode Fuzzy Hash: fb40d32ae985d7b0e6cade275e3195ebe3ce549c2505abe1760ebe2919e2f1b0
Instruction Fuzzy Hash: 17F01272544225ABCA21FB64F9C6D1A7BDEBB54718F950845F148D7901C730FC8087A4

Function 00165C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00165C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00165C6F
MessageBeep.USER32(00000000), ref: 00165C87
KillTimer.USER32(?,0000040A), ref: 00165CA3
EndDialog.USER32(?,00000001), ref: 00165CBD

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: dbe5323a26977c3ef58ff840b140d092bfc011f1d2cc6aeff9a06621bed2fa0c
Instruction ID: 9ee52d3c4d42844f28764698a17fea92321715813c1ec3e63781543d20f2c3e2
Opcode Fuzzy Hash: dbe5323a26977c3ef58ff840b140d092bfc011f1d2cc6aeff9a06621bed2fa0c
Instruction Fuzzy Hash: 90018130500B04AFEB245B10DD4EFA67BBDBB00B05F01055AA5C3A15E1DBF0A9948B90

Function 001322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001322BE

Part of subcall function 001329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0013D7D1,00000000,00000000,00000000,00000000,?,0013D7F8,00000000,00000007,00000000,?,0013DBF5,00000000), ref: 001329DE
Part of subcall function 001329C8: GetLastError.KERNEL32(00000000,?,0013D7D1,00000000,00000000,00000000,00000000,?,0013D7F8,00000000,00000007,00000000,?,0013DBF5,00000000,00000000), ref: 001329F0

_free.LIBCMT ref: 001322D0
_free.LIBCMT ref: 001322E3
_free.LIBCMT ref: 001322F4
_free.LIBCMT ref: 00132305

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 38329dd02b1b6633db3dfc183e03762eb866e95d3ad1b497ca424d693f2c3af3
Instruction ID: 60d820f99ee4a5fa21895ad3c8e864fb00afcdae742d16bc84bda0e707b42c13
Opcode Fuzzy Hash: 38329dd02b1b6633db3dfc183e03762eb866e95d3ad1b497ca424d693f2c3af3
Instruction Fuzzy Hash: 26F0B775803130ABCA12BF94BC01A493B65F728B65F25054BF414D7AB1C7314D92AFE4

Function 001195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001195D4
StrokeAndFillPath.GDI32(?,?,001571F7,00000000,?,?,?), ref: 001195F0
SelectObject.GDI32(?,00000000), ref: 00119603
DeleteObject.GDI32 ref: 00119616
StrokePath.GDI32(?), ref: 00119631

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: a3b8c4b4d881387fc999908f7f765d1c2be173a07a3b617f51e7f8c76423e5bc
Instruction ID: b60844387884227480730446e0d26d57e1f03d23b2d8d931c47d33ca70504407
Opcode Fuzzy Hash: a3b8c4b4d881387fc999908f7f765d1c2be173a07a3b617f51e7f8c76423e5bc
Instruction Fuzzy Hash: 32F0E735007308FBDB2A5F69ED2CBA83B65AB0132AF048226F4A5658F1C73089D5DF74

Function 00130F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001310F9
__freea.LIBCMT ref: 00131117

Part of subcall function 00131537: _free.LIBCMT ref: 0013154F

Strings

am/pm, xrefs: 0013117A
a/p, xrefs: 001311DE

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: adcfe86e1575a3332828a900fa3a0522aefe987a6de603d56822d175ebfa1568
Instruction ID: 1ea3fe5af70996071abcdfc3de5e72587710e63d2ef91f26dbd4f6154e9b18ef
Opcode Fuzzy Hash: adcfe86e1575a3332828a900fa3a0522aefe987a6de603d56822d175ebfa1568
Instruction Fuzzy Hash: 42D13531900206FBDB289F68C895BFFB7B1FF06320F294159E901ABA51D3759D80CB91

Function 00187B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00120242: EnterCriticalSection.KERNEL32(001D070C,001D1884,?,?,0011198B,001D2518,?,?,?,001012F9,00000000), ref: 0012024D
Part of subcall function 00120242: LeaveCriticalSection.KERNEL32(001D070C,?,0011198B,001D2518,?,?,?,001012F9,00000000), ref: 0012028A

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

Part of subcall function 001200A3: __onexit.LIBCMT ref: 001200A9

__Init_thread_footer.LIBCMT ref: 00187BFB

Part of subcall function 001201F8: EnterCriticalSection.KERNEL32(001D070C,?,?,00118747,001D2514), ref: 00120202
Part of subcall function 001201F8: LeaveCriticalSection.KERNEL32(001D070C,?,00118747,001D2514), ref: 00120235

Strings

G, xrefs: 00187C7F
Variable must be of type 'Object'., xrefs: 00187C3A
5, xrefs: 00187C78

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 98032c9d55b1e658cab2130a8dc342190f194c6cef9f4aaa51885916818f5c96
Instruction ID: 2f852b257022c9b51218538665fce6005a5a9424f9659af952bfc408a50b2655
Opcode Fuzzy Hash: 98032c9d55b1e658cab2130a8dc342190f194c6cef9f4aaa51885916818f5c96
Instruction Fuzzy Hash: 3E916870A04209EFCB04EF94D9919ADB7B2FF59300F248159F856AB292DB71EE41CF51

Function 00162716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0016B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001621D0,?,?,00000034,00000800,?,00000034), ref: 0016B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00162760

Part of subcall function 0016B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0016B3F8

Part of subcall function 0016B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0016B355
Part of subcall function 0016B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00162194,00000034,?,?,00001004,00000000,00000000), ref: 0016B365
Part of subcall function 0016B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00162194,00000034,?,?,00001004,00000000,00000000), ref: 0016B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0016281A

Strings

@, xrefs: 00162832

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ce7a008c6d308a606afac6a8339c21acd85018a2fb8243eeb3092a09a8c3355f
Instruction ID: 6e4faab18237cd0aa59217ca742ffebe91727d08cb1f3459228194b17d412590
Opcode Fuzzy Hash: ce7a008c6d308a606afac6a8339c21acd85018a2fb8243eeb3092a09a8c3355f
Instruction Fuzzy Hash: 11411C72900218AFDB10DFA4CD86EEEBBB8AF19700F108055FA55B7181DB706E95CBA1

Function 0013172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe,00000104), ref: 00131769
_free.LIBCMT ref: 00131834
_free.LIBCMT ref: 0013183E

Strings

C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe, xrefs: 00131760, 00131767, 00131796, 001317CE

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Termination_List_November_2024_pdf.exe
API String ID: 2506810119-962016276
Opcode ID: 91b109ce1b92fd1414550c4cc25ee5f77769569f9ce373a3eb2b37fcc832e240
Instruction ID: eaaaff77d58422217d36a5d9b315e7b1d965a55a29d78094539d96f3ac40c706
Opcode Fuzzy Hash: 91b109ce1b92fd1414550c4cc25ee5f77769569f9ce373a3eb2b37fcc832e240
Instruction Fuzzy Hash: 9F315D75A41218FBDB21DB999C85D9EBBFCEB95310F2441ABF804A7211D7708E81CBA4

Function 0016C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0016C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0016C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,001D1990,016C5888), ref: 0016C395

Strings

0, xrefs: 0016C2DF

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1cc6a52ae676a958fbabb7a12e0b808f76759d6194c31128f1bcfd771aeaa5fe
Instruction ID: c2d444af4bef493a49678529c593ac4d389d665bd13a9cf7fc5daee3e77e570c
Opcode Fuzzy Hash: 1cc6a52ae676a958fbabb7a12e0b808f76759d6194c31128f1bcfd771aeaa5fe
Instruction Fuzzy Hash: 9B418C312043019FD724DF29DC84B6ABBE8BB95320F148A1EF9A5973D1D770E914CBA2

Function 00194416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0019CC08,00000000,?,?,?,?), ref: 001944AA
GetWindowLongW.USER32 ref: 001944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001944D7

Strings

SysTreeView32, xrefs: 0019447C

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: f788eff8a6ea5bc7f5ddd6325cbaecc1b0f08de88e42556a10ea2446e108d90f
Instruction ID: f571a25d1f652c0054131d39182472bdd98403d3a6480cb6fa2b94135d11c0f7
Opcode Fuzzy Hash: f788eff8a6ea5bc7f5ddd6325cbaecc1b0f08de88e42556a10ea2446e108d90f
Instruction Fuzzy Hash: 5A317C31210205AFEF249E78DC45FEA7BA9EB08324F214725F979931D0D770EC919B90

Function 0018304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0018335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00183077,?,?), ref: 00183378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0018307A
_wcslen.LIBCMT ref: 0018309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00183106

Strings

255.255.255.255, xrefs: 00183095, 0018309A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 4eb1f09b6bd2c2aa413668ccc436dae03c604035e9ef6bb635e2188e3c769b05
Instruction ID: ba1dc93bb565d047b673d4ec93a76f359e00451e36a4c6420ff1fac711fc034b
Opcode Fuzzy Hash: 4eb1f09b6bd2c2aa413668ccc436dae03c604035e9ef6bb635e2188e3c769b05
Instruction Fuzzy Hash: 0231E435604205DFCB10EF28C585EAA77E0EF54B18F298059E9268F792DB72EF41CB60

Function 00193EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00193F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00193F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00193F78

Strings

SysMonthCal32, xrefs: 00193F0B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 421f5760e8f9462d44298df6b8eed6004be9169c9ebb9ee27d0e327ab9f510ea
Instruction ID: 81e2c718dde2937d6b5fd28f6c8ba29fe155e9e0c6641e7280075bacc06b1542
Opcode Fuzzy Hash: 421f5760e8f9462d44298df6b8eed6004be9169c9ebb9ee27d0e327ab9f510ea
Instruction Fuzzy Hash: A9219C32600219BFDF258F90CC46FEA3B79EB48714F110215FA656B1D0D7B1A9908BA0

Function 00194653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00194705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00194713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0019471A

Strings

msctls_updown32, xrefs: 00194684

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: ae2e0ac9b5b2fd3fb89ef18de7b39de3be17c28506dcea190336edcf91a2068c
Instruction ID: 4f426dfd11633c730f276acb08838dd9771b4ca432ffee213175f9997a39be56
Opcode Fuzzy Hash: ae2e0ac9b5b2fd3fb89ef18de7b39de3be17c28506dcea190336edcf91a2068c
Instruction Fuzzy Hash: 0D215EB5601208BFDB14DF64DCD1DBB37ADEB5A398B040059FA009B291DB70EC52CA60

Function 001695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0016961D

Strings

#requireadmin, xrefs: 001695D9
#notrayicon, xrefs: 001695B7
#OnAutoItStartRegister, xrefs: 001695F3

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: eb141d13b87529b902a5fe4b17c45049e3be81c1371f1d83d4b24668336b7a3c
Instruction ID: 96d0db688aa8384387c6da4d248b91eadd48e87fc9f78a1d96a0612be0e08f08
Opcode Fuzzy Hash: eb141d13b87529b902a5fe4b17c45049e3be81c1371f1d83d4b24668336b7a3c
Instruction Fuzzy Hash: 20216A7220462067D731AB28DC02FBB73DC9FA1300F15402AF94AD7081EBB1AD66C2D5

Function 001937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00193840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00193850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00193876

Strings

Listbox, xrefs: 0019380F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 75b3cd6f3710517ebde57b79fff5e87c4becb4d1edc9280541c3aa8a69df9f72
Instruction ID: d56973921b10131889f956e2d76e4833adf9a107537c7e4a5f6791bbac27227e
Opcode Fuzzy Hash: 75b3cd6f3710517ebde57b79fff5e87c4becb4d1edc9280541c3aa8a69df9f72
Instruction Fuzzy Hash: 4A21D172600218BBEF218F94CC85FBB376EEF89750F108124F9509B190C771EC528BA0

Function 001749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00174A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00174A5C
SetErrorMode.KERNEL32(00000000,?,?,0019CC08), ref: 00174AD0

Strings

%lu, xrefs: 00174A6F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: c25e3c6cd5379f55372aef6cae8d5788bb9fd7339e7105a64d99477fa0827e19
Instruction ID: c79ef19e6f0577b7f4cc1ee096602a3a787dc36588f78ff5440794c599721de4
Opcode Fuzzy Hash: c25e3c6cd5379f55372aef6cae8d5788bb9fd7339e7105a64d99477fa0827e19
Instruction Fuzzy Hash: 99315175A00109AFDB10DF54C985EAA7BF8EF18308F1480A9F949DB292D771EE45CBA1

Function 001941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0019424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00194264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00194271

Strings

msctls_trackbar32, xrefs: 00194226

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3e105ea0a2a39f9b778f27b435e1b9c2da00fa4b613b22e5cba681fc5b6e2bfb
Instruction ID: 330b8ba88cf37670b9a33b9df280412f65b5f4780188b2cc6ed261dcaf2e3bd5
Opcode Fuzzy Hash: 3e105ea0a2a39f9b778f27b435e1b9c2da00fa4b613b22e5cba681fc5b6e2bfb
Instruction Fuzzy Hash: 1C11E332240208BFEF209F29DC06FAB3BACEF95B54F110524FA55E2190D3B1D8529B20

Function 00162F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00106B57: _wcslen.LIBCMT ref: 00106B6A

Part of subcall function 00162DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00162DC5
Part of subcall function 00162DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00162DD6
Part of subcall function 00162DA7: GetCurrentThreadId.KERNEL32 ref: 00162DDD
Part of subcall function 00162DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00162DE4

GetFocus.USER32 ref: 00162F78

Part of subcall function 00162DEE: GetParent.USER32(00000000), ref: 00162DF9

GetClassNameW.USER32(?,?,00000100), ref: 00162FC3
EnumChildWindows.USER32(?,0016303B), ref: 00162FEB

Strings

%s%d, xrefs: 00162FFF

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: d3ab41ce2c0273b672b9b889a704cfc35139c5b9e711a841582c45b9e3b3cd8a
Instruction ID: 3f1b099794524b5711cbbb5a6488327ff9f60e92975938c4045d67dce8b5d0a4
Opcode Fuzzy Hash: d3ab41ce2c0273b672b9b889a704cfc35139c5b9e711a841582c45b9e3b3cd8a
Instruction Fuzzy Hash: D2117FB57002056BDF14BFA4CC85EEE376AAFA4304F048079FD599B292DF7099598B60

Function 00195882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001958EE
DrawMenuBar.USER32(?), ref: 001958FD

Strings

0, xrefs: 0019588F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: fe5e53111b31a9d25ded5024eb8ea7b55adb040e96e8efc31bd1fdfd8f4a009a
Instruction ID: 0aaa0f203b61c58b0839d01aa89a49841e37c2fae1803db09876cab16d10abbc
Opcode Fuzzy Hash: fe5e53111b31a9d25ded5024eb8ea7b55adb040e96e8efc31bd1fdfd8f4a009a
Instruction Fuzzy Hash: 73016D31600218EFEF269F21DC44BEEBBB5FB45764F1180AAE849E6151DB308AC5DF61

Function 0016007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a340989a6bdd9ddf4346b4fbda0374121228f061c94343efecff520b739b7c4e
Instruction ID: d6ab64c01b7d513000d7004a15796dbdab8a724acbc5876472118e8ef378ebbd
Opcode Fuzzy Hash: a340989a6bdd9ddf4346b4fbda0374121228f061c94343efecff520b739b7c4e
Instruction Fuzzy Hash: E5C16C75A00206EFCB15CFA8CC94AAEB7B5FF48705F118598E505EB251D731EE91CB90

Function 00133E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00133F0B
__alldvrm.LIBCMT ref: 0013410C
__alldvrm.LIBCMT ref: 0013412E

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 04bcc829d0dd0c29abc8633f711076c222aa1b70c63c9b90350fb5e2bb2b55e7
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: ACA15872E007969FEB29CF28C8917AEBFE4EF61350F18416DE5959B281C338AD81C751

Function 0018342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00183459
CoUninitialize.OLE32 ref: 00183463
VariantInit.OLEAUT32(?), ref: 0018346E
VariantClear.OLEAUT32(?), ref: 0018371B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 812db1519a774111fab3116273de890c8899e9fb2767f5c719389b9d91061a8f
Instruction ID: 318c6cee3cbfea0b416b98447fbe6c892252536e0f4c70af55222c51c5dad3b4
Opcode Fuzzy Hash: 812db1519a774111fab3116273de890c8899e9fb2767f5c719389b9d91061a8f
Instruction Fuzzy Hash: BBA13C756043009FC704EF28C885A6AB7E5FF98714F188859F9999B3A2DB70EE41CF91

Function 00160436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0019FC08,?), ref: 001605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0019FC08,?), ref: 00160608
CLSIDFromProgID.OLE32(?,?,00000000,0019CC40,000000FF,?,00000000,00000800,00000000,?,0019FC08,?), ref: 0016062D
_memcmp.LIBVCRUNTIME ref: 0016064E

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 54fdef91d05718afd0fbe4ccf5f52b76e9444fa4f1332286f32ea42adc47da4f
Instruction ID: 9f03eac06fcf79b2bdc30c093aeb08ec87e4781369c74c4bf54a12f3ff06a8df
Opcode Fuzzy Hash: 54fdef91d05718afd0fbe4ccf5f52b76e9444fa4f1332286f32ea42adc47da4f
Instruction Fuzzy Hash: 01810971A00209EFCB05DF94C988EEEB7B9FF89315F204558E506AB250DB71AE56CF60

Function 00141391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001414C0

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2ef7f3e0480781809c1a57a470c099a737aea17518fed5d01e5b2b27fc5da5bd
Instruction ID: 01246b6d81727857856e70d491ce6ec9486707395e9ca46a5420e9323d34c9e0
Opcode Fuzzy Hash: 2ef7f3e0480781809c1a57a470c099a737aea17518fed5d01e5b2b27fc5da5bd
Instruction Fuzzy Hash: 2E413B31A40110BBDB257BB9AC466BE3AB5EF62370F190275F419D61E2E77488C15361

Function 00196278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(016CE9E8,?), ref: 001962E2
ScreenToClient.USER32(?,?), ref: 00196315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00196382

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 6567f8229facda46c14a42db4371dee4cb38ff6fcad7e5aef0d9ae1f460a69f0
Instruction ID: 10b67df4b566d3dbe8e1e38acb3df8bd1be314583a54c65d9c952d32ed3888db
Opcode Fuzzy Hash: 6567f8229facda46c14a42db4371dee4cb38ff6fcad7e5aef0d9ae1f460a69f0
Instruction Fuzzy Hash: 6C515074A01209EFDF14DF68D8909AE7BB5FF55364F10815AF8599B290D730EE81CBA0

Function 00181AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00181AFD
WSAGetLastError.WSOCK32 ref: 00181B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00181B8A
WSAGetLastError.WSOCK32 ref: 00181B94

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 98ff97fb9532221cde317d8818a7a1462499871aed1f0b16cecbe7abd0369176
Instruction ID: dc8c089a1ee4d74d513fbda21a8adc23dee272ad8609d5b7c7860cd942b7e154
Opcode Fuzzy Hash: 98ff97fb9532221cde317d8818a7a1462499871aed1f0b16cecbe7abd0369176
Instruction Fuzzy Hash: D3410335600200AFE720AF24C886F6977E5AB48718F54805CF95A8F7D2D7B2ED82CB91

Function 0013B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c7a200350e681ca164bd58652e019cc96fc52dec38053efc860ec4089509eb
Instruction ID: 9b2ddf759cae96bb5de437f1cb63793d5012d8f6f09fb64d769a42f2da2068b5
Opcode Fuzzy Hash: 57c7a200350e681ca164bd58652e019cc96fc52dec38053efc860ec4089509eb
Instruction Fuzzy Hash: 26412A76A04314BFD7249F38CC81B6ABBF9EF98720F10452EF246DB292E77199418780

Function 001756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00175783
GetLastError.KERNEL32(?,00000000), ref: 001757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001757FA

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: bc46eea8484c1ab42fd68b7d08ee9ade1a0bcd62938e96199b6fe2785dbacb2f
Instruction ID: be25af372f9081a889872539104ccf99cf481aea28154e0d35c3211d2f9bffb0
Opcode Fuzzy Hash: bc46eea8484c1ab42fd68b7d08ee9ade1a0bcd62938e96199b6fe2785dbacb2f
Instruction Fuzzy Hash: AE411D39600610DFCB11DF55D544A5EBBF2EF99320B19C488E88AAB3A2CB74FD40CB91

Function 0013D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00126D71,00000000,00000000,001282D9,?,001282D9,?,00000001,00126D71,8BE85006,00000001,001282D9,001282D9), ref: 0013D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0013D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0013D9AB
__freea.LIBCMT ref: 0013D9B4

Part of subcall function 00133820: RtlAllocateHeap.NTDLL(00000000,?,001D1444,?,0011FDF5,?,?,0010A976,00000010,001D1440,001013FC,?,001013C6,?,00101129), ref: 00133852

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 39098c2510983e1b4dfdee569364055993541d309d54c3ae01040ed55c1412ce
Instruction ID: 69096a1b7dc099051bf3ac1a63a98719921aba8d9ced74787bfcd493d541be93
Opcode Fuzzy Hash: 39098c2510983e1b4dfdee569364055993541d309d54c3ae01040ed55c1412ce
Instruction Fuzzy Hash: B031CD72A0021AABDF25DF64EC41EAF7BA5EB44314F054269FC04D7251EB35DD90CBA0

Function 001952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00195352
GetWindowLongW.USER32(?,000000F0), ref: 00195375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00195382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001953A8

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: bfba6d24fac2b693efdc0092d72cae1df8b8f86ae04659d110310cb228f9aa77
Instruction ID: 2c47424c6bb81c0f751ee849b84084dcd33141580b10ee076a3a3f1e12b6ba3d
Opcode Fuzzy Hash: bfba6d24fac2b693efdc0092d72cae1df8b8f86ae04659d110310cb228f9aa77
Instruction Fuzzy Hash: A531B034A56A08FFEF369A54CC55BE83767BB05390F584102FA51A62E1C7B09B80DB92

Function 0016AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0016ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0016AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0016AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0016ACC6

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: cdc51dda78ecc9d5480de53704f7ebbe6e1b8e5225faad2033216be3c65b1a3e
Instruction ID: b012d97f37b24dbbc90ba2156bb6ef956caa2cd2f7885b456de46ecaaee02e6e
Opcode Fuzzy Hash: cdc51dda78ecc9d5480de53704f7ebbe6e1b8e5225faad2033216be3c65b1a3e
Instruction Fuzzy Hash: BC314830A003186FFF34CB658C047FE7BB5AF89310F84431AE485A62D0C375D9A19B92

Function 00197674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0019769A
GetWindowRect.USER32(?,?), ref: 00197710
PtInRect.USER32(?,?,00198B89), ref: 00197720
MessageBeep.USER32(00000000), ref: 0019778C

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ed21d5384f0f67d9c7097e2f5fe5b2d984578de85573bf7019a6d59c3109e042
Instruction ID: 8b6bbf9f32790d4c6a5fdefd6d9971e5fd790afdb77f107dc7c6d7b61d1d6eb3
Opcode Fuzzy Hash: ed21d5384f0f67d9c7097e2f5fe5b2d984578de85573bf7019a6d59c3109e042
Instruction Fuzzy Hash: D541A034A1A254EFDF09CF98C898EA977F5FF49314F1541A9E4149B2A1C730E981CF90

Function 001916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001916EB

Part of subcall function 00163A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00163A57
Part of subcall function 00163A3D: GetCurrentThreadId.KERNEL32 ref: 00163A5E
Part of subcall function 00163A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001625B3), ref: 00163A65

GetCaretPos.USER32(?), ref: 001916FF
ClientToScreen.USER32(00000000,?), ref: 0019174C
GetForegroundWindow.USER32 ref: 00191752

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 3550c9f42f119e20cd6e1ff1ca8da5604758f5e91d209246977803b4a5fbb243
Instruction ID: 4513930bfc5f125b5305906aa34389cd706b4282c52f41afa257ee516b52a71f
Opcode Fuzzy Hash: 3550c9f42f119e20cd6e1ff1ca8da5604758f5e91d209246977803b4a5fbb243
Instruction Fuzzy Hash: 1C317071E00109AFDB04EFA9C881CAEBBF9EF58304B5080AAE455E7251DB719E45CFA1

Function 0016D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0016D501
Process32FirstW.KERNEL32(00000000,?), ref: 0016D50F
Process32NextW.KERNEL32(00000000,?), ref: 0016D52F
CloseHandle.KERNEL32(00000000), ref: 0016D5DC

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 193d7058279357554aec98cebe8a7de8c7109e021d782fd91de6f24145a2187f
Instruction ID: dd8ca95f5317aa4238fe06a23f14027e6fed19d86ac59b4f8ed78ce2738d77aa
Opcode Fuzzy Hash: 193d7058279357554aec98cebe8a7de8c7109e021d782fd91de6f24145a2187f
Instruction Fuzzy Hash: 1D31C4715083009FD304EF54DC91AAFBBF8EFA9344F10052DF5C2861A2EB719945CB92

Function 00198FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00119BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00119BB2

GetCursorPos.USER32(?), ref: 00199001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00157711,?,?,?,?,?), ref: 00199016
GetCursorPos.USER32(?), ref: 0019905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00157711,?,?,?), ref: 00199094

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: ccfe175368edf1f8703545173f83fa5982b136f7f440c925a9c22e2cce260050
Instruction ID: 33629e47905ed573def112c389292fb85fe9f4df8a383724c012a8aada8f7ee0
Opcode Fuzzy Hash: ccfe175368edf1f8703545173f83fa5982b136f7f440c925a9c22e2cce260050
Instruction Fuzzy Hash: BD219F35601018FFDF298F99C858EEA7BB9FB49350F08416AF9154B261C33299A0DBA1

Function 0016D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0019CB68), ref: 0016D2FB
GetLastError.KERNEL32 ref: 0016D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0016D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0019CB68), ref: 0016D376

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b13229029de02a376e30532279cc20ac780fd55de554d634d1e5734088250731
Instruction ID: 1cebcc4741f11beddc5a11a6e0061b3725840276ad165bba4837de3f8057fa8b
Opcode Fuzzy Hash: b13229029de02a376e30532279cc20ac780fd55de554d634d1e5734088250731
Instruction Fuzzy Hash: BB216DB0A092019FC710DF28E88186A77E8BF56364F504A1EF499C73E1E7319956CB93

Function 00161571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00161014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0016102A
Part of subcall function 00161014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00161036
Part of subcall function 00161014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00161045
Part of subcall function 00161014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0016104C
Part of subcall function 00161014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00161062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001615BE
_memcmp.LIBVCRUNTIME ref: 001615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00161617
HeapFree.KERNEL32(00000000), ref: 0016161E

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 6765bfbfae6f195ceefd6596eaa2d4f555945d31418c433c2a83b05f8bbef3d9
Instruction ID: 6600d6099f3c9faa67d9deca8873d9248571da896048e166da6c199d70fbd462
Opcode Fuzzy Hash: 6765bfbfae6f195ceefd6596eaa2d4f555945d31418c433c2a83b05f8bbef3d9
Instruction Fuzzy Hash: FA216632E00108FFDB00DFA8CD45BEEB7B8EF44355F088459E441AB241E770AA55CBA0

Function 00192782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0019280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00192824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00192832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00192840

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 080bae149028aacb1ca2904150feec3a549afa7979ed1ff670c5a94324e221fc
Instruction ID: 731b85add7432908df51c9b24480e55cc58871be6078888ce51f36bd52594b41
Opcode Fuzzy Hash: 080bae149028aacb1ca2904150feec3a549afa7979ed1ff670c5a94324e221fc
Instruction Fuzzy Hash: 8221C131208111BFDB14DB24CC44FAA7B95AF55324F158159F4668B6E2CB71FC82CBD0

Function 001678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00168D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0016790A,?,000000FF,?,00168754,00000000,?,0000001C,?,?), ref: 00168D8C
Part of subcall function 00168D7D: lstrcpyW.KERNEL32(00000000,?,?,0016790A,?,000000FF,?,00168754,00000000,?,0000001C,?,?,00000000), ref: 00168DB2
Part of subcall function 00168D7D: lstrcmpiW.KERNEL32(00000000,?,0016790A,?,000000FF,?,00168754,00000000,?,0000001C,?,?), ref: 00168DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00168754,00000000,?,0000001C,?,?,00000000), ref: 00167923
lstrcpyW.KERNEL32(00000000,?,?,00168754,00000000,?,0000001C,?,?,00000000), ref: 00167949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00168754,00000000,?,0000001C,?,?,00000000), ref: 00167984

Strings

cdecl, xrefs: 0016797B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9c36010f4c330fd3f091a0541f35025134fef19e70c6c78afbab65c17bd7ba14
Instruction ID: f18141569049369abde55ed17df1f479ae317a7b9f09065cf2c1184646646a25
Opcode Fuzzy Hash: 9c36010f4c330fd3f091a0541f35025134fef19e70c6c78afbab65c17bd7ba14
Instruction Fuzzy Hash: 9211293A200342ABCF156F38CC44D7A77E5FF55368B40402AF842C72A4EB31D861C7A1

Function 00197CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00197D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00197D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00197D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0017B7AD,00000000), ref: 00197D6B

Part of subcall function 00119BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00119BB2

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 6a229674132fe76546e5d67ec53835b7ea24beb7dfdea155ba453dc331455c64
Instruction ID: 01cb32f8ba51da6c29be9621d50112aeba25ac2f505cb5ebadd277866ffb1e34
Opcode Fuzzy Hash: 6a229674132fe76546e5d67ec53835b7ea24beb7dfdea155ba453dc331455c64
Instruction Fuzzy Hash: 3811CD71225655AFCF148FA8CC04AA63BA4BF45364F114729F839C72F0D7309D91CB90

Function 00195660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001956BB
_wcslen.LIBCMT ref: 001956CD
_wcslen.LIBCMT ref: 001956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00195816

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 694ff9a09b2d09a37f3e7472c612a0ced41276a796fa5eefe83da0f25bbb30ab
Instruction ID: e719abe63978f9d636e471b516ab00acd8c6b408dd2cc54ab8cfed820f7e7544
Opcode Fuzzy Hash: 694ff9a09b2d09a37f3e7472c612a0ced41276a796fa5eefe83da0f25bbb30ab
Instruction Fuzzy Hash: E2110875A00618AADF21DF61DC85AEE77BDFF11764F104026F915F6181E770CA80CBA0

Function 00131D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7cfb79b845832e8b930f5fef9dda8ae5d4c3fdf0dd5d49acea0641cfd6d976
Instruction ID: 7b435a65bf24667cd290b87f0f49ea6a1ab9c419722a800e8b61bb3230fba9f5
Opcode Fuzzy Hash: 2b7cfb79b845832e8b930f5fef9dda8ae5d4c3fdf0dd5d49acea0641cfd6d976
Instruction Fuzzy Hash: B501ADB220AA267EFA212AB87CC4F67675DDF523B8F310326F521A11D2DB708C404160

Function 00161A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00161A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00161A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00161A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00161A8A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 46237f3df0613300cec18985135546abdd11902cf8dff49b726531344896d567
Instruction ID: 790bc84d8d8672f7014ab8e56341d927208acc7a3eb2f6f6771361f73128aef7
Opcode Fuzzy Hash: 46237f3df0613300cec18985135546abdd11902cf8dff49b726531344896d567
Instruction Fuzzy Hash: 8E11273A901219FFEB10DBA4CD85FADBB79EB08750F240492EA04B7290D7716E50DB94

Function 0016E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0016E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0016E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0016E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0016E24D

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 459ba23da4e72bae445d509e59276ac1c540f8fcf940cd19ccea6fc314d51c73
Instruction ID: d649cba88d9a1cf75aedba34601560cd6a57f037a0665ae945de91738879748b
Opcode Fuzzy Hash: 459ba23da4e72bae445d509e59276ac1c540f8fcf940cd19ccea6fc314d51c73
Instruction Fuzzy Hash: 30110876905214BBC7019BA8EC09A9E7FAEAB45320F00432AF815D3690D3708A5487A0

Function 0012D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0012CFF9,00000000,00000004,00000000), ref: 0012D218
GetLastError.KERNEL32 ref: 0012D224
__dosmaperr.LIBCMT ref: 0012D22B
ResumeThread.KERNEL32(00000000), ref: 0012D249

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 870e7f455ca81e46d68555e63cd4d335efbcb25cbf43fdeccfee14cc9156ca98
Instruction ID: e276a9928d6c2cb35018310a6eb300ca58a55ee66873cf3c77b216a32b7f5e1a
Opcode Fuzzy Hash: 870e7f455ca81e46d68555e63cd4d335efbcb25cbf43fdeccfee14cc9156ca98
Instruction Fuzzy Hash: 0001F536805224FBDB216BA5FC09BAE7A6DEF92330F100229F925921D0CF70C961C6E0

Function 00199EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00119BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00119BB2

GetClientRect.USER32(?,?), ref: 00199F31
GetCursorPos.USER32(?), ref: 00199F3B
ScreenToClient.USER32(?,?), ref: 00199F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00199F7A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 15bbb0b1ba5bb498d9d95d7ee892bedb81770535edc49d329d412fd42eb120c8
Instruction ID: 1de5788be5fbee2771bbcd009d5ba265bb72e4f39487e8aa87805c2277e10635
Opcode Fuzzy Hash: 15bbb0b1ba5bb498d9d95d7ee892bedb81770535edc49d329d412fd42eb120c8
Instruction Fuzzy Hash: 71111532A0051ABBDF14DFA8D8899EEBBB9FB45311F40055AF952E7150D730BA81CBE1

Function 0010600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0010604C
GetStockObject.GDI32(00000011), ref: 00106060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0010606A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 58f94247d67e045614a7f5be26e8d882e5a31a288d55763a6c7b5e42d1752478
Instruction ID: 1aa2c102dda6ae10c087fd871ff46262dd2cec31b107665aad83aff63ee4e75a
Opcode Fuzzy Hash: 58f94247d67e045614a7f5be26e8d882e5a31a288d55763a6c7b5e42d1752478
Instruction Fuzzy Hash: 1111C072501508BFEF164FA4CC54EEABB69FF083A4F000212FA4452160C776DCA0EBA0

Function 00123B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00123B56

Part of subcall function 00123AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00123AD2
Part of subcall function 00123AA3: ___AdjustPointer.LIBCMT ref: 00123AED

_UnwindNestedFrames.LIBCMT ref: 00123B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00123B7C
CallCatchBlock.LIBVCRUNTIME ref: 00123BA4

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 7b8cb0c69a442972a7ee65546c169f22d383b47116cb80c316ae30823f82b296
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: F1012932100158BBDF126F95EC42EEB3F6AEF58754F044014FE5896121C736E971EBA0

Function 00133073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001013C6,00000000,00000000,?,0013301A,001013C6,00000000,00000000,00000000,?,0013328B,00000006,FlsSetValue), ref: 001330A5
GetLastError.KERNEL32(?,0013301A,001013C6,00000000,00000000,00000000,?,0013328B,00000006,FlsSetValue,001A2290,FlsSetValue,00000000,00000364,?,00132E46), ref: 001330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0013301A,001013C6,00000000,00000000,00000000,?,0013328B,00000006,FlsSetValue,001A2290,FlsSetValue,00000000), ref: 001330BF

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: cb46db8b92b64622f774f49ab2d8ca96c78e3c718414212ec7306879f12cd0dc
Instruction ID: dfa4515ccc78459e727cc25877418d8bb1cb6fee8f6482b9c4ffdfd62da8629a
Opcode Fuzzy Hash: cb46db8b92b64622f774f49ab2d8ca96c78e3c718414212ec7306879f12cd0dc
Instruction Fuzzy Hash: 0C012B32302732ABCB354B78AC84A577B98AF05B71F210621F969E7150C721DA41C6E4

Function 00167464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0016747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00167497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001674CA

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 031b327fd1df5652df154cfc56c009784137a89e69558a608de1373afde3184e
Instruction ID: 9bab8f4f501cd4f12962ad2e1ec7e4b2e4fabf88f73cd988f59ecfbd7692bd43
Opcode Fuzzy Hash: 031b327fd1df5652df154cfc56c009784137a89e69558a608de1373afde3184e
Instruction Fuzzy Hash: 3911ADB5209310ABE7208F18DD0CBA27BFCEB40B08F10856AA656D7591DBB0E954DBA0

Function 0016B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0016ACD3,?,00008000), ref: 0016B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0016ACD3,?,00008000), ref: 0016B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0016ACD3,?,00008000), ref: 0016B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0016ACD3,?,00008000), ref: 0016B126

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 2f484ec02c53237fb23f6d9992e1351df09a5e48cc26f4eafb83ff366f6d71eb
Instruction ID: 1e59e6c30a2af5d82efd503945d891fdb7daf7e88acb7de6484bda452dec94c4
Opcode Fuzzy Hash: 2f484ec02c53237fb23f6d9992e1351df09a5e48cc26f4eafb83ff366f6d71eb
Instruction Fuzzy Hash: B9112A71C05518EBCF049FA4ED986EEBF78BB0A711F118096D981B2145CB3095E08B95

Function 00197E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00197E33
ScreenToClient.USER32(?,?), ref: 00197E4B
ScreenToClient.USER32(?,?), ref: 00197E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00197E8A

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 7a3359ef8a38597b244b54dcf32d3162b5f50eb64cf7663c0705cde49facd100
Instruction ID: 2387b1d545393958369c2d0c16112644897341f47f9aac38dea910811705d269
Opcode Fuzzy Hash: 7a3359ef8a38597b244b54dcf32d3162b5f50eb64cf7663c0705cde49facd100
Instruction Fuzzy Hash: EC1144B9D0024AAFDB41CF98C8849EEBBF5FF18310F505056E955E3610D735AA94CF90

Function 00162DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00162DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00162DD6
GetCurrentThreadId.KERNEL32 ref: 00162DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00162DE4

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 7cd614596901ba7416588a23de16d03c623d273604be6918318eef0bcce226fd
Instruction ID: bd639227d8a6daa58524ddd3111d656dd5ff64866b526d64d27b39d4a069d17f
Opcode Fuzzy Hash: 7cd614596901ba7416588a23de16d03c623d273604be6918318eef0bcce226fd
Instruction Fuzzy Hash: 23E09272101624BBDB201BB29C0DFEB3E6CEF42BA1F400416F105D15909BA1C880C6F1

Function 00198863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00119639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00119693
Part of subcall function 00119639: SelectObject.GDI32(?,00000000), ref: 001196A2
Part of subcall function 00119639: BeginPath.GDI32(?), ref: 001196B9
Part of subcall function 00119639: SelectObject.GDI32(?,00000000), ref: 001196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00198887
LineTo.GDI32(?,?,?), ref: 00198894
EndPath.GDI32(?), ref: 001988A4
StrokePath.GDI32(?), ref: 001988B2

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 78f667a4da226eb62d783904b8c15459e1f3be75ca2ef2d3bdba0a7cc4ab4d19
Instruction ID: b627c1807482f9dbc3f5501a31bb3f9521ddc4031fbe40919cc9721807195a22
Opcode Fuzzy Hash: 78f667a4da226eb62d783904b8c15459e1f3be75ca2ef2d3bdba0a7cc4ab4d19
Instruction Fuzzy Hash: BBF05E3A046258FADB126F94AC09FCE3F59AF06310F048002FA51654E1C7755591CFF9

Function 001198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001198CC
SetTextColor.GDI32(?,?), ref: 001198D6
SetBkMode.GDI32(?,00000001), ref: 001198E9
GetStockObject.GDI32(00000005), ref: 001198F1

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: bdb6071fabd34aa121fa2938c3c15fe945f546115d88d73925986e345e3019a7
Instruction ID: 6ef9176177d2932904a96372fa8e7d494e8845a07ce81c32663cbc8155e155eb
Opcode Fuzzy Hash: bdb6071fabd34aa121fa2938c3c15fe945f546115d88d73925986e345e3019a7
Instruction Fuzzy Hash: D1E06D31244284EBEB215B74BC09BE83F21AB52336F04822AFAFA584E1C77146849B10

Function 0016162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00161634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001611D9), ref: 0016163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001611D9), ref: 00161648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001611D9), ref: 0016164F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: ead5152f53d5d828843d0a469023241a636e0d284c0cfd12b4307ee9fcec5505
Instruction ID: d7add9d2f5b1a88ccc64ad29f4a2c371b66946f01246c5a61a0a1fe4698e67b2
Opcode Fuzzy Hash: ead5152f53d5d828843d0a469023241a636e0d284c0cfd12b4307ee9fcec5505
Instruction Fuzzy Hash: 65E08635601211EBD7201FA09E0DB473B7CAF54791F188809F285C9080D7744480C7A0

Function 0015D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0015D858
GetDC.USER32(00000000), ref: 0015D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0015D882
ReleaseDC.USER32(?), ref: 0015D8A3

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 43b55ed61f4896ac9df6d42c34a5fa1504e95f2d5701609b74604800894c05df
Instruction ID: 95109ba03665337f70bdb9ac134d0774e6f154cb8a68ecec03b3c44302f0f66a
Opcode Fuzzy Hash: 43b55ed61f4896ac9df6d42c34a5fa1504e95f2d5701609b74604800894c05df
Instruction Fuzzy Hash: E0E01AB5800205DFCF459FA0D80866DBBB1FB08311F15801AF886E7750CB399981AF90

Function 0015D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0015D86C
GetDC.USER32(00000000), ref: 0015D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0015D882
ReleaseDC.USER32(?), ref: 0015D8A3

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: dfaceb97ad886142b847f699496f6c3a145df5e7d4756869738ee829bc5694db
Instruction ID: 697b0835756c966456f34e6ded16497f8b7c50161279f2753a4e4a4aafeb3cd2
Opcode Fuzzy Hash: dfaceb97ad886142b847f699496f6c3a145df5e7d4756869738ee829bc5694db
Instruction Fuzzy Hash: 1BE012B5800200EFCF40AFA0D80866DBBB1BB08310F14800AF88AE7750CB389981AF90

Function 00174D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00107620: _wcslen.LIBCMT ref: 00107625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00174ED4

Strings

*, xrefs: 00174E10
LPT, xrefs: 00174DFB

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: a848f14da7fe2e8030f6415a2952948de30fe8b1d126178815b77d5c5b120d38
Instruction ID: 1549b8ef46fc9f916cf2ae7b262f344ae80f15f9246752fdd0a51fff36f4d897
Opcode Fuzzy Hash: a848f14da7fe2e8030f6415a2952948de30fe8b1d126178815b77d5c5b120d38
Instruction Fuzzy Hash: 81918175A002049FCB14DF58C484EAABBF1BF48304F19C099E84A9F3A2C775EE85CB91

Function 0012E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0012E30D

Strings

pow, xrefs: 0012E2E5, 0012E302

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 0355a3c8b248bfb5d6c725f5c86e750565dca2a05cf4bc2a17ac879125d5d112
Instruction ID: b5a48692d2941ed4fa340ac23b92a0c8530658c1c5169469c2f3b06feaf21f8f
Opcode Fuzzy Hash: 0355a3c8b248bfb5d6c725f5c86e750565dca2a05cf4bc2a17ac879125d5d112
Instruction Fuzzy Hash: 54516EA1A0C20296CB35B728ED013793BE4FF50751F344D68E4D6826E9EB358CE59A86

Function 0011E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0011E1B1

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e4346296043881694dc56d33241cad014e6647470b867060f909d4a7f2badd3b
Instruction ID: 3c12f5396ba85a6467e9f59e779d605cc1743acd2ead84b3d14a8edb4bf2755f
Opcode Fuzzy Hash: e4346296043881694dc56d33241cad014e6647470b867060f909d4a7f2badd3b
Instruction Fuzzy Hash: 0551FF31900256DEDB1DDF68C091AFA7BE8EF29311F244065ECA19B2C0D7309E86CB90

Function 0011F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0011F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0011F2BB

Strings

@, xrefs: 0011F2AF

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3a56591bdc7e03bd9f4918dd902f26fd7f71a7f955e4e169c77d41d26a881307
Instruction ID: dcb565e65b582a1298aaf3bdc3947a6303aeec685b8f06e0d1ebffcdac93555b
Opcode Fuzzy Hash: 3a56591bdc7e03bd9f4918dd902f26fd7f71a7f955e4e169c77d41d26a881307
Instruction Fuzzy Hash: BF516671808745ABD320AF14DC86BABBBF8FB94300F81895DF1D9410A5EB709569CBA7

Function 00185745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001857E0
_wcslen.LIBCMT ref: 001857EC

Strings

CALLARGARRAY, xrefs: 001857E6, 001857EB

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 2035a774b07ce85794b44941524067cf03bec24a588531287f32b627925051e5
Instruction ID: 3d5205eca377a83b049da90d58ed1f2c92d74de39e87047a3e159fb9ccb6e81f
Opcode Fuzzy Hash: 2035a774b07ce85794b44941524067cf03bec24a588531287f32b627925051e5
Instruction Fuzzy Hash: 8C419271E001099FCB14EFA9C8859EEBBB6FF6A314F10406AF505A7291D7709E81CF90

Function 0017D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0017D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0017D13A

Strings

|, xrefs: 0017D10B

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 4abec15a165794e4dbdf7992d09e0826e6d299bc2e13e452d3c1d25e97d54bb9
Instruction ID: a7a23fcb5238010ddb626b41d7c787bfd4422534aed49b269ded5fa6c2cc5d4e
Opcode Fuzzy Hash: 4abec15a165794e4dbdf7992d09e0826e6d299bc2e13e452d3c1d25e97d54bb9
Instruction Fuzzy Hash: 3F314F71D00219ABCF15EFA4DC85EEE7FB9FF18300F404059F819A61A2D771AA56CB60

Function 0019356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00193621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0019365C

Strings

static, xrefs: 001935BC

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c22e784570ffd5e311a6c7d6e24eb39ed3b20d163b1ccea3ee5cdbe349fd6cdb
Instruction ID: ab8825e19a94b6b5abf819f0d5a44fee03cdd2c2c1105237a3b56c815362d8ab
Opcode Fuzzy Hash: c22e784570ffd5e311a6c7d6e24eb39ed3b20d163b1ccea3ee5cdbe349fd6cdb
Instruction Fuzzy Hash: 2A318B71100204AEEB14DF68DC80EFB73A9FF98764F01861AF8A5D7280DB71AD91DB60

Function 00194537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0019461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00194634

Strings

', xrefs: 0019458E

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 3fd5779b72abb68adc2037f9a380d48b921e625de6a810b6881256a5b3c4f6af
Instruction ID: 7496e559ae27d5521f66a689cc1a811ed5a5291d4773e6c744ae0ddbe9e11cc3
Opcode Fuzzy Hash: 3fd5779b72abb68adc2037f9a380d48b921e625de6a810b6881256a5b3c4f6af
Instruction Fuzzy Hash: 413107B5A01309AFEF14CFA9C990BDA7BB5FF49300F15416AE905AB351D770A942CF90

Function 001931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0019327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00193287

Strings

Combobox, xrefs: 00193249

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 392fd4d2b4418965871c731b525e9eeefc64a0585d9bcc5800b7c1f05c986147
Instruction ID: 29084e06fd27670e84993bb6f8db83c2e6d1d746f34bc82f76a88bac48f81d74
Opcode Fuzzy Hash: 392fd4d2b4418965871c731b525e9eeefc64a0585d9bcc5800b7c1f05c986147
Instruction Fuzzy Hash: C51190713002087FEF259F94DC80EBB376AEB943A4F104129F92897290D7719D519760

Function 00193710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0010600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0010604C
Part of subcall function 0010600E: GetStockObject.GDI32(00000011), ref: 00106060
Part of subcall function 0010600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0010606A

GetWindowRect.USER32(00000000,?), ref: 0019377A
GetSysColor.USER32(00000012), ref: 00193794

Strings

static, xrefs: 00193757

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9f15aa07a2453e709fa3c862e2309588689d7f8c01f44ad658f7b7ce7100981c
Instruction ID: 50f2b02cfba0dc48b3a4c2b75e7282d9fb9863ecf133788a63c0d8cf276707b9
Opcode Fuzzy Hash: 9f15aa07a2453e709fa3c862e2309588689d7f8c01f44ad658f7b7ce7100981c
Instruction Fuzzy Hash: 02113AB2610209AFDF05DFA8CC45EEA7BB8FB08354F014915F9A5E2250D775E8519B50

Function 0017CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0017CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0017CDA6

Strings

<local>, xrefs: 0017CD66

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 248b845a7e8423e9d1da9e5da80f0db2df75636ce674a5361ffe1fbb31802e32
Instruction ID: 4ed002d44d58a9c95da09aa4ed63bddabff7b7f15269901c81d1f40e52eca8f9
Opcode Fuzzy Hash: 248b845a7e8423e9d1da9e5da80f0db2df75636ce674a5361ffe1fbb31802e32
Instruction Fuzzy Hash: A011A071205631BAD7384AA6CC49EE7BEB8EB227A4F00822EB14D82180D7649940D6F0

Function 00193429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001934BA

Strings

edit, xrefs: 0019348F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 11021097ab9de5bfa7f1a90c4b1d2e28b451e38c057feb65cd51c7b9fa7cf182
Instruction ID: f005dafb68bffd64d9c46150ac4883636265076b4df6070f5932325ecbdd5b44
Opcode Fuzzy Hash: 11021097ab9de5bfa7f1a90c4b1d2e28b451e38c057feb65cd51c7b9fa7cf182
Instruction Fuzzy Hash: 4C118C71200208AFEF128F64DC44AEB37AAEB15778F524724F975931E0C771EC91AB60

Function 00166C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

CharUpperBuffW.USER32(?,?,?), ref: 00166CB6
_wcslen.LIBCMT ref: 00166CC2

Strings

STOP, xrefs: 00166CBC, 00166CC1

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: b14375e35fc4ad57142621bc0fc119ed68ff309c137e02eaddad3b463d2dfecf
Instruction ID: 74dc412986d0617a8647fa3421b2d0aea439deed171e691c46d403b647c6f437
Opcode Fuzzy Hash: b14375e35fc4ad57142621bc0fc119ed68ff309c137e02eaddad3b463d2dfecf
Instruction Fuzzy Hash: C901D232A0092A8BCB20AFFDDC909BF77B5EF71750B510529E8A2972D1EB71D960C650

Function 00161CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

Part of subcall function 00163CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00163CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00161D4C

Strings

ComboBox, xrefs: 00161CEB
ListBox, xrefs: 00161D16

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2ed88ae1f790db667bc25fded09797c69962071912fcc3828e652bda8c994ffc
Instruction ID: 728bf0a17b7b7e0836462a936cba3ac50b1ba01703aa10aef16853bd56c2f8c4
Opcode Fuzzy Hash: 2ed88ae1f790db667bc25fded09797c69962071912fcc3828e652bda8c994ffc
Instruction Fuzzy Hash: 4501D871601228BBCB08EBE4CD55DFE7769EB66350F04091AF872573C2EB70591897A0

Function 00161BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

Part of subcall function 00163CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00163CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00161C46

Strings

ComboBox, xrefs: 00161BE5
ListBox, xrefs: 00161C10

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 86bc3aad401157f58284ffc8e856b87e40fde7ccbb652ff79712a65cad68cba0
Instruction ID: 381ca150f3df733df059be1ce2e64fc829216cb0e1b82708b75a48107e27df4f
Opcode Fuzzy Hash: 86bc3aad401157f58284ffc8e856b87e40fde7ccbb652ff79712a65cad68cba0
Instruction Fuzzy Hash: A301A775A8110876DB08EB90CE62EFF77A99B21340F14001AB956672C2EB609F2896B1

Function 00161C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

Part of subcall function 00163CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00163CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00161CC8

Strings

ComboBox, xrefs: 00161C69
ListBox, xrefs: 00161C94

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7f77399861d0fb212dfdcd67a372a75ec06ae4b238e41dba8a9b6c45992324b1
Instruction ID: 1d68294bd079222cc29c7c61e2eef66c476e042f7c21e384ac67b8d51370a1c9
Opcode Fuzzy Hash: 7f77399861d0fb212dfdcd67a372a75ec06ae4b238e41dba8a9b6c45992324b1
Instruction Fuzzy Hash: EB01D6B2A8011877DB04EBA0CF11EFF77A99B31340F58001AB842772C2EB609F28D671

Function 00161D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00109CB3: _wcslen.LIBCMT ref: 00109CBD

Part of subcall function 00163CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00163CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00161DD3

Strings

ComboBox, xrefs: 00161D75
ListBox, xrefs: 00161DA0

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b571433de40d5d5ae62f63b74a28a8044839f477e2f39376526c10f195f43930
Instruction ID: 2eb28d3cb30e8570d37ecd19fc56794ba3f332b200e35be8f2b2270c7a4f7b8a
Opcode Fuzzy Hash: b571433de40d5d5ae62f63b74a28a8044839f477e2f39376526c10f195f43930
Instruction Fuzzy Hash: 96F0CD71F4121876D704F7E4CD55FFF777CAB21350F44091AB862672C2DB6059189360

Function 0018747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00187493
_wcslen.LIBCMT ref: 001874B9

Strings

3, 3, 16, 1, xrefs: 00187483

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 70d69d78da556f69c422362b93a262f580c4ab0f7a086d323eb3c08a8845d4be
Instruction ID: f238ce0bbb6335a302927c1e9a816d59d4ac7a57aa11d32e7659a257efce6e48
Opcode Fuzzy Hash: 70d69d78da556f69c422362b93a262f580c4ab0f7a086d323eb3c08a8845d4be
Instruction Fuzzy Hash: 0BE02B0220423015D23132B9BCC1A7F5689DFE9750734182BF985C22E6EBD4CEE193A0

Function 00160B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00160B23

Strings

AutoIt, xrefs: 00160B17
Error allocating memory., xrefs: 00160B1C

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: d88435ce7bfc0724ab1522d1e06e57eabea00d535ce066cf037e4dff0ac335bf
Instruction ID: db3944b350afac47256d262f27c2a807da9bf6c2406fd50553a29d316c2a67a7
Opcode Fuzzy Hash: d88435ce7bfc0724ab1522d1e06e57eabea00d535ce066cf037e4dff0ac335bf
Instruction Fuzzy Hash: 3FE0DF322883183AD61837947C03FC97A848F29B24F10042EFBC8A94C38BE264E006E9

Function 00120D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0011F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00120D71,?,?,?,0010100A), ref: 0011F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0010100A), ref: 00120D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0010100A), ref: 00120D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00120D7F

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: dd429cd91434f8512196f4387674019c58dc630e68759c665e642f18e5ffc524
Instruction ID: 93dbe13e3963d10963d8313ca4e4301f8ab9929e4b1dc3025e543cb0b63d94d9
Opcode Fuzzy Hash: dd429cd91434f8512196f4387674019c58dc630e68759c665e642f18e5ffc524
Instruction Fuzzy Hash: 89E06D742013119BD7219FB8E5083427BE0BB18740F004A2EE486C6A52DBB0E4858B91

Function 00173017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0017302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00173044

Strings

aut, xrefs: 00173038

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: dda2b8b758790a60caa2c437f04d7d39ebcb776c3929d33169754b0416e7750c
Instruction ID: 3be1b1c42069a842dea77a15d621a349c0733d852ca7d211921ff9c720ac30e0
Opcode Fuzzy Hash: dda2b8b758790a60caa2c437f04d7d39ebcb776c3929d33169754b0416e7750c
Instruction Fuzzy Hash: C3D05E7250032877DA20A7A4AC0EFCB7A7CDB04B50F0002A2B695E2091DAB0D984CAE0

Function 0015D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0015D220

Strings

%.3d, xrefs: 0015D22B
X64, xrefs: 0015D2A8

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 5bebe8c3b00ae35e377a4211d26c89aa31e0e5b71b79269c62f7c634d9ecdcd6
Instruction ID: f283c662c095fc85c92e15e831ad063c6e93684e6f289588294be98aff407e97
Opcode Fuzzy Hash: 5bebe8c3b00ae35e377a4211d26c89aa31e0e5b71b79269c62f7c634d9ecdcd6
Instruction Fuzzy Hash: 1CD0127580C148E9CB6897D0EC459FAB37CBB18342F518466FC1695040D764D58CAB62

Function 00192322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0019232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0019233F

Part of subcall function 0016E97B: Sleep.KERNEL32 ref: 0016E9F3

Strings

Shell_TrayWnd, xrefs: 00192325

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b42bb8c2c353fbef61754ffa3b55289ed9c5243c1d0812c521b24cd896d5bcce
Instruction ID: 93dbf006c468a21b3c4d4e57145394e3c4e99e906c6f55edec48e34e134effcc
Opcode Fuzzy Hash: b42bb8c2c353fbef61754ffa3b55289ed9c5243c1d0812c521b24cd896d5bcce
Instruction Fuzzy Hash: 7DD012363D4310B7E664B770DC0FFD67A649F10B14F014A177785AA1D4CAF0B851CA94

Function 00192356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0019236C
PostMessageW.USER32(00000000), ref: 00192373

Part of subcall function 0016E97B: Sleep.KERNEL32 ref: 0016E9F3

Strings

Shell_TrayWnd, xrefs: 00192365

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b583ad1e4e61e75babe7f9cb734f8b15aa5a9d2d8a5727e2b92e8a5a7185e598
Instruction ID: 6febf8f8a4016e0a6bed2aee3a22485b15f2a007a6172765a211d487e78810f3
Opcode Fuzzy Hash: b583ad1e4e61e75babe7f9cb734f8b15aa5a9d2d8a5727e2b92e8a5a7185e598
Instruction Fuzzy Hash: E7D0C9363C13107AE664A7709C0FFC676649B14B14F014A167685AA1D4CAA0B8518A94

Function 0013BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0013BE93
GetLastError.KERNEL32 ref: 0013BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0013BEFC

Memory Dump Source

Source File: 00000000.00000002.1675119023.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true

Associated: 00000000.00000002.1675054006.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.000000000019C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675184013.00000000001C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675264792.00000000001CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1675302716.00000000001D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100000_Termination_List_November_2024_pdf.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 244829bbf2362152d230db3f24fcdd8303a1c42fcc813ac006f03008b52abea4
Instruction ID: 3d545ce1cf52b8901830150ab8113a6231b22d2cd69135757fce47815ec383c7
Opcode Fuzzy Hash: 244829bbf2362152d230db3f24fcdd8303a1c42fcc813ac006f03008b52abea4
Instruction Fuzzy Hash: F841E934608216EFCF258F68DCD4ABA7BA9EF42320F155169FA59971A1FB308D01CB61

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Termination_List_November_2024_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sgxIb.exe.log

C:\Users\user\AppData\Local\Temp\peristeronic

C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
Termination_List_November_2024_pdf.exe

Function 001042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 001042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00142BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00102CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0014065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0010344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00102B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00103170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01A28DC0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00102C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01A28B30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 164
fileCOMMON

Function 00103B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 01A27A20 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre